Cisco CDPwn vulnerabilities threaten tens of millions of enterprise devices

Security researchers recently disclosed details of five vulnerabilities in Cisco's implementations of the widely adopted Cisco Discovery Protocol (CDP). The vulnerabilities, discovered by IoT security company Armis, are collectively referred to as CDPwn.

CDP is a proprietary Cisco protocol that lets directly connected Cisco devices exchange information about themselves through link-layer multicast frames. It is built into most Cisco products and has been in use since the mid-1990s.

In its report, Armis said that the CDP implementations are affected by five vulnerabilities: four remote code execution (RCE) flaws that an attacker can use to take over a Cisco device with CDP enabled, and one denial of service (DoS) flaw that crashes the device.


The good news is that the attack cannot be carried out over the Internet. CDP works only inside the local network: it runs at the data link layer, its frames are not routed, and it is not exposed on the device's WAN interface.

To exploit these vulnerabilities, an attacker first needs a foothold in the LAN. The entry point can be anything, such as a compromised IoT device. From that foothold the attacker can broadcast malformed CDP frames on the local network segment and take over the Cisco devices that receive them.
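The malformed frames described above are something a defender can look for on a mirrored switch port. The following is an added example in Python, not code from the Armis report or from Cisco: it parses a CDP frame out of its Ethernet/LLC-SNAP encapsulation, verifies the checksum and walks the TLVs with explicit bounds checks, flagging any TLV whose declared length overruns the frame, is smaller than its own header, or is implausibly large. The sample frames are constructed inline; the TLV name table is a subset of the public CDP types, and the 256-byte alert threshold and the source MAC address are assumptions made for the example.

```python
"""Parse Cisco Discovery Protocol (CDP) frames and flag structurally malformed ones."""
import struct

# CDP rides in 802.3/LLC-SNAP frames sent to this link-local multicast MAC.
# A neighbouring device consumes the frame; it is never routed, which is why
# an attacker needs a foothold on the LAN segment to reach a target.
CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
# LLC DSAP/SSAP/control (AA AA 03) + Cisco OUI (00 00 0C) + CDP protocol id (20 00)
CDP_SNAP_HEADER = bytes.fromhex("aaaa0300000c2000")
# Subset of the public CDP TLV types, enough for the sample frames below.
TLV_NAMES = {0x0001: "Device-ID", 0x0002: "Addresses", 0x0003: "Port-ID",
             0x0004: "Capabilities", 0x0005: "Software Version",
             0x0006: "Platform", 0x000A: "Native VLAN", 0x000B: "Duplex"}
# Assumed alerting threshold for this example, not a protocol limit.
MAX_TLV_LEN = 256
# Assumed (locally administered) source MAC for the constructed frames.
SAMPLE_SRC_MAC = bytes.fromhex("0200deadbeef")


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 style 16-bit ones' complement checksum. Only even-length
    payloads are handled; Cisco's treatment of a trailing odd byte is not modelled."""
    if len(data) % 2:
        raise ValueError("odd-length payload not supported by this example")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def wrap_cdp_body(body: bytes, version=2, ttl=180, src_mac=SAMPLE_SRC_MAC) -> bytes:
    """Wrap raw TLV bytes in a CDP header (version, TTL, checksum) and an 802.3/SNAP frame."""
    payload = struct.pack("!BBH", version, ttl, 0) + body
    payload = payload[:2] + struct.pack("!H", ones_complement_checksum(payload)) + payload[4:]
    llc = CDP_SNAP_HEADER + payload
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", len(llc)) + llc


def build_cdp_frame(tlvs, **kw) -> bytes:
    """Build a well-formed frame from (type, value) pairs."""
    return wrap_cdp_body(b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs), **kw)


def parse_cdp_frame(frame: bytes) -> dict:
    """Return {'ok', 'errors', 'version', 'ttl', 'tlvs'}; never raises on hostile input."""
    result = {"ok": False, "errors": [], "version": None, "ttl": None, "tlvs": []}
    err = result["errors"].append
    if len(frame) < 14 + 8 + 4:
        err("frame too short for an Ethernet/SNAP/CDP header")
        return result
    if frame[:6] != CDP_MULTICAST_MAC or frame[14:22] != CDP_SNAP_HEADER:
        err("not a CDP frame (destination MAC or SNAP header mismatch)")
        return result
    declared = struct.unpack("!H", frame[12:14])[0]
    if declared != len(frame) - 14:
        err(f"802.3 length field {declared} != actual {len(frame) - 14}")
    payload = frame[22:]
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    result["version"], result["ttl"] = version, ttl
    if version not in (1, 2):
        err(f"unknown CDP version {version}")
    if len(payload) % 2 == 0:  # odd-length frames skip the checksum check in this example
        expected = ones_complement_checksum(payload[:2] + b"\x00\x00" + payload[4:])
        if checksum != expected:
            err(f"checksum 0x{checksum:04x} != expected 0x{expected:04x}")
    # Walk the TLVs; every length is validated before it is used as an offset.
    off, end = 4, len(payload)
    while off < end:
        if end - off < 4:
            err(f"trailing {end - off} byte(s) at offset {off} too short for a TLV header")
            break
        t, length = struct.unpack("!HH", payload[off:off + 4])
        name = TLV_NAMES.get(t, f"unknown-0x{t:04x}")
        if length < 4:
            err(f"{name} TLV at offset {off} declares length {length} < 4")
            break
        if off + length > end:
            err(f"{name} TLV at offset {off} claims {length} bytes but only {end - off} remain")
            break
        if length > MAX_TLV_LEN:
            err(f"{name} TLV at offset {off} is oversized ({length} bytes)")
        result["tlvs"].append((t, name, payload[off + 4:off + length]))
        off += length
    result["ok"] = not result["errors"]
    return result


# Constructed sample frames (not captures from real devices).
GOOD_FRAME = build_cdp_frame([(0x0001, b"SW-CORE-01"), (0x0003, b"Gi1/0/24"),
                              (0x0006, b"cisco WS-C3850-48P"), (0x000A, b"\x00\x0a")])
# Device-ID TLV claiming 1024 bytes when only 14 bytes are actually present.
OVERRUN_FRAME = wrap_cdp_body(struct.pack("!HH", 0x0001, 1024) + b"SW-CORE-01")
# Port-ID TLV whose length field is smaller than its own 4-byte header.
UNDERRUN_FRAME = wrap_cdp_body(struct.pack("!HH", 0x0003, 2) + b"Gi1/0/24")
# Software Version TLV that is fully present but far larger than any real value.
OVERSIZED_FRAME = wrap_cdp_body(struct.pack("!HH", 0x0005, 4 + 300) + b"A" * 300)

if __name__ == "__main__":
    for label, frame in [("good", GOOD_FRAME), ("overrun", OVERRUN_FRAME),
                         ("underrun", UNDERRUN_FRAME), ("oversized", OVERSIZED_FRAME)]:
        r = parse_cdp_frame(frame)
        print(f"{label:10s} {'OK' if r['ok'] else 'MALFORMED'} {r['errors']}")
```

In practice the frames would come from a capture on a SPAN/mirror port of the segment being watched; any frame that the parser reports as malformed, or that arrives from a source MAC not belonging to a known Cisco neighbour, is worth an alert, since a legitimate CDP speaker has no reason to send TLVs with inconsistent lengths.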

The main targets are Cisco routers, switches, and firewalls. These devices sit at the core of the corporate network, and CDP is enabled on them by default.

In short, although CDPwn cannot be exploited directly from the Internet, it can be chained with other attack methods to escalate initial access: an attacker takes over key points such as routers and switches, breaks down network segmentation, and then moves laterally to other devices within the corporate network.

Since CDP is also built into and enabled by default in other Cisco products, such as VoIP phones and IP cameras, CDPwn attacks can target these devices as well.

Attackers can use CDPwn to take over vulnerable devices such as phones and security cameras, install malware, exfiltrate data, and even eavesdrop on phone calls and video feeds.

According to Armis, CDPwn affects all Cisco routers running the IOS XR operating system, all Nexus switches, Cisco Firepower firewalls, Cisco NCS systems, all Cisco Video Surveillance 8000 Series IP cameras, and all Cisco 7800 and 8800 series VoIP phones.

Armis reported its findings to Cisco several months before the public disclosure. Cisco responded quickly and has released patches for all of the CDPwn vulnerabilities. The exact list of CDPwn vulnerabilities is:

  • Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (CVE-2020-3120)
  • Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (CVE-2020-3119)
  • Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability (CVE-2020-3118)
  • Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3111)
  • Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3110)