SANS ISC: cisco vtp vulnerabilities - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

FX reported three vulnerabilities for cisco vtp.
http://www.securityfocus.com/archive/1/445896/30/0/threaded

Cisco responded with this public response.
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name possible remote code execution.
VTP passwords mitigate this one somewhat as long as the passwords are not easily guessable or well known.

CSCsd52629/CSCsd34759 -- VTP version field DoS
VTP passwords do not mitigate this vulnerability as this takes place before the vtp password would be used.

CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
This one appears to be a cosmetic issue not a DOS.
Cisco was unable to recreate a DOS condition one in their testing.

FX in the original posting provided a text version of the packet needed to perform the buffer overflow in vtp vlan name. That can easily be converted to a pcap. I consider that to be a public release of the exploit.

If you have not set a vtp mode then VTP server is the default mode.
If not set to transparent mode the vtp could be vulnerable depending on code level.

To set a vtp password execute the command

vtp password $PAssw0rd_th@t_15_h@rd_2_guess

From the cisco response:
"Products affected by these vulnerabilities:

Switches running affected versions of Cisco IOS® software that have VTP Operating Mode as either "server" or "client" are affected by all three vulnerabilities

Switches running affected versions of Cisco CatOS that have VTP Operating Mode as either "server" or "client" are only affected by the "Integer Wrap in VTP revision" vulnerability

Products not affected by these vulnerabilities:

Switches configured with VTP operating mode as "transparent"

Switches running CatOS with VTP Operating Mode as either "server" or "client" are not affected by the "Buffer Overflow in VTP VLAN name" or "VTP Version field DoS" vulnerabilities"