==========================================================================
Title: Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces
Vulnerability Discovery: FishNet Security - http://www.fishnetsecurity.com
Date: 06/08/2005
Severity: Medium - Voice VLAN locally accessible despite voice-enabled ports being 802.1x-secured
Vendor: http://www.cisco.com
==========================================================================
==========================================================================

Summary:

Cisco switches that support both 802.1x security and Cisco IP Phones have the ability to differentiate between access of the voice VLAN by Cisco IP Phones and access of the data VLAN by devices connected to the auxiliary ports (daisy-chained) of IP Phones. Thus 802.1x port-level security can be achieved on switch ports connected to Cisco IP Phones which are, in turn, connected to end-user devices.

--------------------------------------------------------------------------

Description of Issue:

In this configuration, data VLAN access provided to devices connected to IP Phone auxiliary ports is authenticated via 802.1x. Unfortunately, access to the voice VLAN cannot be authenticated as securely, because Cisco IP Phones lack 802.1x supplicant software. It has been found that a specifically crafted Cisco Discovery Protocol (CDP) message, sent from the Cisco IP Phone to the switch, opens access to the voice VLAN for frames originating from that Cisco IP Phone's MAC address. Although 802.1x port security may be configured on the switch port, voice VLAN access is trivially gained by spoofing a CDP message.

--------------------------------------------------------------------------

Risk Mitigation:

There is no *fix* for this issue as of yet. The true resolution would be to provide 802.1x supplicant software on IP phones so that voice VLAN and data VLAN access are both 802.1x authenticated. Traditionally, access to the voice VLAN of a voice-enabled system such as the one described above was provided by a switch to any device without authentication. Cisco has provided the ability to differentiate between phones and other devices, albeit in such a way that voice VLAN access is still trivially gained. It should be noted that this configuration is still preferred over the old method, which uses no authentication for either VLAN. However, it is still important to note that true port-level authentication is still not being provided. Currently the best way to mitigate the risk introduced by unauthorized voice VLAN access is to implement traditional security measures as well as some of the advanced security features available in Cisco networking equipment. Cisco CallManager 4.x and certain Cisco IP Phones now support the authentication of phone registration through the use of certificates. Features like this reduce the risk of unauthorized voice VLAN access if other necessary controls are also put into place, such as the following:

* Disable telnet on phones.

* Always use cryptographically secure management protocols such as SSH, HTTPS, and SNMPv3 when possible, to lower the risk of eavesdropping that ARP poisoning and DNS manipulation attacks present.

* Disable all administrative access to network infrastructure from voice VLAN addresses.

* Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks.

* Configure DHCP snooping to lower the risk of DHCP server spoofing attacks.

* Configure limits on the number of MAC addresses allowed to be connected to a switch port. This will lower the risk of port-stealing by overwhelming the switch CAM table.

* Configure storm control to limit the risk of a DoS attack via non-unicast traffic.

* Configure proper filtering between voice and data networks to ensure that even if unauthorized voice VLAN access is achieved, the risk presented by this access is less than the risk posed by unauthorized data VLAN access.

--------------------------------------------------------------------------

References:

http://www.fishnetsecurity.com/csirt/disclosure/cisco/

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml
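The switch-side controls from the mitigation list above, shown as an added example that is not from the advisory or from Cisco: a constructed IOS configuration fragment for a Catalyst access switch with VLAN 10 as data, VLAN 20 as voice and VLAN 99 as management. The interface names, VLAN numbers, addresses and RADIUS key are placeholders, and the voice-to-data ACL assumes this switch also routes between the VLANs; the phone-side items (telnet, registration certificates) are configured on the phones and CallManager, not here.

```cisco
! Constructed example, not from the advisory or Cisco. VLAN 10 = data,
! VLAN 20 = voice, VLAN 99 = management, 192.0.2.10 = RADIUS, 10.99.0.20 =
! CallManager; all names and addresses are placeholders.
! 802.1x on the data side: the part the advisory's setup already provides.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
dot1x system-auth-control
! DHCP snooping and dynamic ARP inspection on both data and voice VLANs.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
! Phone-facing access port: 802.1x for the attached host, MAC limit, storm control.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
 switchport port-security
 ! phone + one host; the phone MAC can be learned on both VLANs, so start at 3
 switchport port-security maximum 3
 switchport port-security violation restrict
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control action trap
! Uplink: the only port trusted for DHCP server replies and ARP.
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
! Voice -> data filtering at the voice SVI (assumes this switch routes between
! VLANs): phones may reach CallManager but not data or management hosts.
ip access-list extended VOICE-IN
 permit ip 10.20.0.0 0.0.0.255 host 10.99.0.20
 deny   ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 log
 deny   ip 10.20.0.0 0.0.0.255 10.99.0.0 0.0.0.255 log
 permit ip any any
interface Vlan20
 ip access-group VOICE-IN in
! Management plane: SSH only, and never from voice VLAN addresses.
ip access-list standard MGMT-IN
 permit 10.99.0.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class MGMT-IN in
```

The logged denies on VOICE-IN double as a detection point: any hit from a voice VLAN address toward the data or management subnets is traffic a phone has no reason to send.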
