
vlanAbuse.txt

Posted Jun 20, 2005
Site fishnetsecurity.com

Various voice VLAN access and abuse is possible on Cisco voice-enabled 802.1x-secured interfaces.

tags | advisory
systems | cisco
SHA-256 | b271c560636f09a5cbd25f3b28da662cee34afe14326f5e0ed5ce97adddc4dbf

==============================================================================

Title: Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces

Vulnerability Discovery: FishNet Security - http://www.fishnetsecurity.com

Date: 06/08/2005

Severity: Medium - Voice VLAN locally accessible despite voice-enabled ports being 802.1x-secured

Vendor: http://www.cisco.com

==============================================================================

==============================================================================

Summary:

Cisco switches that support both 802.1x security and Cisco IP Phones can distinguish access to the voice VLAN by Cisco IP Phones from access to the data VLAN by devices connected to the auxiliary (daisy-chain) ports of those phones. Thus 802.1x port-level security can be applied on switch ports connected to Cisco IP Phones which are, in turn, connected to end-user devices.

--------------------------------------------------------------------------

Description of Issue:

In this configuration, data VLAN access provided to devices connected to IP Phone auxiliary ports is authenticated via 802.1x. Unfortunately, access to the voice VLAN cannot be authenticated as securely, because Cisco IP Phones lack 802.1x supplicant software. It has been found that a specifically crafted Cisco Discovery Protocol (CDP) message sent from the Cisco IP Phone to the switch opens access to the voice VLAN for frames originating from that Cisco IP Phone's MAC address. Although 802.1x port-security may be configured on the switch port, voice VLAN access is trivially gained by spoofing a CDP message.

--------------------------------------------------------------------------

Risk Mitigation:

There is no *fix* to this issue as of yet. The true resolution would be to provide 802.1x supplicant software on IP phones such that voice VLAN and data VLAN access are both 802.1x authenticated. Traditionally, access to the voice VLAN of a voice-enabled system such as is described above was provided by a switch to any device without authentication. Cisco has provided the ability to differentiate between phones and other devices, albeit in such a way that voice VLAN access is still trivially gained. It should be noted that this configuration is still preferred over the old method, which uses no authentication for either VLAN. However, it is still important to note that true port-level authentication is still not being provided. Currently the best way to mitigate the risk introduced by unauthorized voice VLAN access is to implement traditional security measures as well as some of the advanced security features available in Cisco networking equipment. Cisco CallManager 4.x and certain Cisco IP Phones now support the authentication of phone registration through the use of certificates. Features like this reduce the risk of unauthorized voice VLAN access if other necessary controls are also put into place, such as the following:

* Disable telnet on phones.

* Always use cryptographically secure management protocols such as SSH, HTTPS, and SNMPv3 when possible to lower the risk of eavesdropping that ARP poisoning and DNS manipulation attacks present.

* Disable all administrative access to network infrastructure from voice VLAN addresses.

* Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks.

* Configure DHCP snooping to lower the risk of DHCP server spoofing attacks.

* Configure limits on the number of MAC addresses allowed to be connected to a switch port. This will lower the risk of port-stealing by overwhelming the switch CAM table.

* Configure storm control to limit the risk of a DoS attack via non-unicast traffic.

* Configure proper filtering between voice and data networks to ensure that even if unauthorized voice VLAN access is achieved, the risk presented by this access is less than the risk posed by unauthorized data VLAN access.
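The controls listed above, applied on a Cisco IOS access switch, as an added example that is not part of the advisory. It assumes voice VLAN 100 (10.100.0.0/24), data VLAN 200 (10.200.0.0/24), a management subnet 10.10.0.0/24 with CallManager at 10.10.10.5, that the voice VLAN is routed on this switch, and that AAA/RADIUS and `dot1x system-auth-control` are already configured; interface, VLAN and ACL names are placeholders.

```cisco
! Added example, not from the advisory. VLAN ids, subnets, the
! CallManager address and all names are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 100,200
ip arp inspection vlan 100,200
!
! Only the uplink is a trusted source of DHCP offers and ARP bindings.
interface GigabitEthernet0/1
 description UPLINK
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Phone-facing port: 802.1x for the daisy-chained device, MAC limit and
! storm control. Some platforms learn the phone's MAC on both VLANs, so
! the limit is phone plus one device plus one spare; tune per platform.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 200
 switchport voice vlan 100
 dot1x port-control auto
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
!
! Voice-to-data filtering on the voice VLAN SVI: phones reach call
! control only; data VLAN and management subnet are denied and logged.
ip access-list extended VOICE-VLAN-IN
 permit ip 10.100.0.0 0.0.0.255 host 10.10.10.5
 deny   ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255 log
 deny   ip 10.100.0.0 0.0.0.255 10.10.0.0 0.0.0.255 log
 deny   ip any any log
interface Vlan100
 ip access-group VOICE-VLAN-IN in
!
! Management from the management subnet only, over SSH and SNMPv3;
! no telnet, no cleartext HTTP, nothing from voice VLAN addresses.
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
snmp-server group NETMON v3 priv access MGMT-HOSTS
```

Verify the result with `show ip dhcp snooping`, `show ip arp inspection vlan 100`, `show port-security interface FastEthernet0/1` and `show dot1x interface FastEthernet0/1`; the logged ACL denies on Vlan100 are the detection signal for traffic from an unauthorized voice VLAN host reaching for the data or management networks.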

--------------------------------------------------------------------------

References:

http://www.fishnetsecurity.com/csirt/disclosure/cisco/

http://www.fishnetsecurity.com/advisory_link

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml





