VTP stands for VLAN Trunking Protocol, a protocol used for configuring and administering VLANs on Cisco network devices.
Cisco Systems IOS contains bugs in its handling of the VLAN Trunking Protocol (VTP). Specially crafted packets may cause denial of service conditions, confusion of the network operator, and a heap overflow with the possibility of arbitrary code execution.
Cisco IOS suffers from several bugs in the VTP handling code. All issues require VTP to be in server or client mode. Transparent mode (default) is not affected.
Denial of Service:
When a VTP version 1 summary frame with the VTP version field set to the value 2 is sent to a Cisco IOS device, the device stops working. Apparently, the VTP handling process loops and is terminated by the system's watchdog process, which reloads the device.
Integer wrap in VTP revision:
If an attacker can send VTP updates (summary and subset) to a Cisco IOS or CatOS device, he can choose the revision of the VTP information. A revision of 0x7FFFFFFF is accepted by IOS. When the switch's VLAN configuration is changed by an operator, IOS increments the revision, which becomes 0x80000000 and appears to be tracked internally by a signed integer variable. The revision is therefore seen as a large negative value. From that point on, the switch is unable to communicate changed VLAN configurations, since the updates it generates are rejected by all other switches.
VLAN name heap overflow:
If an attacker can send VTP updates to a Cisco IOS device, the type 2 frames contain a record for each individual VLAN in the update. One field of each VTP record holds the name of the VLAN, another field the length of this name. Sending an update with a VLAN name longer than 100 bytes, and correctly reflecting that length in the VLAN name length field, causes a heap overflow. The overflow can be exploited to execute arbitrary code on the receiving switch. The maximum length of a VLAN name in VTP is 255 bytes.
Example:
The following is an example frame for issue 3. The appropriate VTP summary advertisement (type 1) must be sent before this frame.
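As an added illustration, not part of the original advisory and not the example frame referred to above, the following Python parser walks a VTP subset advertisement (type 2 frame) and flags the conditions the three issues describe: a version byte that differs from the domain's configured VTP version (the same check applies to summary frames), a revision at or above 0x7FFFFFFF, and a VLAN name length above 100 bytes or inconsistent with its record length. The field layout follows the public VTP dissection (as in Wireshark); the 100-byte and 0x7FFFFFFF thresholds are taken from the advisory text, and build_fixture only produces constructed test vectors for the parser.

```python
import struct

VTP_SUBSET = 0x02              # VTP code byte for a subset advertisement (type 2 frame)
NAME_LEN_THRESHOLD = 100       # advisory: VLAN names above 100 bytes overflowed the IOS heap buffer
SIGNED_INT32_MAX = 0x7FFFFFFF  # advisory: IOS tracks the revision as a signed int, so this wraps next

def parse_subset_advert(frame: bytes, expected_version=None):
    """Parse a VTP subset advertisement; return (revision, [(vlan_id, name)], findings).
    Layout as dissected by Wireshark: version, code, sequence, domain-name length,
    32-byte domain name, 4-byte revision, then VLAN info records each led by its own
    total-length byte (status, type, name length, ISL VLAN ID, MTU, 802.10 index, name)."""
    if len(frame) < 40:
        raise ValueError("frame too short for a VTP subset header")
    version, code = frame[0], frame[1]
    if code != VTP_SUBSET:
        raise ValueError(f"not a subset advertisement (code {code:#x})")
    revision = struct.unpack_from("!I", frame, 36)[0]
    findings, records = [], []
    if expected_version is not None and version != expected_version:
        findings.append(f"version byte {version} differs from the domain's VTP version {expected_version}")
    if revision >= SIGNED_INT32_MAX:
        findings.append(f"revision {revision:#x} goes negative in a signed int32 on the next change")
    off = 40
    while off < len(frame):
        rec_len = frame[off]
        if rec_len < 12 or off + rec_len > len(frame):
            findings.append(f"record at offset {off} has inconsistent length {rec_len}")
            break
        _status, _vtype, name_len, vlan_id = struct.unpack_from("!BBBH", frame, off + 1)
        if 12 + name_len > rec_len:
            findings.append(f"VLAN {vlan_id}: name length {name_len} exceeds record length {rec_len}")
        elif name_len > NAME_LEN_THRESHOLD:
            findings.append(f"VLAN {vlan_id}: name length {name_len} exceeds the {NAME_LEN_THRESHOLD}-byte bound")
        records.append((vlan_id, frame[off + 12:off + 12 + name_len]))
        off += rec_len
    return revision, records, findings

def build_fixture(domain: bytes, revision: int, vlans) -> bytes:
    """Constructed test vector for the parser (not a captured frame): a version 1
    subset advertisement carrying (vlan_id, name) pairs, names padded to 4 bytes."""
    hdr = bytes([1, VTP_SUBSET, 1, len(domain)]) + domain.ljust(32, b"\0") + struct.pack("!I", revision)
    recs = b""
    for vlan_id, name in vlans:
        padded = name.ljust(-(-len(name) // 4) * 4, b"\0")
        recs += struct.pack("!BBBBHHI", 12 + len(padded), 1, 1, len(name), vlan_id, 1500, 0x186A0 + vlan_id) + padded
    return hdr + recs
```

Calling parse_subset_advert(build_fixture(b"lab", 5, [(1, b"default")]), expected_version=1) returns an empty findings list, while a fixture with revision 0x7FFFFFFF or a name longer than 100 bytes yields one finding per condition.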
Notes:
The VTP management domain is needed for the summary advertisement to be correct. This information is distributed via CDP if enabled.
The attacker has to be on a trunk port for VTP frames to be accepted. The Dynamic Trunking Protocol (DTP) can be used to become a trunking peer.
Solution:
Cisco Systems provides fixed software, which can be found based on the following bug IDs:
* CSCsd52629/CSCsd34759 -- VTP version field DoS
* CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
* CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name
In general, it is recommended to configure a shared VTP password, which will be used in an MD5 hash to protect the summary advertisement.
Disclosure Timeline:
* 06.07.05 - Initial Notification, gaus@cisco.com
* 12.07.05 - PSIRT member Wendy Garvin took over
* 14.07.05 - Wendy states that there is a fix for one of the issues
* 19.07.05 - According to Wendy, Cisco has trouble reproducing the issues and finding the affected code
* 27.07.05 - Wendy notifies FX about fixed code
* 12.09.06 - Phenoelit advisory goes to Cisco (FX just forgot about it, too much to hack, too little time, but the PSIRT party in Vegas was a good reminder)
* 13.09.06 - Final advisory going public as coordinated release