
List:       bugtraq
Subject:    Voice VLAN Access/Abuse Possible on Cisco voice-enabled,
From:       csirt () fishnetsecurity ! com
Date:       2005-06-10 14:05:20
Message-ID: 20050610140520.17041.qmail () securityfocus ! com

==========================================================================
Title: Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces
Vulnerability Discovery: FishNet Security - http://www.fishnetsecurity.com
Date: 06/08/2005
Severity: Medium - Voice VLAN locally accessible despite voice-enabled ports being 802.1x-secured
Vendor: http://www.cisco.com
==========================================================================

Summary:

Cisco switches that support both 802.1x security and Cisco IP Phones have the ability to differentiate between access of the voice VLAN by Cisco IP Phones and access of the data VLAN by devices connected to the auxiliary ports (daisy-chained) of IP Phones. Thus 802.1x port-level security can be achieved on switch ports connected to Cisco IP Phones which are, in turn, connected to end-user devices.

--------------------------------------------------------------------------

Description of Issue:

In this configuration, data VLAN access provided to devices connected to IP Phone auxiliary ports is authenticated via 802.1x. Unfortunately, access to the voice VLAN cannot be authenticated as securely because Cisco IP Phones lack 802.1x supplicant software. It has been found that a specific Cisco Discovery Protocol (CDP) message sent from the Cisco IP Phone to the switch opens access to the voice VLAN for frames originating from that phone's MAC address. Although 802.1x port security may be configured on the switch port, voice VLAN access is trivially gained by spoofing that CDP message, since the switch does not authenticate CDP.

--------------------------------------------------------------------------

Risk Mitigation:

There is no *fix* for this issue as of yet. The true resolution would be to provide 802.1x supplicant software on IP phones such that voice VLAN and data VLAN access are both 802.1x authenticated. Traditionally, access to the voice VLAN of a voice-enabled system such as the one described above was provided by a switch to any device without authentication. Cisco has provided the ability to differentiate between phones and other devices, albeit in such a way that voice VLAN access is still trivially gained. It should be noted that this configuration is still preferred over the old method, which uses no authentication for either VLAN. However, it is still important to note that true port-level authentication is still not being provided. Currently the best way to mitigate the risk introduced by unauthorized voice VLAN access is to implement traditional security measures as well as some of the advanced security features available in Cisco networking equipment. Cisco CallManager 4.x and certain Cisco IP Phones now support the authentication of phone registration through the use of certificates. Features like this reduce the risk of unauthorized voice VLAN access if other necessary controls are also put into place, such as the following:

* Disable telnet on phones.

* Always use cryptographically secure management protocols such as SSH, HTTPS, and SNMPv3 when possible to lower the risk of eavesdropping that ARP poisoning and DNS manipulation attacks present.

* Disable all administrative access to network infrastructure from voice VLAN addresses.

* Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks.

* Configure DHCP snooping to lower the risk of DHCP server spoofing attacks.

* Configure limits on the number of MAC addresses allowed to be connected to a switch port. This will lower the risk of port-stealing by overwhelming the switch CAM table.

* Configure storm control to limit the risk of a DoS attack via non-unicast traffic.

* Configure proper filtering between voice and data networks to ensure that even if unauthorized voice VLAN access is achieved, the risk presented by this access is less than the risk posed by unauthorized data VLAN access.
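A Cisco IOS access-switch configuration that applies the controls listed above, as an added example that is not part of the original advisory. The VLAN numbers (10 data, 100 voice), subnets, interface names, the CallManager address and the ACL names are all assumed.

```cisco
! Constructed example for an access switch; VLAN 10 = data, VLAN 100 = voice,
! subnets 10.10.0.0/16 (data) and 10.100.0.0/16 (voice) are all assumed.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! DHCP snooping and dynamic ARP inspection on both VLANs
ip dhcp snooping
ip dhcp snooping vlan 10,100
ip arp inspection vlan 10,100
!
! Management access: deny the voice subnet, allow only the data-side admin subnet
ip access-list standard MGMT-HOSTS
 deny   10.100.0.0 0.0.255.255
 permit 10.10.0.0 0.0.255.255
!
! Voice-to-data filtering: phones may reach CallManager (assumed 10.10.0.5) only
ip access-list extended VOICE-TO-DATA
 permit ip 10.100.0.0 0.0.255.255 host 10.10.0.5
 deny   ip 10.100.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet1/0/1
 description IP Phone with daisy-chained PC (assumed port)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x port-control auto
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 storm-control action trap
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description Uplink toward DHCP server and distribution (assumed port)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface Vlan100
 description Voice VLAN SVI (assumed; applies only if this switch routes)
 ip access-group VOICE-TO-DATA in
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

If the switch is a pure Layer 2 access switch, the VOICE-TO-DATA filter belongs on whichever Layer 3 device routes between the voice and data VLANs; the port-security maximum of 2 leaves room for exactly one phone and one daisy-chained device.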

--------------------------------------------------------------------------

References:
http://www.fishnetsecurity.com/csirt/disclosure/cisco/
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml