Cisco 802.1x Crafted CDP Message Anonymous Voice VLAN Access

2005-06-08T03:36:55
ID OSVDB:17291
Type osvdb
Reporter FishNet Security()
Modified 2005-06-08T03:36:55

Description

Vulnerability Description

Cisco VoIP phones with 802.1x authentication contain a flaw that may allow a malicious user to connect anonymously to the voice VLAN. The issue is triggered when a spoofed Cisco Discovery Protocol packet is sent through the Cisco IP phone to a switch which supports both 802.1x authentication and Cisco VoIP phones. It is possible that the flaw may allow 802.1x authentication to the voice VLAN rather than the data VLAN, resulting in a loss of confidentiality, and/or integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

For switches with newer versions of CatOS software, DHCP snooping, port security, Dynamic ARP Inspection (DAI) and IP Source Guard may help to limit the scope of data link layer attacks. Cisco recommends that the user read their "Cisco Catalyst Integrated Security-Enabling the Self-Defending Network" whitepaper. Certificate-based authentication and encryption of voice signaling and media are available on newer versions of Cisco CallManager. Cisco also recommends that the user read the product data sheet for Cisco CallManager Version 4.1 for further information.

Short Description

Cisco VoIP phones with 802.1x authentication contain a flaw that may allow a malicious user to connect anonymously to the voice VLAN. The issue is triggered when a spoofed Cisco Discovery Protocol packet is sent through the Cisco IP phone to a switch which supports both 802.1x authentication and Cisco VoIP phones. It is possible that the flaw may allow 802.1x authentication to the voice VLAN rather than the data VLAN, resulting in a loss of confidentiality, and/or integrity.

References:

Vendor Specific Advisory URL Security Tracker: 1014135 Other Advisory URL: http://www.fishnetsecurity.com/csirt/disclosure/cisco/Cisco+802.1x+Advisory.aspx Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0105.html ISS X-Force ID: 20939 CVE-2005-1942