[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Voice VLAN Access/Abuse

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Voice VLAN Access/Abuse
From: "Welsh, Ed" <Ed.Welsh@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 8 Jun 2005 13:31:22 -0500

==========================================================================

Title: Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured 
Interfaces 

Vulnerability Discovery: FishNet Security - http://www.fishnetsecurity.com
<http://www.fishnetsecurity.com/> 

Date: 06/08/2005

Severity: Medium - Voice VLAN locally accessible despite voice-enabled ports 
being 802.1x-secured

Vendor: http://www.cisco.com <http://www.cisco.com/> 

==========================================================================

==========================================================================

Summary:

Cisco switches that support both 802.1x security and Cisco IP Phones have the 
ability to differentiate
between access of the voice VLAN by Cisco IP Phones and access of the data VLAN 
by devices connected
to the auxiliary ports (daisy-chained) of IP Phones. Thus 802.1x port-level 
security can be achieved
on switch ports connected to Cisco IP Phones which are, in turn, connected to 
end-user devices.

--------------------------------------------------------------------------

Description of Issue:

In this configuration data VLAN access provided to devices connected to IP 
Phone auxiliary ports is
authenticated via 802.1x. Unfortunately access to the voice VLAN cannot be so 
securely authenticated
due to the lack of 802.1x supplicant software in Cisco IP Phones. It has been 
found that a
specifically crafted Cisco Discovery Protocol (CDP) message is sent from the 
Cisco IP Phone to the
switch which opens access to the voice VLAN for frames originating from that 
Cisco IP Phone's MAC
address. Although 802.1x port-security may be configured on the switch port 
voice VLAN access is
trivially gained by spoofing a CDP message.

--------------------------------------------------------------------------

Risk Mitigation:

There is no *fix* to this issue as of yet. The true resolution would be to 
provide 802.1x supplicant
software on IP phones such that voice VLAN and data VLAN access are both 802.1x 
authenticated.
Traditionally, access to the voice VLAN of a voice-enabled system such as is 
described above was
provided by a switch to any device without authentication. Cisco has provided 
the ability to
differentiate between phones and other devices albeit in a such away that voice 
VLAN access is still
trivially gained. It should be noted that this configuration is still preferred 
over the old method
which uses no authentication for either VLAN. However, it is still important to 
note that true
port-level authentication is still not being provided. Currently the best way 
to mitigate the risk
introduced by unauthorized voice VLAN access is to implement traditional 
security measures as well as
some of the advanced security features available in Cisco networking equipment. 
Cisco CallManager 4.x
and certain Cisco IP Phones now support the authentication of phone 
registration through the use of
certificates. Features like this reduce the risk of unauthorized voice VLAN 
access if other necessary
controls are also put into place such as the following: 

* Disable telnet on phones.

* Always use cryptographically secure management protocols such as SSH, HTTPS, 
and SNMPv3 when
possible to lower the risk of eavesdropping that ARP poisoning and DNS 
manipulation attacks present.

* Disable all administrative access to network infrastructure from voice VLAN 
addresses.

* Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks.

* Configure DHCP snooping to lower the risk of DHCP server spoofing attacks.

* Configure limits on the amount of MAC addresses allowed to be connected to a 
switch port. This will
lower the risk of port-stealing by overwhelming the switch CAM table.

* Configure storm control to limit the risk of a DOS attack via non-unicast 
traffic.

* Configure proper filtering between voice and data networks to ensure that 
even if unauthorized voice
VLAN access is achieved the risk presented by this access is less than the risk 
posed by unauthorized
data VLAN access.

--------------------------------------------------------------------------

References:

http://www.fishnetsecurity.com/csirt/disclosure/cisco/
<http://www.fishnetsecurity.com/csirt/disclosure/cisco/> 

<http://www.fishnetsecurity.com/advisory_link> 

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b
7a50.shtml
<http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801
b7a50.shtml> 



The information transmitted in this e-mail is intended only for the addressee 
and may contain confidential and/or privileged material. 
Any interception, review, retransmission, dissemination, or other use of, or 
taking of any action upon this information by persons or entities
other than the intended recipient is prohibited by law and may subject them to 
criminal or civil liability. If you received this communication 
in error, please contact us immediately at 816.421.6611, and delete the 
communication from any computer or network system.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: RE: [Full-disclosure] Microsoft Windows and *nix Telnet Port NumberArgument Obfuscation
Next by Date: Re: Re: [Full-disclosure] IpSwitch IMAP Server LOGON stack overflow
Previous by thread: Re: [Full-disclosure] Microsoft Windows and *nix Telnet Port Number Argument Obfuscation
Next by thread: [Full-disclosure] [ Suresec Advisories ] - Mac OS X 10.4 - launchd local root vulnerability
Index(es):
- Date
- Thread