Vulnerability Development mailing list archives

Re: Cisco Catalyst switches


From: mudge () L0PHT COM (Mudge)
Date: Wed, 14 Jun 2000 08:46:59 -0500


Here are some attack vectors which we have used in the labs in the past.

The switches talk one of a few limited ISL
(Inter-Switch-Link) variants. Through this it is often possible to send
user-add, user-move, tag-bassed-flood, and spanning tree
announcements. Once a switch believes you are actually another switch
attached to it you win.

Various arp games can often times be quite useful. How does the switch in
question handle gratuitous arps from directed broadcast addresses?

Then there are other games with vendor specific components such as cisco's
CDP (Cisco Discovery Protocol) - again often times in an effort to
say: "Hey, I'm another switch - get that in your head and let's start
talking".

Folks would be wise in remembering that switches are still, largely,
layer-2 devices and layer-2 has no notion of security. The VLANs were
originally designed to minimize broadcast traffic - not provide security.

Cisco has introduced something they call a silent VLAN which is
interesting and fun to play with, but often times the above attack vectors
are still succesful.

Keeping disparate security level components on the same device and
infrastructure is often fine for keeping honest folks honest (ie, let's
provide more separation between HR and R&D in a company) - but is often
not the best direction to go when one of the components is an unknown.

Companies that locate systems at most ASP's should be aware of this - your
competitor is often times a lot closer to your systems than you realize.

cheers,

.mudge

On Wed, 14 Jun 2000, Saso wrote:

In message <3BE20D737CCE4C4589F5D72274652F200D67E1 () nacsvr05 nac cwo net au>, Ma
tthew King writes:
Hi.

Hi,


It would be interesting if there was a vulnerability that allowed you to
break the VLAN definitions.. I know many companies that practically run
their entire networks together into several Catalysts via VLANS :) Secure
networks and public ones right next to each other.

And all those switches are conveniently joined together and share some
VLANs, so that people don't have to worry about getting longer UTP
cables. Been there, seen that.

Cisco still doesn't QA their Catalyst switches as security devices and
that should ring a bell with most clueful IT personnel. However, sad
truth is, that most abuse VLAN capability as security
feature. Sometimes, under heavier loads, VLANs can (and do) leak
packets.

I thought that based on the nature of VLANS that they would not be
susceptible to attack from the network layer because they switch traffic
based on the port number, not on any content of the frame or packet? Still,
it would be interesting :)

Switches switch packets depending on MAC address certain ports are
assigned, but not all Network Admins go the length to lock MAC
addresses to certain ports, leaving their switches susceptible to ARP
packet storms. And once switch's ARP table is filled, most tend to
fail-open, flooding all the ports with all the traffic that traverses
the switch.

Also, Ryan Russell wrote a short e-mail concerning Cisco's Catalyst
switches back in 1998
<http://www.nfr.net/firewall-wizards/mail-archive/1998/Nov/0036.html>.

IMHO, as much as I avoid using switch as a security device, I still
believe that _properly configured_, it can be reasonably secured against
most script kiddies. But it won't stop the determined attacker that
poses enough skills, clue and resources to break thru VLANs and get
the information they want. YMMV.

Regards,

Saso



Current thread: