Critical Cisco ‘CDPwn’ Protocol Flaws Explained: Podcast

The researcher behind the five critical Cisco flaws, collectively called CDPwn, talks about why Layer 2 protocols are under-researched when it comes to security vulnerabilities.

Researchers on Wednesday disclosed five critical vulnerabilities in Cisco Discovery Protocol (CDP), the Cisco-proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment.

Researchers say that the vulnerabilities, which they collectively call CDPwn, can allow attackers to remotely take over millions of devices. The flaws specifically exist in the parsing of CDP packets, in the protocol implementation for various Cisco products, from its software to IP cameras. Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.

Threatpost talked to Ben Seri, VP of Research at Armis, who discovered the flaws, about the CDPwn flaws, their impact, and why Layer 2 protocols are an under-researched area.

Below is a lightly-edited transcript of the podcast.

Lindsey O’Donnell-Welch: Hi, everyone, welcome back to the Threatpost podcast. You’ve got Lindsey O’Donnell-Welch with Threatpost here. And I’m joined today by Ben Seri, the VP of research at Armis, to discuss some newly disclosed vulnerabilities that have been found in Cisco equipment. So Ben, thank you so much for joining.

Ben Seri: Thank you.

LO: So Armis discovered five vulnerabilities that were disclosed today. And those are stemming from the Cisco Discovery Protocol, aka CDP, which is the info-sharing layer that maps all Cisco equipment on a network. And you guys collectively called these flaws CDPwn. So just to start, tell us in more depth what the Cisco Discovery Protocol is, just for some context here.

BS: Sure. Yes, so Cisco makes network appliances. And so from time to time, they invent these protocols that are then used by every product that they produce. And CDP is one of these protocols. It’s a Discovery Protocol, as you mentioned; it’s simply a way for Cisco devices to find one another in a network. It’s a protocol that works simply with multicast [frames], or what is called broadcast, packets that are sent in the clear, inside the network. And every Cisco device sends packets from time to time saying, ‘Hi, my IP address is this, my name is this, my operating system is this’ and all kinds of information, and the Cisco devices collect information about one another, about their neighbors. And then when you have all kinds of Cisco management products, you’re able to view all the Cisco devices in your network. So it’s mainly about convenience. There are not many functional features other than convenience-related ones that use CDP. But it’s nevertheless enabled by default on all Cisco products; in some of their products you can’t actually turn it off. It’s something that just remains on all the time. And like any protocol it introduces an attack surface that might contain vulnerabilities, like the ones that we found on this occasion.

LO: Right. And that’s really interesting that this can’t be turned off as a function in certain devices. And I know that in your research, you mentioned this is something that’s implemented in virtually all Cisco products from switches to routers to IP phones and IP cameras. So can you speak a little bit about the threat attack surface here and the level of devices that could be impacted by this?

BS: Yeah, so CDP, one of its interesting aspects is that it’s a layer 2 protocol. It’s something that is just very low in the stack, very basic in how the network, the packets are built from this protocol, and it’s actually a layer where researchers don’t look too much. Most of the vulnerabilities are either in the application layer, in rare cases in the transportation layer, transport layer; and then, what is called the data link layer, or layer 2, is where you have dozens of protocols, used by network appliances, switches and routers. And these are kind of an attack surface that is not researched enough.

Cisco Discovery Protocol is one of these and the vulnerabilities themselves are critical. When we found them, they were not known to Cisco or any other individual as far as we know. And we’ve worked with Cisco on the patch mitigation process. And so when we are announcing this today, customers of Cisco are advised to go ahead and install the patches as quickly as possible.

And so you asked about the wide array of devices impacted by this and that’s true; you find this in the Cisco switches and routers; IP phones from Cisco; and these are devices that have a complete hold on the market in these fields. When you look at IP phones, for example, Cisco advertises that over 95 percent of Fortune 500 companies use Cisco communication solutions. So these are the Cisco IP phones, for example, and you would find them in government offices and you’d find them in the White House, and in the Situation Room, but also throughout corporate and trade floors and whatever. They’re really prevalent devices.

That’s the IP phone but Cisco network equipment, the switches and the routers, are very, very popular as well and the impact is severe in terms of what kind of attacks attackers can actually pull off using these vulnerabilities.

LO: And I want to talk about that in a second. But I just wanted to ask you real quick, you mentioned before that CDP, there hasn’t been a whole lot of research around it. I wanted to ask you how you first came across these vulnerabilities and what caused you to look further into CDP as a potential threat surface for vulnerabilities. Because as you said, it usually is kind of the application layers and some other areas that vulnerabilities are discovered in, so how did you first come across these flaws?

BS: Yeah, so actually, what piqued our interest for looking into this was a Cisco security advisory published around two years ago, that detailed some vulnerabilities that they found in LDP, which is another Discovery Protocol – not the CDP protocol – but another Discovery Protocol, pretty similar to CDP. And this advisory mentioned that Cisco found some bugs that could lead to denial of service in a wide array of devices. And although this wasn’t what is called an RCE vulnerability, or remote code execution, what they discovered was some sort of buffer overflow. And we felt that if they internally found something that actually parses these packets, the LDP packets, in a way that can lead to vulnerabilities, then we might find similar stuff that can lead to critical vulnerabilities.

And really the reason that we looked at it, other than this initial lead we had through Cisco’s advisory, was the understanding that an attacker that has a vulnerability in these types of protocols has the ability to break network segmentation. Part of what we do is to try to understand the havoc that IoT devices might have on networks. And network segmentation is actually a very basic design tool for networks to prevent certain devices, such as IoT devices, from crossing the bounds over from the IoT segment into corporate segments. And CDP and LDP, and these discovery protocols, layer 2 protocols, they’re actually parsed by the network appliances, regardless of the segment, regardless of whether the device connected to it is in an IoT segment, or in the corporate segment. So yeah, the understanding here was “okay, this is interesting,” Cisco found something in LDP; this would mean an IoT device could attack the switch even if it’s segmented, then having access to this switch, it can move over to other segments. So that was our motivation to try and understand if this attack surface might contain vulnerabilities, like the ones that we eventually found.

LO: Right. And for me a huge highlight from the research was that because the network infrastructure itself was at risk and exploitable, network segmentation, which is usually a big security strategy, is at risk now. So I thought that was a big implication here.

I wanted to focus in on the five vulnerabilities that are kind of at the heart of this, and there were four remote code execution flaws and then one denial of service flaw. So can you talk a little bit more about these vulnerabilities and what an attacker would need to exploit them, how difficult they are to exploit, and if there is one vulnerability that’s particularly severe or easier than the others to exploit?

BS: So unfortunately, the vulnerabilities themselves are not that complicated. They are standard buffer overflows that you would find, bugs you will find from time to time, and exploiting them takes some effort, but actually, it’s not that difficult. There are some mitigations in these devices to make it harder for attackers to actually exploit the vulnerabilities, but they are not that difficult to bypass. So there are the four RCEs; the denial of service one is also something where, with a few maliciously crafted CDP packets, an attacker can take down switches and routers, and completely stop their functionality. And the RCE ones are just a matter of sending a couple of packets to the affected devices in order to gain code execution on your devices.

I would say that the most severe of these four is the one that affects IP phones; they have an additional bug other than the memory corruption part. They parse broadcast CDP packets and unicast CDP packets as if they were regular standard CDP packets, which are normally very specific multicast packets. And that means for attackers that you don’t need to find the IP phone that you want to target inside the network; you can simply send a broadcast packet, which will go out to the entire network. And the IP phones that are affected by this will parse these packets that would otherwise be regarded as invalid packets. They would parse them nonetheless and the vulnerability will be triggered on them almost simultaneously throughout the networks. The attacker can send one broadcast packet; it will either cause denial of service or code execution, depending on the exploit. And then you will have an army of IP phones in the network from which you can either eavesdrop on the calls, carry out additional attacks, or steal sensitive data.

IP phones are really the most enterprise-grade type of IoT device that you would have in a network; Cisco is an enterprise-oriented company. But nevertheless, they might be vulnerable. And they do contain confidential data and they might also be used as a way to have a hold inside the network, to carry out further attacks from them. And the most interesting part is that they are really, really prevalent.

LO: And just to clarify for our listeners, that vulnerability is, I believe, tied to CVE-2020-3111. So that’s the one that specifically impacts the Cisco IP phones and is an RCE and denial of service flaw, and I could definitely see that one being severe. So can you walk us through the potential impact of these vulnerabilities if exploited? I know there’s kind of a lot to unwind there; you talked earlier about the issues that it could cause for network segmentation, but then also, there were issues around data exfiltration attacks and some other attacks. So can you walk us through that?

BS: Yeah, so the first point for an attacker to take advantage of the vulnerability is to have some foothold inside the network. So it’s not an attack that necessarily is coming from the internet. The attacker needs to have some access, but if you have some very low-grade IoT device sitting inside the network, part of your threat model already is that these devices might be compromised. But really what is used today to protect you from these devices wreaking havoc on your network is network segmentation. So the threat is that once the compromised IoT device tries to exploit CDPwn, it can target the switch that it is connected to, and then from the switch all kinds of attacks can be carried on. It’s a very good position for an attacker to be in. It allows him to capture traffic that traverses through the switch. If it’s plaintext traffic, that might include confidential data, anything that’s of value for the attacker. It’s also a point where an attacker can carry out man-in-the-middle attacks if the device inside the network is going out to the internet to a specific service, or internally to a service inside the network. The attacker can change the traffic that traverses through the switch in a way that the man-in-the-middle attack might be beneficial for him; it can be used to send malware inside specific JavaScript code that is rendered in the browser or anything of that sort. There are a multitude of attacks that are very efficient once you have a man-in-the-middle position inside the network.

But then, you can also move laterally; the segmentation that previously limited these attacks only to the IoT segment is now no longer in place. Inside the switch, you can go to any segments that you’d like. Or it can completely put all the devices in one segment and they can now also talk to one another, although originally they were on separate segments. Last, there is also the impact to IP phones and IP cameras. And like I mentioned, for example, the IP phones are vulnerable to the broadcast attack as well, so from the switch, you can also send the broadcast CDP packet that will trigger the vulnerabilities on the IP phones, and that would be the next step, getting access to these corporate assets that might contain confidential data. And all from a very strong position inside the network, the core space, or any other switch inside the network that is not regularly examined; you don’t expect these types of devices to be compromised. And for that reason, they’re not monitored and not tracked as much as your corporate assets.

LO: Right. And I mean, speaking of corporate assets, you know, like you mentioned before, many times, you know, a lot of these devices are used primarily by enterprises. And that kind of heightens these types of attacks and their severity, like man-in-the-middle, like data exfiltration, and kind of what that means for enterprise organizations that might be open to these types of threats. What can enterprise organizations do to secure against this type of attack?

BS: Monitoring these types of devices, treating them as endpoints that might be compromised as well, not only the Windows devices and the mobile devices. We are aware that consumer-grade IoT, whether it’s an Amazon Echo, or some tablet of sorts or anything of that nature, we see these devices as IoT, and we have learned that these might be compromised. And there is a growing consensus that securing these types of devices is needed. But when you try to define IoT, it really has no bounds; any device, any embedded device that does not have an end security agent on it, in some ways, is an IoT device. So for every organization, it looks like a benign device, the pipeline of the network, something of that sort, but it can also be vulnerable; attackers can attack it as well. And having attacked it, they can use it as a foothold inside the network to carry out additional attacks.

So, the VoIP phones and enterprise-grade IP cameras from Cisco, these are also at the end of the day computers that parse packets, might be vulnerable to attacks, and can be used for further attacks. I think the solution is always to find a product that monitors all types of these unmanaged devices in a way that can detect if something wrong has occurred, if something out of normal behavior has occurred. But also obviously, whenever a vulnerability is published, quickly patch; that’s the best way to stay secure.

LO: Right. And I know you spoke a little bit about IoT security. And it seems like that is also kind of a big part of this research, how IoT security issues and connected device issues, the impact that they can have on corporate networks. Because when you think about it, a lot of businesses have all kinds of devices that have popped up over the years that are connected, that they don’t even necessarily think of, like surveillance cameras, etc. So that’s a really good point as well. And finally I wanted to ask you about the process of disclosure with Cisco and the patches that have been deployed at this point; what was the process of disclosure in terms of the time frame and the patches that are available now?

BS: It was rather a long process. But part of that was how this disclosure went about. So at the end of August, we first disclosed the vulnerabilities; at the time we found them on the Nexus switches and IRS6R routers. And Cisco was very good to work with and they developed patches quickly. But then, during the disclosure, we actually found that similar vulnerabilities exist in IP phones and cameras. And for that reason the disclosure process went a bit longer, way over 100 days. And yes, patches have been deployed by Cisco; some of the upgrades to these devices have already been put out by Cisco. But today, they are also publishing their security advisories that mention what versions are patched and the different patches; the affected devices are being released today as well.

LO: Are there any other takeaways from your research into CDPwn, or the vulnerabilities or implications here, that you want to mention from your perspective, Ben?

BS: Um, yeah, I think that when we look at the network, when we look at all of the variety of devices that we have, any of the devices that are unmanaged, we need to look at them in the same way; they’re not different. All of them are computers that might be open to attack. That’s on one hand, and the other end of it is the attack surface. There are just endless types of layer 2 protocols and CDP is one of them. But there is actually a very large attack surface there that has been neglected. I think the research community needs to do more in looking at these protocols. And network segmentation, at the end of the day, is a strong solution for IoT, and other security problems are solved by it, but we need to make sure that it really stands strong against all kinds of attacks. CDPwn is just one of them. So looking at these protocols, understanding whether they present a risk to network appliances, is essential for that process to be as strong as it can be.

LO: Absolutely. Well, Ben, thank you so much for coming onto the Threatpost podcast today to talk about these newly disclosed vulnerabilities in Cisco equipment.

BS: Thank you for having me.

LO: And once again, this is Lindsey O’Donnell-Welch with Threatpost here, talking today with Ben Seri, VP of research at Armis. Catch us next week on the Threatpost podcast.
