AV:R/AC:L/Au:R/C:C/I:C/A:C/B:N/E:U/RL:O/RC:C
-
Cisco IOS contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation by the VTP feature of Cisco IOS. An authenticated, remote attacker could exploit this vulnerability by submitting a malicious VTP summary advertisement to an affected system. This action could result in a buffer overflow, resetting the affected system or allowing the attacker to execute arbitrary code.
Cisco confirmed this vulnerability in a security response and released updated software.
To exploit this vulnerability, the attacker must be able to craft a VTP summary advertisement packet that specifies a domain that matches the domain of the target system. This knowledge may be difficult for an external attacker to determine. Additionally, the attacker must send the packet in such a way that it arrives at the target system on a trunk-enabled port. To do this, the attacker must determine an appropriate destination address for a vulnerable target. Depending on local network configuration, the need to reach the target system on a trunk-enabled port may limit the systems from which the attacker can stage an attack.
Because standard suggested practice is to set a VTP domain password, the attacker must also know or guess this password to exploit this vulnerability.
-
Cisco has released a security response to address Cisco bug IDs CSCsd34855 and CSCei54611 at the following link: cisco-sr-20060913-vtp
Vulnerable Products
Cisco IOS devices whose VTP Operating Mode is either server or client are vulnerable.
A complete list of affected IOS products is available for registered users at the following links: CSCsd34855 and CSCei54611
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Administrators are advised to apply the appropriate update.
Administrators are advised to set passwords on VTP domains.
Administrators are advised to restrict access to affected devices.
Administrators are advised to monitor affected systems for signs of suspicious activity.
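The following audit sketch is an added example, not part of Cisco's advisory. It checks collected `show vtp status` and `show vtp password` output for the two conditions named above: a VTP Operating Mode of server or client, and a missing VTP domain password. The hostnames, sample captures and exact line layout are constructed assumptions; output formatting differs between IOS releases.

```python
import re

# Constructed sample captures of `show vtp status` followed by
# `show vtp password` (hostnames and values are made up for this example).
SAMPLES = {
    "dist-sw1": """\
VTP Version                     : 2
Configuration Revision          : 14
VTP Operating Mode              : Server
VTP Domain Name                 : CAMPUS
The VTP password is not configured.
""",
    "acc-sw7": """\
VTP Operating Mode              : Client
VTP Domain Name                 : CAMPUS
VTP Password: <redacted>
""",
    "lab-sw2": """\
VTP Operating Mode              : Transparent
VTP Domain Name                 :
The VTP password is not configured.
""",
}

# "VTP <label> : <value>" on one line; [ \t] keeps a match from spilling
# onto the next line when the value is empty.
FIELD = re.compile(r"^[ \t]*(VTP [A-Za-z ]+?)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)

def audit(capture):
    """Return (exposed, findings) for one device's captured output."""
    fields = {k.lower(): v for k, v in FIELD.findall(capture)}
    mode = fields.get("vtp operating mode", "").lower()
    findings = []
    if not mode:
        findings.append("VTP operating mode not found; check manually")
    # The advisory lists server and client modes as vulnerable.
    exposed = mode in ("server", "client")
    if exposed:
        findings.append(f"VTP mode '{mode}' is in scope: apply the fixed software")
        if not fields.get("vtp password"):
            findings.append("no VTP domain password set")
    return exposed, findings

def audit_fleet(captures):
    """Audit every capture; returns {hostname: (exposed, findings)}."""
    return {host: audit(text) for host, text in captures.items()}

if __name__ == "__main__":
    for host, (exposed, findings) in sorted(audit_fleet(SAMPLES).items()):
        print(host, "EXPOSED" if exposed else "ok", "; ".join(findings))
```

A device reported as not exposed here is only outside the mode condition stated in this advisory; the affected-release lists linked under Vulnerable Products remain the authority on whether a given image is fixed.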
-
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description | Section | Status | Date
1.0 | Initial Release | NA | Final | 2006-Sep-13
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.