===========================================================================
Title: Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces
Vulnerability Discovery: FishNet Security - http://www.fishnetsecurity.com
Date: 06/08/2005
Severity: Medium - Voice VLAN locally accessible despite voice-enabled ports being 802.1x-secured
Vendor: http://www.cisco.com
===========================================================================
Summary:
Cisco switches that support both 802.1x security and Cisco IP Phones have the ability to differentiate between access of the voice VLAN by Cisco IP Phones and access of the data VLAN by devices connected to the auxiliary ports (daisy-chained) of IP Phones. Thus 802.1x port-level security can be achieved on switch ports connected to Cisco IP Phones which are, in turn, connected to end-user devices.
--------------------------------------------------------------------------
Description of Issue:
In this configuration, data VLAN access provided to devices connected to IP Phone auxiliary ports is authenticated via 802.1x. Unfortunately, access to the voice VLAN cannot be so securely authenticated due to the lack of 802.1x supplicant software in Cisco IP Phones. It has been found that a specifically crafted Cisco Discovery Protocol (CDP) message, sent from the Cisco IP Phone to the switch, opens access to the voice VLAN for frames originating from that Cisco IP Phone's MAC address. Although 802.1x port security may be configured on the switch port, voice VLAN access is trivially gained by spoofing such a CDP message.
--------------------------------------------------------------------------
Risk Mitigation:
There is no *fix* to this issue as yet. The true resolution would be to provide 802.1x supplicant software on IP phones such that voice VLAN and data VLAN access are both 802.1x authenticated. Traditionally, access to the voice VLAN of a voice-enabled system such as is described above was provided by a switch to any device without authentication. Cisco has provided the ability to differentiate between phones and other devices, albeit in such a way that voice VLAN access is still trivially gained. It should be noted that this configuration is still preferred over the old method, which uses no authentication for either VLAN. However, it is still important to note that true port-level authentication is still not being provided. Currently the best way to mitigate the risk introduced by unauthorized voice VLAN access is to implement traditional security measures as well as some of the advanced security features available in Cisco networking equipment. Cisco CallManager 4.x and certain Cisco IP Phones now support the authentication of phone registration through the use of certificates. Features like this reduce the risk of unauthorized voice VLAN access if other necessary controls are also put into place, such as the following:
* Disable telnet on phones.
* Always use cryptographically secure management protocols such as SSH, HTTPS, and SNMPv3 when possible to lower the risk of eavesdropping that ARP poisoning and DNS manipulation attacks present.
* Disable all administrative access to network infrastructure from voice VLAN addresses.
* Configure dynamic ARP inspection to lower the risk of ARP poisoning attacks.
* Configure DHCP snooping to lower the risk of DHCP server spoofing attacks.
* Configure limits on the number of MAC addresses allowed to be connected to a switch port. This will lower the risk of port-stealing by overwhelming the switch CAM table.
* Configure storm control to limit the risk of a DoS attack via non-unicast traffic.
* Configure proper filtering between voice and data networks to ensure that even if unauthorized voice VLAN access is achieved, the risk presented by this access is less than the risk posed by unauthorized data VLAN access.
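The controls above are switch-side configuration, so the practical question for a defender is whether every voice-enabled, 802.1x-secured port actually carries them. The following audit script is an added example, not FishNet Security's or Cisco's code: it parses a Cisco IOS running-config and reports, per port with a voice VLAN, which of the listed controls are missing (802.1x enforcement, port-security with a MAC limit, storm control, dynamic ARP inspection and DHCP snooping covering both the data and voice VLANs, plus SSH-only vty lines restricted by an access-class, which covers the "secure management protocols" and "no administrative access from voice VLAN addresses" items). The embedded config is constructed for illustration; interface names, VLAN ids, subnets and the ACL name MGMT-IN are assumptions.

```python
"""Audit a Cisco IOS running-config for the voice-VLAN hardening controls
listed in the advisory. Added example, not FishNet Security's or Cisco's
code. The config text below is constructed; interface names, VLAN ids,
subnets and the ACL name MGMT-IN are assumptions."""
import re

# Constructed sample config: Gi0/1 carries every control, Gi0/2 lacks several.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,100
ip arp inspection vlan 10,100
ip access-list standard MGMT-IN
 deny 10.100.0.0 0.0.255.255
 permit 10.250.0.0 0.0.0.255
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x port-control auto
 switchport port-security
 switchport port-security maximum 3
 storm-control broadcast level 20.00
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x port-control auto
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""


def parse_config(text):
    """Return (top-level commands, {section header: [indented sub-commands]})."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def vlan_set(spec):
    """Expand an IOS VLAN list such as '10,100,200-202' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def audit_config(text):
    """Map each voice-enabled interface (and 'global') to its missing controls."""
    top, sections = parse_config(text)
    dai, snoop = set(), set()
    for cmd in top:
        if m := re.match(r"ip arp inspection vlan (\S+)$", cmd):
            dai |= vlan_set(m.group(1))
        if m := re.match(r"ip dhcp snooping vlan (\S+)$", cmd):
            snoop |= vlan_set(m.group(1))
    if "ip dhcp snooping" not in top:
        snoop = set()  # per-VLAN snooping is inert until enabled globally
    # Management plane: every vty block must be SSH-only and carry an access-class
    vty_ok = any(
        hdr.startswith("line vty")
        and "transport input ssh" in subs
        and any(s.startswith("access-class ") for s in subs)
        for hdr, subs in sections.items()
    )
    findings = {"global": [] if vty_ok else ["vty-not-ssh-with-access-class"]}
    for hdr, subs in sections.items():
        if not hdr.startswith("interface "):
            continue
        voice = next((s.split()[-1] for s in subs if s.startswith("switchport voice vlan ")), None)
        if voice is None:
            continue  # only ports with a voice VLAN are in scope
        data = next((s.split()[-1] for s in subs if s.startswith("switchport access vlan ")), "1")
        vlans = {int(v) for v in (data, voice) if v.isdigit()}  # skips 'dot1p'/'none'
        missing = []
        if not any(s in ("dot1x port-control auto", "authentication port-control auto") for s in subs):
            missing.append("dot1x")
        if "switchport port-security" not in subs:
            missing.append("port-security")
        if not any(s.startswith("switchport port-security maximum ") for s in subs):
            missing.append("port-security-maximum")
        if not any(s.startswith("storm-control ") for s in subs):
            missing.append("storm-control")
        if not vlans <= dai:
            missing.append("dai")
        if not vlans <= snoop:
            missing.append("dhcp-snooping")
        findings[hdr.split(None, 1)[1]] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not missing else ', '.join(missing)}")
```

Run it against the output of `show running-config` saved to a file instead of SAMPLE_CONFIG; a port with an empty list carries every switch-side control from the list above, while the CDP-based voice VLAN admission itself remains unauthenticated regardless, as the advisory states.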
--------------------------------------------------------------------------
References:
http://www.fishnetsecurity.com/csirt/disclosure/cisco/
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801b7a50.shtml