CERT-MU Vulnerability Note VN-2008-12
Cisco VLAN Trunking Protocol Vulnerability
Original Issue Date: November 10, 2008
Severity Rating: High
Systems Affected
- Cisco IOS or CatOS (Catalyst OS) devices that have VTP Operating Mode set to either "server" or "client"
- Cisco IOS with Ethernet Switch Modules for Cisco 800/2600/2800/3600/3700/3800 Series Routers that have VTP Operating Mode set to either "server" or "client"
Overview
A vulnerability has been reported in Cisco Catalyst OS and Cisco IOS Software that could allow an unauthenticated attacker on a directly attached network segment to cause a denial of service (DoS) condition on an affected switch.
Description
VTP (VLAN Trunking Protocol) packets are used to propagate VLAN configuration changes between switches in the same VTP domain. The vulnerability is due to an error in the way the software handles malformed VTP packets. An attacker on a network segment that is directly attached to an affected switch could exploit this vulnerability by sending a specially crafted VTP packet to a switch port that is configured for trunking, or that can be negotiated into a trunk through Dynamic Trunking Protocol (DTP). This could cause the device to crash, resulting in a DoS condition. Because VTP frames are exchanged only over trunk links between Layer 2 neighbours, the attack requires Layer 2 adjacency to the affected device; it cannot be launched across a Layer 3 boundary.
Workarounds
- Physically secure any network segments that connect to vulnerable ports on vulnerable devices.
- Connect vulnerable trunk ports only to trusted and secure hosts or devices.
- Disable Dynamic Trunking Protocol (DTP) on all non-trunk ports so that an attached host cannot negotiate a port into a trunk.
- Devices whose VTP Operating Mode is "transparent" are not in the Systems Affected list above; switches that do not need VTP can be set to that mode.
- Follow the security best practices given in the Cisco Security Response notice.
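The following script is an added example for this note, not code from CERT-MU or Cisco. It audits a Cisco IOS running-config for the two conditions the workarounds target: a VTP operating mode of "server" or "client" (the affected modes), and switch ports that are trunks or that DTP could still negotiate into a trunk. The sample configuration, interface names and VLAN numbers are constructed for illustration; the assumption that a port with no explicit "switchport mode" line is DTP-negotiable reflects common Catalyst defaults and should be confirmed with "show interfaces switchport" on the real device.

```python
"""Audit a Cisco IOS running-config for the exposure described in VN-2008-12."""
import re

# Constructed sample running-config; not taken from any real device.
SAMPLE_CONFIG = """\
version 12.2
hostname access-sw1
!
vtp domain CAMPUS
vtp mode server
!
interface GigabitEthernet0/1
 description uplink-to-core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description user-port
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 description printer
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/4
 description unconfigured
!
end
"""

# VTP operating modes listed under "Systems Affected" in the advisory.
AFFECTED_VTP_MODES = {"server", "client"}


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for each interface stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def vtp_mode(config):
    """Return the configured VTP mode. IOS defaults to 'server' when no line is present."""
    match = re.search(r"^vtp mode (\S+)", config, re.MULTILINE)
    return match.group(1) if match else "server"


def classify_port(lines):
    """Classify one port by how exposed it is to an attacker-sent VTP frame."""
    mode = None
    nonegotiate = False
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line.split(" ", 2)[2]
        elif line == "switchport nonegotiate":
            nonegotiate = True
    if mode == "trunk":
        # A static trunk processes VTP: it must face a trusted device only.
        return "trunk"
    if mode == "access":
        # Access mode never becomes a trunk; 'nonegotiate' also stops DTP frames.
        return "hardened-access" if nonegotiate else "access-sends-dtp"
    # "dynamic auto"/"dynamic desirable", or no explicit mode (assumed to be a
    # dynamic default): a DTP peer on the port can negotiate it into a trunk.
    return "dtp-negotiable"


def audit(config):
    """Return the VTP mode, whether the device is in an affected mode, and per-port findings."""
    mode = vtp_mode(config)
    return {
        "vtp_mode": mode,
        "affected": mode in AFFECTED_VTP_MODES,
        "ports": {name: classify_port(lines) for name, lines in parse_interfaces(config).items()},
    }


def remediation(findings):
    """Return IOS commands that apply the advisory's 'disable DTP on non-trunk ports' workaround."""
    commands = []
    for name, status in findings["ports"].items():
        if status in ("dtp-negotiable", "access-sends-dtp"):
            commands += [f"interface {name}", " switchport mode access", " switchport nonegotiate"]
    return commands


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(f"vtp mode: {result['vtp_mode']} (affected: {result['affected']})")
    for port, status in result["ports"].items():
        print(f"{port}: {status}")
    print("\n".join(remediation(result)))
```

Trunk ports are reported but not "fixed" by the script: the advisory's guidance for them is to ensure they connect only to trusted devices, which is a topology decision rather than a configuration change.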
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Vendor Information
CISCO
http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
References
CISCO
http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
SecurityTracker
http://www.securitytracker.com/alerts/2008/Nov/1021144.html
Secunia
http://secunia.com/Advisories/32573/
FrSIRT
http://www.frsirt.com/english/advisories/2008/3031
AusCERT
http://www.auscert.org.au/render.html?it=10039