
| Subject: | [Full-disclosure] S21sec-034-en: Cisco VTP DoS vulnerability |
|---|---|
| Date: | Fri, 26 Jan 2007 11:46:43 -0800 |

###############################################################
ID: S21SEC-034-en
Title: Cisco VTP Denial Of Service
Date: 26/01/2007
Status: Vendor contacted, bug fixed
Severity: Medium - DoS - remote from the local subnet
Scope: Cisco Catalyst Switch denial of service
Platforms: IOS
Author: Alfredo Andres Omella, David Barroso Berrueta
Location: http://www.s21sec.com/es/avisos/s21sec-034-en.txt
Release: Public
###############################################################

S 2 1 S E C

http://www.s21sec.com

Cisco VTP Denial Of Service

About VTP
---------

VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for VLAN centralized management. For instance, when you configure a VLAN in a switch, the VLAN information (the VLAN name and its identifier) will be configured automatically in all the switches that belong to the same VTP domain.

Description of vulnerability
----------------------------

VTP uses Subset-Advert messages to advertise the existing VLANs within a VTP domain. By sending a malformed crafted packet it is possible to force a switch "crash & reload". In order to trigger the vulnerability, you need to previously set up the trunking (manually or using Yersinia DTP attack).

Affected Versions and platforms
-------------------------------

This vulnerability has been tested against Cisco Catalyst 2950T switches with IOS 12.1(22)EA3. Other versions are probably vulnerable.

Solution
--------

According to Cisco PSIRT, it is already fixed. We don't know all the details because Cisco tagged (back in 2005) the issue as an "internal bug", not as a security vulnerability. Upgrade your IOS to the latest release.

Additional information
----------------------

This vulnerability has been found and researched by:

David Barroso Berrueta dbarroso@s21sec.com
Alfredo Andres Omella aandres@s21sec.com

It was found in January 2005 and shown in a real demo at BlackHat Europe Briefings 2005 (March 2005) (Yersinia, a framework for layer 2 attacks).

Some months later, FX from Phenoelit found other VTP vulnerabilities:
http://www.securityfocus.com/archive/1/445896/30/0/threaded

Cisco then released an answer to FX (http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml), but as there is no comment about this specific vulnerability we suppose that it is not related to this one.

This vulnerability has been implemented in the current Yersinia version, under the VTP attacks (see the src/vtp.c file).

Yersinia homepage: http://www.yersinia.net

You can find this advisory at:
http://www.s21sec.com/en/avisos/s21sec-034-en.txt

Other S21SEC advisories available at http://www.s21sec.com/en/avisos/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
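
The advisory states that a trunk must be set up before the malformed Subset-Advert can reach the switch, either manually or through DTP negotiation. As an added example (not part of the original advisory and not Yersinia code), this Python script audits a saved IOS running-config for ports where that precondition holds. The sample config and the function names are constructed for illustration, and ports with no explicit `switchport mode` are assumed to use a dynamic DTP default.

```python
# Added example: flags ports that are, or can become, trunks.
# SAMPLE_CONFIG is constructed for illustration; it is not from the advisory.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
interface FastEthernet0/2
 switchport mode dynamic desirable
interface FastEthernet0/3
 description user port, no mode configured
interface GigabitEthernet0/1
 switchport mode trunk
interface FastEthernet0/5
 shutdown
line vty 0 4
 login
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a new top-level section ends the block
    return interfaces

def audit_trunk_exposure(config):
    """Return {interface: finding} for ports where a trunk exists or can form."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds or "no switchport" in cmds:
            continue  # disabled or routed port: no trunking
        modes = [c[len("switchport mode "):] for c in cmds
                 if c.startswith("switchport mode ")]
        mode = modes[-1] if modes else None
        if mode == "access":
            continue  # permanently non-trunking
        if mode == "trunk":
            findings[name] = "static trunk: confirm the neighbor is a trusted switch"
        else:
            # Assumption: ports with no explicit mode use a dynamic DTP default.
            findings[name] = "DTP may negotiate a trunk (mode: %s)" % (mode or "platform default")
    return findings

if __name__ == "__main__":
    for port, finding in audit_trunk_exposure(SAMPLE_CONFIG).items():
        print(port, "-", finding)
```

Ports it reports are candidates for `switchport mode access` where no switch-to-switch link is intended; upgrading IOS, as the advisory recommends, remains the fix for the crash itself.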