SANS ISC: cisco vtp vulnerabilities SANS ISC InfoSec Forums

cisco vtp vulnerabilities

FX reported three vulnerabilities in Cisco VTP.
http://www.securityfocus.com/archive/1/445896/30/0/threaded

Cisco issued this public response.
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name, with possible remote code execution.
VTP passwords mitigate this one somewhat, as long as the passwords are not easily guessable or well known.

CSCsd52629/CSCsd34759 -- VTP version field DoS
VTP passwords do not mitigate this vulnerability, because it is triggered before the VTP password would be used.

CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
This one appears to be a cosmetic issue, not a DoS.
Cisco was unable to recreate a DoS condition in their testing.

FX, in the original posting, provided a text version of the packet needed to perform the buffer overflow in the VTP VLAN name. That can easily be converted to a pcap. I consider that to be a public release of the exploit.

If you have not set a VTP mode, then VTP server is the default mode.
A switch that is not set to transparent mode could be vulnerable, depending on its code level.

To set a VTP password, execute the command:

vtp password $PAssw0rd_th@t_15_h@rd_2_guess

From the Cisco response:
"Products affected by these vulnerabilities:

Switches running affected versions of Cisco IOS® software that have VTP Operating Mode as either "server" or "client" are affected by all three vulnerabilities

Switches running affected versions of Cisco CatOS that have VTP Operating Mode as either "server" or "client" are only affected by the "Integer Wrap in VTP revision" vulnerability

Products not affected by these vulnerabilities:

Switches configured with VTP operating mode as "transparent"

Switches running CatOS with VTP Operating Mode as either "server" or "client" are not affected by the "Buffer Overflow in VTP VLAN name" or "VTP Version field DoS" vulnerabilities"

donald
ISC Handler
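
The exposure rules above (mode, platform, password) can be checked per switch from collected command output. This is an added example, not part of the original post or Cisco's response; the sample text is constructed, and the `show vtp status` / `show vtp password` line formats and the issue labels are assumptions to adjust for your platform and code level.

```python
import re

# Exposure for VTP server/client mode, per the Cisco response quoted in the post.
EXPOSURE = {
    "ios": ["vlan-name-overflow", "version-field-dos", "revision-integer-wrap"],
    "catos": ["revision-integer-wrap"],
}

# Constructed sample output, modelled on "show vtp status" / "show vtp password".
STATUS_SERVER = """VTP Version                     : 2
Configuration Revision          : 12
VTP Operating Mode              : Server
VTP Domain Name                 : LAB
"""
STATUS_TRANSPARENT = STATUS_SERVER.replace("Server", "Transparent")
PASSWORD_UNSET = "The VTP password is not configured.\n"
PASSWORD_SET = "VTP Password: example-only\n"

def vtp_mode(status: str) -> str:
    """Return the operating mode in lower case, or 'unknown' if the line is absent."""
    m = re.search(r"^\s*VTP Operating Mode\s*:\s*(\w+)", status, re.M | re.I)
    return m.group(1).lower() if m else "unknown"

def password_set(output: str) -> bool:
    """True only when the output shows a non-empty configured password."""
    return bool(re.search(r"^\s*VTP Password\s*:\s*\S+", output, re.M | re.I))

def assess(platform: str, status: str, password_output: str = "") -> dict:
    """Map one switch's VTP state to the three issues discussed in the post."""
    mode = vtp_mode(status)
    if mode == "transparent":
        return {"mode": mode, "exposed": [], "notes": ["transparent: not affected"]}
    notes = []
    if mode not in ("server", "client"):
        notes.append("mode not recognised: assessed as server/client")
    exposed = list(EXPOSURE[platform.lower()])
    if "vlan-name-overflow" in exposed:
        notes.append("VTP password set: partial mitigation for vlan-name-overflow only"
                     if password_set(password_output)
                     else "no VTP password: vlan-name-overflow unmitigated")
    if "version-field-dos" in exposed:
        notes.append("version-field-dos is not mitigated by a VTP password")
    return {"mode": mode, "exposed": exposed, "notes": notes}

if __name__ == "__main__":
    print("sw1", assess("ios", STATUS_SERVER, PASSWORD_UNSET))
    print("sw2", assess("ios", STATUS_TRANSPARENT))
    print("sw3", assess("catos", STATUS_SERVER, PASSWORD_SET))
```

A result with an empty `exposed` list only reflects the VTP mode; whether a server or client switch is actually vulnerable still depends on its code level.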