> -----Original Message-----
> From: psirt@xxxxxxxxx [mailto:psirt@xxxxxxxxx]
> Sent: Wednesday, September 13, 2006 10:27 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: Cisco IOS VTP issues
>
> Hello,
> This is a Cisco response to an advisory published by FX of Phenoelit
> posted as of September 13, 2006 at:
> http://www.securityfocus.com/archive/1/445896/30/0/threaded
> and entitled "Cisco Systems IOS VTP multiple vulnerabilities".
>
> An official response is located at:
> http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
>
> These vulnerabilities are addressed by Cisco bug IDs:
>
> * CSCsd52629/CSCsd34759 -- VTP version field DoS
>
> * CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
>
> * CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
>
> We would like to thank FX and Phenoelit Group for reporting these
> vulnerabilities to us. We greatly appreciate the opportunity to work
> with researchers on security vulnerabilities, and welcome the
> opportunity to review and assist in security vulnerability reports
> against Cisco products.
>
> Additional Information
> ======================
>
> VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that
> maintains VLAN configuration consistency by managing the addition,
> deletion, and renaming of VLANs on a network-wide basis. When you
> configure a new VLAN on one VTP server, the VLAN configuration
> information is distributed via the VTP protocol through all switches
> in the domain. This reduces the need to configure the same VLAN
> everywhere. VTP is a Cisco-proprietary protocol that is available on
> most of the Cisco Catalyst series products in both Cisco IOS and
> Cisco CatOS system software.
>
> Products affected by these vulnerabilities:
> +------------------------------------------
>
> * Switches running affected versions of Cisco IOS and have VTP
> Operating Mode as either "server" or "client" are affected by all
> three vulnerabilities.
> * Switches running affected versions of Cisco CatOS and have VTP
> Operating Mode as either "server" or "client" are only affected
> by "Integer Wrap in VTP revision" vulnerability.
>
> Products not affected by these vulnerabilities:
> +----------------------------------------------
>
> * Switches configured with VTP operating mode as "transparent".
> * Switches running CatOS with VTP Operating Mode as either "server"
> or "client" are not affected by "Buffer Overflow in VTP VLAN
> name" or "VTP Version field DoS" vulnerabilities.
>
> To determine the VTP mode on the switch, log into the device and
> issue the "show vtp status" (IOS) or "show vtp domain" (CatOS)
> command. Switches that show either "Server" or "Client" as the VTP
> operating mode are affected by these vulnerabilities.
>
> An example is shown below for Cisco IOS with VTP operating in
> "Server" mode:
>
> ios_switch#sh vtp stat
> VTP Version : 2
> Configuration Revision : 0
> Maximum VLANs supported locally : 1005
> Number of existing VLANs : 5
> VTP Operating Mode : Server
> VTP Domain Name : test
> VTP Pruning Mode : Disabled
> VTP V2 Mode : Enabled
> VTP Traps Generation : Disabled
> MD5 digest : <removed>
> Configuration last modified by 0.0.0.0 at 3-1-93 04:02:09
> ios_switch#
>
> An example is shown below for Cisco CatOS with VTP operating in
> "Server" mode:
>
> catos_switch> (enable) sh vtp domain
> Version : running VTP1 (VTP3 capable)
> Domain Name : test Password : not configured
> Notifications: disabled Updater ID: 0.0.0.0
>
> Feature Mode Revision
> -------------- -------------- -----------
> VLAN Server 2
>
> Pruning : disabled
> VLANs prune eligible: 2-1000
> catos_switch> (enable)
>
>
> * VTP Version field DoS:
>
> The VTP feature in certain versions of Cisco IOS software may be
> vulnerable to a crafted packet sent from the local network
> segment which may lead to a denial of service condition. When a
> switch receives a specially crafted VTP summary packet, the
> switch will reset with a Software Forced Crash Exception.
> Messages for either "watchdog timeout" or "CPU hog" for process
> VLAN Manager will be seen prior to the software reset within the
> syslog messages generated by the switch.
> The packets must be received on a trunk enabled port.
>
> Switches running CatOS are not affected by this vulnerability and
> will display a log message "%VTP-2-RXINVSUMMARY:rx invalid
> summary from [port number]" should a specially crafted summary
> packet be received.
>
> There are no workarounds for this vulnerability. Switches
> configured with a VTP domain password are still affected by this
> vulnerability. Cisco recommends that customers upgrade to a
> version of Cisco IOS that contains the fixes for either
> CSCsd52629 or CSCsd34759.
>
> * Buffer Overflow in VTP VLAN name:
>
> The VTP feature in certain versions of Cisco IOS software is
> vulnerable to a buffer overflow condition and potential execution
> of arbitrary code. If a VTP summary advertisement is received
> with a Type-Length-Value (TLV) containing a VLAN name greater
> than 100 characters, the receiving switch will reset with an
> Unassigned Exception error. The packets must be received on a
> trunk enabled port, with a matching domain name and a matching
> VTP domain password (if configured).
>
> Applying a VTP domain password to the VTP domain will prevent
> spoofed VTP summary advertisement messages from advertising an
> incorrect VLAN name. See
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550scg/swvtp.htm#1035247
> for further information on setting VTP domain passwords.
>
> * Integer Wrap in VTP revision:
>
> The VTP feature in certain versions of Cisco IOS software and
> Cisco CatOS software will display statistic counters as a
> negative number due to an integer wrap. Normal VTP operation will
> occur if no changes are made within the VTP domain. With the
> addition of switches or resetting of a VTP server configuration
> revision, VTP updates potentially may not be processed by other
> VTP servers/clients within the domain. Should any switches be
> impacted by this vulnerability, customers should execute the
> recovery procedures as listed below.
>
> Once the VTP configuration revision exceeds 0x7FFFFFFF, the
> output for the VTP configuration revision in "show vtp status"
> (IOS) or "show vtp domain" (CatOS) will display as a negative
> number. Operation of the switch is not affected, however further
> changes to the VLAN database may not be properly propagated
> throughout the VTP domain.
>
> Example from Cisco IOS:
>
> ios_switch#sh vtp stat
> VTP Version : 2
> Configuration Revision : -2147483648
> Maximum VLANs supported locally : 1005
> Number of existing VLANs : 17
> VTP Operating Mode : Client
> VTP Domain Name : psirt
> VTP Pruning Mode : Disabled
> VTP V2 Mode : Disabled
> VTP Traps Generation : Disabled
> MD5 digest : <removed>
> Configuration last modified by 0.0.0.0 at 3-1-93 00:10:07
> ios_switch#
>
> Example from Cisco CatOS:
>
> catos_switch# (enable) sh vtp domain
> Version : running VTP1 (VTP3 capable)
> Domain Name : psirt Password : not configured
> Notifications: disabled Updater ID: 0.0.0.0
>
> Feature Mode Revision
> -------------- -------------- -----------
> VLAN Server -2147483648
>
> Pruning : disabled
> VLANs prune eligible: 2-1000
>
> Applying a VTP domain password to the VTP domain will prevent
> spoofed VTP summary advertisement messages from advertising
> 0x7FFFFFFF as a configuration revision number. See
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550scg/swvtp.htm#1035247
> for further information on setting VTP domain passwords.
>
> To recover from the negative configuration revision due to
> exploitation, the following methods can be performed to recover
> the VTP domain operations:
>
> * Change VTP domain names on all switches.
>
> * Change all VTP servers/clients to transparent mode first. Then
> change back to their original server/client mode.
>
>
> For further information on VTP please refer to:
> http://www.cisco.com/warp/public/473/21.html
>
> For further information on Layer 2 security practices please refer
> to:
> http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp998892
>
> Regards,
> Paul Oxman
> PSIRT Incident Manager
> Cisco Systems
>
>
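The mode check and the wrapped-revision symptom described in the quoted advisory, as an added example that is not part of the original message or any Cisco tooling: a small Python parser for "show vtp status" output that flags switches in Server/Client mode and a Configuration Revision that has passed 0x7FFFFFFF. The sample outputs are constructed, modelled on the advisory's own examples.

```python
import re

# Constructed sample output, modelled on the examples in the advisory:
# a healthy server, a client whose revision has wrapped, and a
# transparent-mode switch that is not affected.
HEALTHY_SERVER = """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : test
"""

WRAPPED_CLIENT = """\
VTP Version                     : 2
Configuration Revision          : -2147483648
Number of existing VLANs        : 17
VTP Operating Mode              : Client
VTP Domain Name                 : psirt
"""

TRANSPARENT = """\
Configuration Revision          : 12
VTP Operating Mode              : Transparent
"""

def parse_vtp_status(text):
    """Turn the 'Field : value' lines of 'show vtp status' into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def assess_vtp_status(text):
    """Return (mode, revision, findings) for one switch's output."""
    f = parse_vtp_status(text)
    mode = f.get("VTP Operating Mode", "unknown")
    revision = int(f.get("Configuration Revision", "0"))
    findings = []
    if mode in ("Server", "Client"):
        findings.append("mode %s processes VTP advertisements; "
                        "only transparent mode is unaffected" % mode)
    if revision < 0:
        # IOS prints the 32-bit revision as signed; a negative value means
        # it passed 0x7FFFFFFF and VLAN changes may no longer propagate.
        raw = revision & 0xFFFFFFFF
        findings.append("revision wrapped (raw 0x%08X); recover by renaming "
                        "the domain or toggling transparent mode" % raw)
    return mode, revision, findings
```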