{"vuid":"VU#542108","idnumber":"542108","name":"Cisco IOS contains buffer overflow in VTP VLAN name handling","keywords":["Cisco","IOS","heap-based buffer overflow","overly long VLAN name","VTP summary advertisement messages","Type-Length-Value","TLV"],"overview":"Cisco IOS fails to properly handle a specially crafted VTP summary advertisement with an overly long VLAN name. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.","clean_desc":"Cisco's VLAN Trunking Protocol (VTP) provides the ability to manage the addition, deletion, and renaming of Virtual Local Area Networks (VLANs) across an entire network. VTP is supported on a number of different Cisco products in both the IOS and CatOS operating systems. Some versions of IOS and CatOS contain a buffer overflow vulnerability in their handling of certain VTP summary advertisements. According to Cisco Systems: If a VTP summary advertisement is received with a Type-Length-Value (TLV) containing a VLAN name greater than 100 characters, the receiving switch will reset with an Unassigned Exception error. The packets must be received on a trunk enabled port, with a matching domain name and a matching VTP domain password (if configured). This vulnerability may be triggered by sending a switch running certain versions of Cisco IOS software a VTP summary advertisement with a VLAN name greater than 100 bytes. VLAN names in VTP are limited to 255 bytes in length. Note that this vulnerability affects Switches and Ethernet Switch Modules for Cisco 1800/2600/2800/3600/3700/3800 Series Routers running Cisco IOS software that have VTP Operating Mode as either \"server\" or \"client\". See Cisco Security Response cisco-sr-20060913-vtp for more detailed version information. 
Switches running CatOS and those configured with VTP operating mode as \"transparent\" are not affected by this vulnerability.","impact":"This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition on an affected device.","resolution":"We are unaware of a complete solution to this problem. In the meantime, the following workarounds may help to mitigate this vulnerability.","workarounds":"Apply a VTP domain password. See the Cisco white paper SAFE Layer 2 Security In-Depth — Version 2 for information about setting a VTP domain password to prevent spoofed VTP summary advertisement messages from advertising an incorrect VLAN name.","sysaffected":"","thanks":"This issue was reported in Cisco Security Response cisco-sr-20060913-vtp. Cisco credits FX of Phenoelit for reporting this issue.","author":"This document was written by Chris Taschner.","public":["http://secunia.com/advisories/21896/","http://www.phenoelit.de/stuff/CiscoVTP.txt","http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml","http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp998892"],"cveids":["CVE-2006-4776"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-09-14T18:32:09Z","publicdate":"2006-09-13T00:00:00Z","datefirstpublished":"2006-09-27T20:39:00Z","dateupdated":"2006-09-27T20:39:10Z","revision":20,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"20","cam_population":"15","cam_impact":"11","cam_easeofexploitation":"14","cam_attackeraccessrequired":"15","cam_scorecurrent":"22.7390625","cam_scorecurrentwidelyknown":"25.9875","cam_scorecurrentwidelyknownexploited":"38.98125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact"
:"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":22.7390625,"vulnote":null}