ID

VAR-200609-0178


CVE

CVE-2006-4774


TITLE

Cisco IOS fails to properly handle summary packets in the VLAN Trunking Protocol

Trust: 1.6

sources: CERT/CC: VU#821420 // CERT/CC: VU#821420

DESCRIPTION

The VLAN Trunking Protocol (VTP) feature in Cisco IOS 12.1(19) allows remote attackers to cause a denial of service by sending a VTP version 1 summary frame with a VTP version field value of 2. This vulnerability may allow a remote, unauthenticated attacker to cause a denial-of-service condition.

------------

This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that it includes vulnerability information other than that described in the title.

(CVE-2006-4774) If exploited by a remote attacker, the device could go into a denial-of-service state.

2) The configuration revision number is processed as a negative integer, so changes to VLAN configuration information are not properly reflected. (CVE-2006-4775) If exploited by a remote attacker, changes to VLAN configuration information may be hindered.

3) The length of the VLAN name is not checked properly, so a heap overflow occurs when processing names longer than 100 characters. (CVE-2006-4776) If exploited by a remote attacker, the device could go into a denial-of-service state or potentially execute arbitrary code.

Please refer to the "Overview" for the impact of this vulnerability.

These issues include two denial-of-service vulnerabilities and a buffer-overflow vulnerability. Attackers require access to trunk ports on affected devices for VTP packets to be accepted. Attackers may reportedly use the Dynamic Trunk Protocol (DTP) to become a trunking peer to gain the required access. By exploiting these issues, attackers may crash affected routers, cause further VTP packets to be ignored, or potentially execute arbitrary machine code in the context of affected devices. Cisco IOS 12.1(19) is vulnerable to these issues; other versions are also likely affected.
2) VTP Modified Version Integer Wrapping

If an attacker can send VTP updates (summary and subset) to a Cisco IOS or CatOS device, he can choose the revision number of the VTP message himself. IOS will accept the revision number 0x7FFFFFFF. Therefore, this revision number is treated as a large negative value. From this point on, the switch cannot communicate changed VLAN configuration, as all other switches will reject the generated updates.

3) VLAN name heap overflow

If an attacker is able to send VTP updates to the Cisco IOS device, type 2 frames contain record of. One field of the VTP record contains the name of the VLAN, and the other field is the length of the name. If the updated VLAN name is larger than 100 bytes and the VLAN name length field is correct, it will cause a heap overflow and execute arbitrary code on the receiving switch.

----------------------------------------------------------------------

TITLE: Cisco IOS VTP Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA21896

VERIFY ADVISORY: http://secunia.com/advisories/21896/

CRITICAL: Moderately critical

IMPACT: Manipulation of data, DoS, System access

WHERE: From local network

OPERATING SYSTEM:
Cisco IOS 10.x http://secunia.com/product/184/
Cisco IOS 11.x http://secunia.com/product/183/
Cisco IOS 12.x http://secunia.com/product/182/
Cisco IOS R11.x http://secunia.com/product/53/
Cisco IOS R12.x http://secunia.com/product/50/

DESCRIPTION: FX has reported some vulnerabilities in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable network device.

This can be exploited to reset the switch with a Software Forced Crash Exception by sending a specially crafted packet to a trunk enabled port.

2) An integer overflow error exists in the VTP configuration revision handling.

3) A boundary error exists in the processing of VTP summary advertisement messages. This can be exploited to cause a heap-based buffer overflow by sending a specially crafted message containing an overly long VLAN name (more than 100 characters) to a trunk enabled port.

NOTE: The packets must be received with a matching domain name and a matching VTP domain password (if configured).

SOLUTION: A fix is reportedly available for vulnerability #1. The vendor also recommends applying a VTP domain password to the VTP domain (see the vendor's advisory for details).

PROVIDED AND/OR DISCOVERED BY: FX, Phenoelit.

ORIGINAL ADVISORY:
Phenoelit: http://www.phenoelit.de/stuff/CiscoVTP.txt
Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

Trust: 5.04

sources: NVD: CVE-2006-4774 // CERT/CC: VU#821420 // CERT/CC: VU#821420 // CERT/CC: VU#542108 // CERT/CC: VU#175148 // JVNDB: JVNDB-2006-000551 // BID: 19998 // VULHUB: VHN-20882 // PACKETSTORM: 50047 // PACKETSTORM: 50048

AFFECTED PRODUCTS

vendor: cisco | model: - | scope: - | version: -

Trust: 3.2

vendor: cisco | model: ios | scope: eq | version: 12.1\(19\)

Trust: 1.6

vendor: cisco | model: ios | scope: eq | version: 12.1

Trust: 0.8

vendor: cisco | model: ios | scope: eq | version: 12.1(19)

Trust: 0.3

vendor: cisco | model: ios | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: catos | scope: - | version: -

Trust: 0.3

sources: CERT/CC: VU#821420 // CERT/CC: VU#821420 // CERT/CC: VU#542108 // CERT/CC: VU#175148 // BID: 19998 // JVNDB: JVNDB-2006-000551 // CNNVD: CNNVD-200609-225 // NVD: CVE-2006-4774

CVSS

SEVERITY

CVSSV2

CVSSV3

CARNEGIE MELLON: VU#821420
value: 12.40

Trust: 1.6

nvd@nist.gov: CVE-2006-4774
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#542108
value: 22.74

Trust: 0.8

CARNEGIE MELLON: VU#175148
value: 3.37

Trust: 0.8

NVD: CVE-2006-4774
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200609-225
value: HIGH

Trust: 0.6

VULHUB: VHN-20882
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2006-4774
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-20882
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#821420 // CERT/CC: VU#821420 // CERT/CC: VU#542108 // CERT/CC: VU#175148 // VULHUB: VHN-20882 // JVNDB: JVNDB-2006-000551 // CNNVD: CNNVD-200609-225 // NVD: CVE-2006-4774

PROBLEMTYPE DATA

problemtype:CWE-399

Trust: 1.1

sources: VULHUB: VHN-20882 // NVD: CVE-2006-4774

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200609-225

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-200609-225

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-000551

PATCH

title: cisco-sr-20060913-vtp | url: http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

Trust: 0.8

sources: JVNDB: JVNDB-2006-000551

EXTERNAL IDS

db: SECUNIA | id: 21896

Trust: 5.0

db: NVD | id: CVE-2006-4774

Trust: 4.1

db: CERT/CC | id: VU#821420

Trust: 4.1

db: BID | id: 19998

Trust: 2.8

db: VUPEN | id: ADV-2006-3600

Trust: 1.7

db: OSVDB | id: 28775

Trust: 1.7

db: SECTRACK | id: 1016843

Trust: 1.7

db: CERT/CC | id: VU#542108

Trust: 1.6

db: CERT/CC | id: VU#175148

Trust: 1.6

db: SECUNIA | id: 21902

Trust: 0.9

db: JVNDB | id: JVNDB-2006-000551

Trust: 0.8

db: CNNVD | id: CNNVD-200609-225

Trust: 0.7

db: BUGTRAQ | id: 20060913 RE: CISCO IOS VTP ISSUES

Trust: 0.6

db: BUGTRAQ | id: 20060913 CISCO IOS VTP ISSUES

Trust: 0.6

db: CISCO | id: 20060913 CISCO VLAN TRUNKING PROTOCOL VULNERABILITIES

Trust: 0.6

db: XF | id: 28924

Trust: 0.6

db: VULHUB | id: VHN-20882

Trust: 0.1

db: PACKETSTORM | id: 50047

Trust: 0.1

db: PACKETSTORM | id: 50048

Trust: 0.1

sources: CERT/CC: VU#821420 // CERT/CC: VU#821420 // CERT/CC: VU#542108 // CERT/CC: VU#175148 // VULHUB: VHN-20882 // BID: 19998 // JVNDB: JVNDB-2006-000551 // PACKETSTORM: 50047 // PACKETSTORM: 50048 // CNNVD: CNNVD-200609-225 // NVD: CVE-2006-4774

REFERENCES

url:http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

Trust: 5.4

url:http://secunia.com/advisories/21896/

Trust: 3.4

url:http://www.phenoelit.de/stuff/ciscovtp.txt

Trust: 3.2

url:http://www.securityfocus.com/bid/19998

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/821420

Trust: 2.5

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-4774

Trust: 2.4

url:http://www.phenoelit.de/stuff/ciscovtp.txt

Trust: 1.8

url:http://www.osvdb.org/28775

Trust: 1.7

url:http://securitytracker.com/id?1016843

Trust: 1.7

url:http://secunia.com/advisories/21896

Trust: 1.7

url:http://www.cisco.com/en/us/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp998892

Trust: 1.6

url:http://www.frsirt.com/english/advisories/2006/3600

Trust: 1.4

url:http://www.securityfocus.com/archive/1/445896/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/445938/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2006/3600

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/28924

Trust: 1.1

url:http://secunia.com/advisories/21902/

Trust: 0.9

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2006-4774

Trust: 0.8

url:http://www.kb.cert.org/vuls/id/542108

Trust: 0.8

url:http://www.kb.cert.org/vuls/id/175148

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/445938/100/0/threaded

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/445896/100/0/threaded

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/28924

Trust: 0.6

url:http://www.cisco.com/public/sw-center/sw-ios.shtml

Trust: 0.3

url:/archive/1/445896

Trust: 0.3

url:/archive/1/445938

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.2

url:http://secunia.com/about_secunia_advisories/

Trust: 0.2

url:http://secunia.com/quality_assurance_analyst/

Trust: 0.2

url:http://secunia.com/hardcore_disassembler_and_reverse_engineer/

Trust: 0.2

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.2

url:http://secunia.com/web_application_security_specialist/

Trust: 0.2

url:http://secunia.com/product/50/

Trust: 0.1

url:http://secunia.com/product/184/

Trust: 0.1

url:http://secunia.com/product/53/

Trust: 0.1

url:http://secunia.com/product/182/

Trust: 0.1

url:http://secunia.com/product/183/

Trust: 0.1

url:http://secunia.com/product/527/

Trust: 0.1

url:http://secunia.com/product/3564/

Trust: 0.1

url:http://secunia.com/product/185/

Trust: 0.1

url:http://secunia.com/product/526/

Trust: 0.1

sources: CERT/CC: VU#821420 // CERT/CC: VU#821420 // CERT/CC: VU#542108 // CERT/CC: VU#175148 // VULHUB: VHN-20882 // BID: 19998 // JVNDB: JVNDB-2006-000551 // PACKETSTORM: 50047 // PACKETSTORM: 50048 // CNNVD: CNNVD-200609-225 // NVD: CVE-2006-4774

CREDITS

FX fx@phenoelit.de

Trust: 0.6

sources: CNNVD: CNNVD-200609-225

SOURCES

db: CERT/CC | id: VU#821420
db: CERT/CC | id: VU#821420
db: CERT/CC | id: VU#542108
db: CERT/CC | id: VU#175148
db: VULHUB | id: VHN-20882
db: BID | id: 19998
db: JVNDB | id: JVNDB-2006-000551
db: PACKETSTORM | id: 50047
db: PACKETSTORM | id: 50048
db: CNNVD | id: CNNVD-200609-225
db: NVD | id: CVE-2006-4774

LAST UPDATE DATE

2024-08-14T13:50:41.799000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#821420 | date: 2006-09-28T00:00:00
db: CERT/CC | id: VU#821420 | date: 2006-09-28T00:00:00
db: CERT/CC | id: VU#542108 | date: 2006-09-27T00:00:00
db: CERT/CC | id: VU#175148 | date: 2006-09-27T00:00:00
db: VULHUB | id: VHN-20882 | date: 2018-10-17T00:00:00
db: BID | id: 19998 | date: 2006-09-14T18:47:00
db: JVNDB | id: JVNDB-2006-000551 | date: 2007-04-01T00:00:00
db: CNNVD | id: CNNVD-200609-225 | date: 2006-09-18T00:00:00
db: NVD | id: CVE-2006-4774 | date: 2018-10-17T21:39:30.090

SOURCES RELEASE DATE

db: CERT/CC | id: VU#821420 | date: 2006-09-28T00:00:00
db: CERT/CC | id: VU#821420 | date: 2006-09-28T00:00:00
db: CERT/CC | id: VU#542108 | date: 2006-09-27T00:00:00
db: CERT/CC | id: VU#175148 | date: 2006-09-27T00:00:00
db: VULHUB | id: VHN-20882 | date: 2006-09-14T00:00:00
db: BID | id: 19998 | date: 2006-09-13T00:00:00
db: JVNDB | id: JVNDB-2006-000551 | date: 2007-04-01T00:00:00
db: PACKETSTORM | id: 50047 | date: 2006-09-14T22:28:53
db: PACKETSTORM | id: 50048 | date: 2006-09-14T22:28:53
db: CNNVD | id: CNNVD-200609-225 | date: 2006-09-13T00:00:00
db: NVD | id: CVE-2006-4774 | date: 2006-09-14T00:07:00