Vulnerabilities in Cisco switches
In Cisco switches with Cisco's IOS and CatOS operating systems, VLAN management packets can trigger a denial of service or even be used to infiltrate malware. The VLAN trunking protocol (VTP) is a proprietary network level 2 Cisco protocol, through which special management stations can pass information on newly arrived or changed VLANs to other Cisco switches. The vulnerabilities are present only when devices are configured as client or server, not in transparent mode.
A member of the "white hat" hacker group Phenoelit, identified only as FX, has detected three flaws in the VTP functions. A long VTP-VLAN name can trigger a buffer overflow onto the stack, which might be used to execute code. Unusual values in the version field may, under certain circumstances, trigger a reset with a "Software Forced Crash Exception". Finally an integer variable can overflow, which, however, would merely result in a negative version value being displayed and isn't a critical problem. Cisco has made updates available for all three problems.
- Cisco VLAN Trunking Protocol Vulnerabilities, security bulletin from Cisco
- Cisco Systems IOS VTP multiple vulnerabilities, bug report from FX
- UNIRAS Advisory (UK Gov CERT)