###############################################################
ID: S21SEC-034-en
Title: Cisco VTP Denial Of Service
Date: 23/01/2007
Status: Vendor contacted, bug fixed
Severity: Medium - DoS - remote from the local subnet
Scope: Cisco Catalyst Switch denial of service
Platforms: IOS
Author: Alfredo Andres Omella, David Barroso Berrueta
Location: http://www.s21sec.com/en/avisos/s21sec-034-en.txt
Release: Public
###############################################################

S 2 1 S E C

http://www.s21sec.com

Cisco VTP Denial Of Service


About VTP
---------

VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for
centralized VLAN management. For instance, when you configure a VLAN on a
switch, the VLAN information (the VLAN name and its identifier) is
configured automatically on all the switches that belong to the same VTP
domain.


Description of vulnerability
----------------------------

VTP uses Subset-Advert messages to advertise the existing VLANs within a
VTP domain. By sending a malformed crafted packet, it is possible to force
a switch to "crash & reload".


Affected Versions and platforms
-------------------------------

This vulnerability has been tested against Cisco Catalyst 2950T switches
with IOS 12.1(22)EA3. Other versions are probably vulnerable.


Solution
--------

According to Cisco PSIRT, it is already fixed. We don't know the real
state because Cisco has managed the issue as an "internal bug", not as a
security vulnerability.

Upgrade your IOS to the latest release.


Additional information
----------------------

This vulnerability has been found and researched by:

David Barroso Berrueta dbarroso@s21sec.com
Alfredo Andres Omella aandres@s21sec.com

It was found in February 2005 and shown in a real demo at BlackHat Europe
2005 (March 2005) (Yersinia, a framework for layer 2 attacks).

FX from Phenoelit found other VTP vulnerabilities some months later:
http://www.securityfocus.com/archive/1/445896/30/0/threaded

This vulnerability has been implemented in the current Yersinia version,
under the VTP attacks.
Yersinia homepage: http://www.yersinia.net

You can find the latest version of this warning at:
http://www.s21sec.com/es/avisos/s21sec-034-en.txt

Other S21SEC advisories are available at:
http://www.s21sec.com/es/avisos/