Cisco 802.1x Voice VLAN Authentication Bypass Vulnerability

Ok, last night i blogged about VoIP enumeration techniques and well it made me want to find exploits for Cisco products. I was reading at jake report and i must admit the guys at fishnet security do write excellent report. In the report, he mentioned that it is possible to bypass 802.1x port based secuirty by spoofing CDP packets and allow an attacker to gain access to the voice VLAN. Below depicts a short summary:

"Cisco switches are susceptible to an authentication bypass vulnerability, allowing attackers to gain anonymous access to the voice VLAN.

Attackers may spoof CDP packets, and impersonate a Cisco IP phone, in order to anonymously join the voice VLAN. This allows attackers to gain access to network resources without the expected 802.1x authentication sequence. As network administrators expect that switch port access is restricted to only authenticated users, a false sense of security may pervade.

Once attackers gain access to the voice VLAN, they may be able to launch further attacks against servers and other hosts, or eavesdrop on VOIP conversations. Further network attacks are also possible at this point."

I guess the authentication mechanism behind is the Extensible Authentication Protocol. Please go through the whole report because it is so good that it made me read twice. The report talks about the spoofing techniques, attack scenario and mitigation steps. The full report can be found here

As for spoofing CDP packets, you can use a tool call yersinia. This tool has multiple uses and one of those also includes being STP root. The installation for this tool is a pain for me, with the usual ./configure, make, make install. Howver i found a good site which allows you to download the package and install it off using dpkg -i yersinia_0.7.1-0.2_i386.deb. The link to the site is: http://www.enrici.com/debian/yersinia/0.7.1/. Below are pictures of the yersinia tool. You can use it off the GTK mode or Ncurses GUI.