Vulnerability Development mailing list archives
Re: Cisco Catalyst switches
From: mudge () L0PHT COM (Mudge)
Date: Wed, 14 Jun 2000 08:46:59 -0500
Here are some attack vectors which we have used in the labs in the past. The switches talk one of a few limited ISL (Inter-Switch-Link) variants. Through this it is often possible to send user-add, user-move, tag-bassed-flood, and spanning tree announcements. Once a switch believes you are actually another switch attached to it you win. Various arp games can often times be quite useful. How does the switch in question handle gratuitous arps from directed broadcast addresses? Then there are other games with vendor specific components such as cisco's CDP (Cisco Discovery Protocol) - again often times in an effort to say: "Hey, I'm another switch - get that in your head and let's start talking". Folks would be wise in remembering that switches are still, largely, layer-2 devices and layer-2 has no notion of security. The VLANs were originally designed to minimize broadcast traffic - not provide security. Cisco has introduced something they call a silent VLAN which is interesting and fun to play with, but often times the above attack vectors are still succesful. Keeping disparate security level components on the same device and infrastructure is often fine for keeping honest folks honest (ie, let's provide more separation between HR and R&D in a company) - but is often not the best direction to go when one of the components is an unknown. Companies that locate systems at most ASP's should be aware of this - your competitor is often times a lot closer to your systems than you realize. cheers, .mudge On Wed, 14 Jun 2000, Saso wrote:
In message <3BE20D737CCE4C4589F5D72274652F200D67E1 () nacsvr05 nac cwo net au>, Ma tthew King writes:Hi.Hi,It would be interesting if there was a vulnerability that allowed you to break the VLAN definitions.. I know many companies that practically run their entire networks together into several Catalysts via VLANS :) Secure networks and public ones right next to each other.And all those switches are conveniently joined together and share some VLANs, so that people don't have to worry about getting longer UTP cables. Been there, seen that. Cisco still doesn't QA their Catalyst switches as security devices and that should ring a bell with most clueful IT personnel. However, sad truth is, that most abuse VLAN capability as security feature. Sometimes, under heavier loads, VLANs can (and do) leak packets.I thought that based on the nature of VLANS that they would not be susceptible to attack from the network layer because they switch traffic based on the port number, not on any content of the frame or packet? Still, it would be interesting :)Switches switch packets depending on MAC address certain ports are assigned, but not all Network Admins go the length to lock MAC addresses to certain ports, leaving their switches susceptible to ARP packet storms. And once switch's ARP table is filled, most tend to fail-open, flooding all the ports with all the traffic that traverses the switch. Also, Ryan Russell wrote a short e-mail concerning Cisco's Catalyst switches back in 1998 <http://www.nfr.net/firewall-wizards/mail-archive/1998/Nov/0036.html>. IMHO, as much as I avoid using switch as a security device, I still believe that _properly configured_, it can be reasonably secured against most script kiddies. But it won't stop the determined attacker that poses enough skills, clue and resources to break thru VLANs and get the information they want. YMMV. Regards, Saso
Current thread:
- Cisco Catalyst switches hg/jb (Jun 12)
- Re: Cisco Catalyst switches Jeremy Guthrie (Jun 14)
- Solaris ufsroot exploit Job de Haas (Jun 14)
- Exploit code for PalmOS Aviram Jenik (Jun 14)
- <Possible follow-ups>
- Re: Cisco Catalyst switches Matthew King (Jun 13)
- Re: Cisco Catalyst switches Jay Tribick (Jun 13)
- Re: Cisco Catalyst switches Andy Murren (Jun 13)
- Re: Cisco Catalyst switches rpc (Jun 13)
- Re: Cisco Catalyst switches Rostislav Opocensky (Jun 13)
- Re: Cisco Catalyst switches Saso (Jun 13)
- Re: Cisco Catalyst switches Mudge (Jun 14)
- Re: Cisco Catalyst switches Jeremy Guthrie (Jun 14)
- Problems with: xcdroast, gatos, xkobo, xbill, iagno, ++ Elias Levy (Jun 14)
- Re: Cisco Catalyst switches Mudge (Jun 14)
- Re: Cisco Catalyst switches suid () SUID KG (Jun 13)
- Update on TopLayer Advisory nawk (Jun 13)
- Re: Cisco Catalyst switches Blue Boar (Jun 13)
- Re: Cisco Catalyst switches Martin Hamilton (Jun 14)