|
Cisco IOS VTP Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA21896
|
|
|
Release Date:
|
2006-09-14
|
|
Last Update:
|
2006-09-29
|
|
Popularity:
|
10,165 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Manipulation of data
DoS
System access
|
|
Where:
|
From local network
|
|
Solution Status:
|
Vendor Workaround
|
|
| OS: | Cisco IOS 10.x
Cisco IOS 11.x
Cisco IOS 12.x
Cisco IOS R11.x
Cisco IOS R12.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2006-4774
CVE-2006-4775
CVE-2006-4776
|
|
Description:
FX has reported some vulnerabilities in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable network device.
1) An error exists in the handling of summary packets in the VLAN Truncing Protocol (VTP). This can be exploited to reset the switch with a Software Forced Crash Exception by sending a specially crafted packet to a trunk enabled port.
2) An integer overflow error exists in the VTP configuration revision handling. This can be exploited to prevent that changes to the VLAN database are properly propagated throughout the VTP domain by sending a specially crafted packet containing 0x7FFFFFFF as a configuration revision number.
3) A boundary error exists in the processing of VTP summary advertisement messages. This can be exploited to cause a heap-based buffer overflow by sending a specially crafted message containing an overly long VLAN name (more than 100 characters) to a trunk enabled port.
Successful exploitation may allow arbitrary code execution.
NOTE: The packets must be received with a matching domain name and a matching VTP domain password (if configured).
The vulnerabilities affect Cisco IOS with a VTP Operating Mode as either "server" or "client".
Solution:
A fix is reportedly available for vulnerability #1. The vendor also recommends applying a VTP domain password to the VTP domain (see the vendor's advisory for details).
Provided and/or discovered by:
FX, Phenoelit.
Changelog:
2006-09-18: Added CVE references.
2006-09-29: Added links to US-CERT vulnerability notes.
Original Advisory:
Phenoelit:
http://www.phenoelit.de/stuff/CiscoVTP.txt
Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
Other References:
US-CERT VU#175148:
http://www.kb.cert.org/vuls/id/175148
US-CERT VU#542108:
http://www.kb.cert.org/vuls/id/542108
US-CERT VU#821420:
http://www.kb.cert.org/vuls/id/821420
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
