| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Jun 8 23:37:17 2005 From: Ed.Welsh at fishnetsecurity.com (Welsh, Ed) Subject: Voice VLAN Access/Abuse ========================================================================== Title: Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces Vulnerability Discovery: FishNet Security - http://www.fishnetsecurity.com <http://www.fishnetsecurity.com/> Date: 06/08/2005 Severity: Medium - Voice VLAN locally accessible despite voice-enabled ports being 802.1x-secured Vendor: http://www.cisco.com <http://www.cisco.com/> ========================================================================== ========================================================================== Summary: Cisco switches that support both 802.1x security and Cisco IP Phones have the ability to differentiate between access of the voice VLAN by Cisco IP Phones and access of the data VLAN by devices connected to the auxiliary ports (daisy-chained) of IP Phones. Thus 802.1x port-level security can be achieved on switch ports connected to Cisco IP Phones which are, in turn, connected to end-user devices. -------------------------------------------------------------------------- Description of Issue: In this configuration data VLAN access provided to devices connected to IP Phone auxiliary ports is authenticated via 802.1x. Unfortunately access to the voice VLAN cannot be so securely authenticated due to the lack of 802.1x supplicant software in Cisco IP Phones. It has been found that a specifically crafted Cisco Discovery Protocol (CDP) message is sent from the Cisco IP Phone to the switch which opens access to the voice VLAN for frames originating from that Cisco IP Phone's MAC address. Although 802.1x port-security may be configured on the switch port voice VLAN access is trivially gained by spoofing a CDP message. -------------------------------------------------------------------------- Risk Mitigation: There is no *fix* to this issue as of yet. The true resolution would be to provide 802.1x supplicant software on IP phones such that voice VLAN and data VLAN access are both 802.1x authenticated. Traditionally, access to the voice VLAN of a voice-enabled system such as is described above was provided by a switch to any device without authentication. Cisco has provided the ability to differentiate between phones and other devices albeit in a such away that voice VLAN access is still trivially gained. It should be noted that this configuration is still preferred over the old method which uses no authentication for either VLAN. However, it is still important to note that true port-level authentication is still not being provided. Currently the best way to mitigate the risk introduced by unauthorized voice VLAN access is to implement traditional security measures as well as some of the advanced security features available in Cisco networking equipment. Cisco CallManager 4.x and certain Cisco IP Phones now support the authentication of phone registration through the use of certificates. Features like this reduce the risk of unauthorized voice VLAN access if other necessary controls are also put into place such as the following: * Disable telnet on phones. * Always use cryptographically secure management protocols such as SSH, HTTPS, and SNMPv3 when possible to lower the risk of eavesdropping that ARP poisoning and DNS manipulation attacks present. * Disable all administrative access to network infrastructure from voice VLAN addresses. * Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks. * Configure DHCP snooping to lower the risk of DHCP server spoofing attacks. * Configure limits on the amount of MAC addresses allowed to be connected to a switch port. This will lower the risk of port-stealing by overwhelming the switch CAM table. * Configure storm control to limit the risk of a DOS attack via non-unicast traffic. * Configure proper filtering between voice and data networks to ensure that even if unauthorized voice VLAN access is achieved the risk presented by this access is less than the risk posed by unauthorized data VLAN access. -------------------------------------------------------------------------- References: http://www.fishnetsecurity.com/csirt/disclosure/cisco/ <http://www.fishnetsecurity.com/csirt/disclosure/cisco/> <http://www.fishnetsecurity.com/advisory_link> http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b 7a50.shtml <http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801 b7a50.shtml> The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050608/fdf71fde/attachment.html
Powered by blists - more mailing lists