Full Disclosure mailing list archives
S21sec-034-en: Cisco VTP DoS vulnerability
From: S21sec Labs <labs () s21sec com>
Date: Fri, 26 Jan 2007 11:46:43 -0800
############################################################### ID: S21SEC-034-en Title: Cisco VTP Denial Of Service Date: 26/01/2007 Status: Vendor contacted, bug fixed Severity: Medium - DoS - remote from the local subnet Scope: Cisco Catalyst Switch denial of service Platforms: IOS Author: Alfredo Andres Omella, David Barroso Berrueta Location: http://www.s21sec.com/es/avisos/s21sec-034-en.txt Release: Public ############################################################### S 2 1 S E C http://www.s21sec.com Cisco VTP Denial Of Service About VTP --------- VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for VLAN centralized management. For instance, when you configure a VLAN in a switch, the VLAN information (the VLAN name and its identifier) will be configured automatically in all the switches that belong to the same VTP domain. Description of vulnerability ---------------------------- VTP uses Subset-Advert messages to advertise the existing VLANs within a VTP domain, sending a malformed crafted packet it is possible to force a switch "crash & reload". In order to trigger the vulnerability, you need to previously set up the trunking (manually or using Yersinia DTP attack). Affected Versions and platforms ------------------------------- This vulnerability has been tested against Cisco Catalyst 2950T switches with IOS 12.1(22)EA3. Other versions are probably vulnerable. Solution -------- According to Cisco PSIRT, it is already fixed. We don't know all the details because Cisco tagged (back in 2005) the issue as an "internal bug", not as a security vulnerability. Upgrade your IOS to the latest release. Additional information ---------------------- This vulnerability has been found and researched by: David Barroso Berrueta dbarroso () s21sec com Alfredo Andres Omella aandres () s21sec com It was found on January 2005 and shown in a real demo at BlackHat Europe Briefings 2005 (March 2005) (Yersinia, a framework for layer 2 attacks). Some months later, FX from Phenoelit found other VTP vulnerabilities: http://www.securityfocus.com/archive/1/445896/30/0/threaded Cisco released then an answer to FX (http://www.cisco.com/warp/public/ 707/cisco-sr-20060913-vtp.shtml) but as there is no any comment about this specific vulnerability we suppose that it is not related with this one. This vulnerability has been implemented in the current Yersinia version, under the VTP attacks (see the src/vtp.c file) . Yersinia homepage: http://www.yersinia.net You can find this advisory at: http://www.s21sec.com/en/avisos/s21sec-034-en.txt Other S21SEC advisories availabe at http://www.s21sec.com/en/avisos/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- S21sec-034-en: Cisco VTP DoS vulnerability S21sec Labs (Jan 26)
- Re: S21sec-034-en: Cisco VTP DoS vulnerability Clay Seaman-Kossmeyer (Jan 29)
- Re: S21sec-034-en: Cisco VTP DoS vulnerability Clay Seaman-Kossmeyer (Jan 29)