CDPwn vulnerabilities open millions of Cisco enterprise devices to attack
If you have Cisco equipment in your enterprise network – and chances are good that you have – you should check immediately which feature the newly revealed CDPwn vulnerabilities in Cisco’ proprietary device discovery protocol and implement patches as soon as possible.
The CDPwn vulnerabilities
Discovered by Armis researchers and responsibly disclosed to Cisco last year, the five “CDPwn” flaws – CVE-2020-3110, CVE-2020-3111, CVE-2020-3118, CVE-2020-3119 and CVE-2020-3120 – could be exploited to cause denial of service and/or remote code execution.
“Different models of devices that run Cisco FXOS Software, Cisco IP Camera Firmware, Cisco IP Phone Firmware, Cisco NX-OS Software, Cisco IOS-XR, and Cisco UCS Fabric Interconnects are affected by one or more of these vulnerabilities,” a Cisco spokesman told Help Net Security.
Not affected: routers and switches that run Cisco IOS and Cisco IOS-XE Software, and firewalls such as the Cisco ASA, Cisco Firepower 1000 Series, and Cisco Firepower 2100 Series. (Though CVE-2020-3120 affects the Firepower 4100 Series and Firepower 9300 Security Appliances).
All of the flaws affect the Cisco Discovery Protocol – a Layer 2 protocol that runs on Cisco devices and facilitates their management by discovering them, determining how they are configured, and allowing systems using different network-layer protocols to learn about each other.
“A well-known security best practice is to disable Cisco Discovery Protocol on all interfaces that are connected to untrusted networks. Each security advisory provides detailed information on how to determine if Cisco Discovery Protocol is enabled in your device and how to disable it, if applicable,” the Cisco spokesman pointed out.
“For those products that must run CDP for certain functionality, customers are encouraged to follow best practices on network segmentation to avoid untrusted devices from sending CDP packets or ultimately upgrade those devices with the available software fixes.”
Needless to say, fixes should be prioritized over CDP disablement.
Exploitation potential
First things first: Cisco PSIRT is not aware of any malicious use of any of the CDPwn vulnerabilities.
Also: These vulnerabilities cannot be exploited from the Internet or from a different broadcast domain/subnet – the attacker must be in the same broadcast domain or subnet as the affected device (“Layer-2” adjacent) to exploit the flaws. That means that the attacker has to first gain a foothold in the target network.
But, once that’s achieved, he or she can use the CDP vulnerabilities to:
- Break network segmentation
- Exfiltrate that from devices like IP phones and cameras and eavesdrop on voice and video data/calls and video feeds from them
- Steal sensitive corporate data flowing through the corporate network’s switches and routers
- Compromise device communications by leveraging MitM attacks to intercept and alter traffic on the corporate switch
“CDP is a protocol that is based on multicast ethernet packets that are sent throughout the network. An attacker that is connected to an affected switch, for example, can simply send a maliciously crafted CDP packet, which will trigger the vulnerability and can lead to remote code execution. Unfortunately, the discovered RCE vulnerabilities are all easily exploitable, being either stack or heap overflows, with minimal mitigations in place to prevent them turning into functional exploits,” Ben Seri, VP of Research at Armis, told Help Net Security.
As Armis pointed out, 95%+ Fortune 500 companies use Cisco Collaboration solutions, and large numbers of these devices end up in places that attackers find extremely valuable: trading floors, boardrooms, the CEO’s conference room, and so on.
“While enterprises will often use network segmentation as a means to isolate these devices from other parts of the network, CDPwn could be used to break through those boundaries to allow for unauthorized access and compromise,” they added.
More information about the flaws, fixes and mitigations can be found on Armis’s site, Cisco’s advisories and this blog post.