Secunia

FX has reported some vulnerabilities in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable network device.

1) An error exists in the handling of summary packets in the VLAN Truncing Protocol (VTP). This can be exploited to reset the switch with a Software Forced Crash Exception by sending a specially crafted packet to a trunk enabled port.

2) An integer overflow error exists in the VTP configuration revision handling. This can be exploited to prevent that changes to the VLAN database are properly propagated throughout the VTP domain by sending a specially crafted packet containing 0x7FFFFFFF as a configuration revision number.

3) A boundary error exists in the processing of VTP summary advertisement messages. This can be exploited to cause a heap-based buffer overflow by sending a specially crafted message containing an overly long VLAN name (more than 100 characters) to a trunk enabled port.

Successful exploitation may allow arbitrary code execution.

NOTE: The packets must be received with a matching domain name and a matching VTP domain password (if configured).

The vulnerabilities affect Cisco IOS with a VTP Operating Mode as either "server" or "client".

Solution
A fix is reportedly available for vulnerability #1. The vendor also recommends applying a VTP domain password to the VTP domain (see the vendor's advisory for details).

Provided and/or discovered by
FX, Phenoelit.

Changelog
Further details available in Customer Area

Original Advisory
Phenoelit:
http://www.phenoelit.de/stuff/CiscoVTP.txt

Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area