exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

s21sec-034-en.txt

s21sec-034-en.txt
Posted Jan 27, 2007
Authored by David Barroso, Alfredo Andres Omella | Site s21sec.com

The Cisco Catalyst switch suffers from a denial of service vulnerability related to VTP.

tags | advisory, denial of service
systems | cisco
SHA-256 | 0f9bb8c8c7b5e234ea5320969317bf70ea0f63174091b38c82e5721e6cb32d88

s21sec-034-en.txt

Change Mirror Download
###############################################################
ID: S21SEC-034-en
Title: Cisco VTP Denial Of Service
Date: 26/01/2007
Status: Vendor contacted, bug fixed
Severity: Medium - DoS - remote from the local subnet
Scope: Cisco Catalyst Switch denial of service
Platforms: IOS
Author: Alfredo Andres Omella, David Barroso Berrueta
Location: http://www.s21sec.com/es/avisos/s21sec-034-en.txt
Release: Public
###############################################################

S 2 1 S E C

http://www.s21sec.com

Cisco VTP Denial Of Service


About VTP
---------

VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for
VLAN centralized management.
For instance, when you configure a VLAN in a switch, the VLAN
information (the VLAN name and its identifier)
will be configured automatically in all the switches that belong to
the same VTP domain.


Description of vulnerability
----------------------------

VTP uses Subset-Advert messages to advertise the existing VLANs
within a VTP domain,
sending a malformed crafted packet it is possible to force a switch
"crash & reload". In order to trigger the vulnerability,
you need to previously set up the trunking (manually or using
Yersinia DTP attack).


Affected Versions and platforms
-------------------------------

This vulnerability has been tested against Cisco Catalyst 2950T
switches with IOS 12.1(22)EA3.
Other versions are probably vulnerable.


Solution
--------

According to Cisco PSIRT, it is already fixed. We don't know all the
details because
Cisco tagged (back in 2005) the issue as an "internal bug", not as a
security vulnerability.
Upgrade your IOS to the latest release.


Additional information
----------------------

This vulnerability has been found and researched by:

David Barroso Berrueta dbarroso@s21sec.com
Alfredo Andres Omella aandres@s21sec.com

It was found on January 2005 and shown in a real demo at BlackHat
Europe Briefings 2005 (March 2005) (Yersinia, a framework for layer 2
attacks).
Some months later, FX from Phenoelit found other VTP vulnerabilities:
http://www.securityfocus.com/archive/1/445896/30/0/threaded
Cisco released then an answer to FX (http://www.cisco.com/warp/public/
707/cisco-sr-20060913-vtp.shtml) but as there is no any comment about
this
specific vulnerability we suppose that it is not related with this one.

This vulnerability has been implemented in the current Yersinia
version, under the VTP attacks (see the src/vtp.c file) .
Yersinia homepage: http://www.yersinia.net

You can find this advisory at:
http://www.s21sec.com/en/avisos/s21sec-034-en.txt

Other S21SEC advisories availabe at http://www.s21sec.com/en/avisos/

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close