Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15877
HistoryJan 28, 2007 - 12:00 a.m.

S21sec-034-en: Cisco VTP DoS vulnerability

2007-01-2800:00:00
vulners.com
18
JSON

###############################################################
ID: S21SEC-034-en
Title: Cisco VTP Denial Of Service
Date: 26/01/2007
Status: Vendor contacted, bug fixed
Severity: Medium - DoS - remote from the local subnet
Scope: Cisco Catalyst Switch denial of service
Platforms: IOS
Author: Alfredo Andres Omella, David Barroso Berrueta
Location: http://www.s21sec.com/es/avisos/s21sec-034-en.txt
Release: Public
###############################################################

                            S 2 1 S E C

                       http://www.s21sec.com

                    Cisco VTP Denial Of Service

About VTP

VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for
VLAN centralized management.
For instance, when you configure a VLAN in a switch, the VLAN
information (the VLAN name and its identifier)
will be configured automatically in all the switches that belong to
the same VTP domain.

Description of vulnerability

VTP uses Subset-Advert messages to advertise the existing VLANs
within a VTP domain,
sending a malformed crafted packet it is possible to force a switch
"crash & reload". In order to trigger the vulnerability,
you need to previously set up the trunking (manually or using
Yersinia DTP attack).

Affected Versions and platforms

This vulnerability has been tested against Cisco Catalyst 2950T
switches with IOS 12.1(22)EA3.
Other versions are probably vulnerable.

Solution

According to Cisco PSIRT, it is already fixed. We don't know all the
details because
Cisco tagged (back in 2005) the issue as an "internal bug", not as a
security vulnerability.
Upgrade your IOS to the latest release.

Additional information

This vulnerability has been found and researched by:

David Barroso Berrueta   [email protected]
Alfredo Andres Omella     [email protected]

It was found on January 2005 and shown in a real demo at BlackHat
Europe Briefings 2005 (March 2005) (Yersinia, a framework for layer 2
attacks).
Some months later, FX from Phenoelit found other VTP vulnerabilities:
http://www.securityfocus.com/archive/1/445896/30/0/threaded
Cisco released then an answer to FX (http://www.cisco.com/warp/public/
707/cisco-sr-20060913-vtp.shtml) but as there is no any comment about
this
specific vulnerability we suppose that it is not related with this one.

This vulnerability has been implemented in the current Yersinia
version, under the VTP attacks (see the src/vtp.c file) .
Yersinia homepage: http://www.yersinia.net

You can find this advisory at:
http://www.s21sec.com/en/avisos/s21sec-034-en.txt

Other S21SEC advisories availabe at http://www.s21sec.com/en/avisos/

JSON