---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/quality_assurance_analyst/ http://secunia.com/web_application_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Cisco IOS VTP Multiple Vulnerabilities SECUNIA ADVISORY ID: SA21896 VERIFY ADVISORY: http://secunia.com/advisories/21896/ CRITICAL: Moderately critical IMPACT: Manipulation of data, DoS, System access WHERE: >From local network OPERATING SYSTEM: Cisco IOS 10.x http://secunia.com/product/184/ Cisco IOS 11.x http://secunia.com/product/183/ Cisco IOS 12.x http://secunia.com/product/182/ Cisco IOS R11.x http://secunia.com/product/53/ Cisco IOS R12.x http://secunia.com/product/50/ DESCRIPTION: FX has reported some vulnerabilities in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable network device. 1) An error exists in the handling of summary packets in the VLAN Truncing Protocol (VTP). This can be exploited to reset the switch with a Software Forced Crash Exception by sending a specially crafted packet to a trunk enabled port. 2) An integer overflow error exists in the VTP configuration revision handling. This can be exploited to prevent that changes to the VLAN database are properly propagated throughout the VTP domain by sending a specially crafted packet containing 0x7FFFFFFF as a configuration revision number. 3) A boundary error exists in the processing of VTP summary advertisement messages. This can be exploited to cause a heap-based buffer overflow by sending a specially crafted message containing an overly long VLAN name (more than 100 characters) to a trunk enabled port. Successful exploitation may allow arbitrary code execution. NOTE: The packets must be received with a matching domain name and a matching VTP domain password (if configured). The vulnerabilities affect Cisco IOS with a VTP Operating Mode as either "server" or "client". SOLUTION: A fix is reportedly available for vulnerability #1. The vendor also recommends applying a VTP domain password to the VTP domain (see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: FX, Phenoelit. ORIGINAL ADVISORY: Phenoelit: http://www.phenoelit.de/stuff/CiscoVTP.txt Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------