Cisco IOS VTP VLAN Buffer Overflow Vulnerability

ID CISCO-SA-20060913-CVE-2006-4776
Type cisco
Reporter Cisco
Modified 2015-01-31T08:15:00


Cisco IOS contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation by the VTP feature of Cisco IOS. An authenticated, remote attacker could exploit this vulnerability by submitting a malicious VTP summary advertisement to an affected system. This action could result in a buffer overflow, resetting the affected system or allowing the attacker to execute arbitrary code.

Cisco confirmed this vulnerability in a security response and released updated software.

To exploit this vulnerability, the attacker must be able to craft a VTP summary advertisement packet that specifies a domain matching the domain of the target system. The domain name may be difficult for an external attacker to determine. Additionally, the attacker must send the packet so that it arrives at the target system on a trunk-enabled port, which requires determining an appropriate destination address for a vulnerable target. Depending on local network configuration, the need to reach the target system on a trunk-enabled port may limit the systems from which the attacker can stage an attack.

Because setting a VTP domain password is standard suggested practice, the attacker must also know or guess this password to exploit this vulnerability.
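
The preconditions above (a trunk-enabled port, a matching domain, and the VTP password) can be checked per switch. The following Python audit is an added example, not part of Cisco's advisory; it runs over a constructed configuration excerpt and assumes the VTP settings appear in the text supplied (on some platforms and modes they are stored outside the running configuration). The function name and sample values are hypothetical.

```python
import re

# Constructed sample in IOS configuration syntax; not taken from a real device.
SAMPLE_CONFIG = """\
vtp domain EXAMPLE-LAB
vtp mode server
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 description no explicit mode
"""

NOT_TRUNK = {"switchport mode access", "no switchport", "shutdown"}

def audit_vtp_exposure(config):
    """Report the advisory's preconditions: trunk port, domain, password."""
    def setting(keyword):
        m = re.search(rf"^vtp {keyword} (\S+)", config, re.M)
        return m.group(1) if m else None
    # Assumption: with no "vtp mode" line the switch runs the default, server.
    mode = setting("mode") or "server"
    ports, name, body = [], None, []
    for line in config.splitlines() + ["!"]:
        if line.startswith(" ") and name:
            body.append(line.strip())
            continue
        # A non-indented line closes the interface block. Assumption: a port
        # with no explicit mode may default to a dynamic (DTP) mode, so it counts.
        if name and not NOT_TRUNK & set(body):
            ports.append(name)
        m = re.match(r"interface (\S+)", line)
        name, body = (m.group(1) if m else None), []
    return {
        "vtp_mode": mode,
        # Server and client modes act on advertisements for their domain.
        "accepts_advertisements": mode in ("server", "client"),
        "domain": setting("domain"),
        "password_set": setting("password") is not None,
        "trunk_capable_ports": ports,
    }

if __name__ == "__main__":
    print(audit_vtp_exposure(SAMPLE_CONFIG))
```

A switch that reports `accepts_advertisements` as true, `password_set` as false and a non-empty `trunk_capable_ports` list meets every precondition the advisory names and is the first candidate for the updated software.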