Critical Cisco ‘CDPwn’ Flaws Break Network Segmentation

cisco critical patch

Cisco has released patches to address the five vulnerabilities, which could lead to remote code-execution and denial of service.

Cisco is issuing patches for five critical vulnerabilities that have been discovered in Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network.

Researchers at Armis say that the vulnerabilities, which they disclosed on Wednesday and collectively dubbed CDPwn, can allow attackers with an existing foothold in the network to break through network segmentation efforts and remotely take over millions of devices.

CDP is a Cisco proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment. CDP aids in mapping the presence of other Cisco products in the network and is implemented in virtually all Cisco products – including switches, routers, IP phones and IP cameras. Many of these devices cannot work properly without CDP, and do not offer the ability to turn it off, according to researchers.

The flaws specifically exist in the parsing of CDP packets, within the protocol’s implementation in various Cisco products, from its IOS XR software to IP cameras. Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.

“There are endless types of Layer 2 protocols, and CDP is one of them,” Ben Seri, vice president of research at Armis, told Threatpost. “But there is actually a very large attack surface there, which has been neglected. I think the research community needs to do more in looking at these protocols. And network segmentation, at the end of the day, is a strong solution for IoT [internet of things], and other security problems are solved by it, but we need to make sure that it really stands strong against all kinds of attacks.”

A Cisco spokesperson told Threatpost that Cisco is not aware of any “malicious uses” of the flaws in the wild.

“Transparency at Cisco is a matter of top priority,” the spokesperson told Threatpost. “When security issues arise, we handle them openly and swiftly, so our customers understand the issue and how to address it. On Feb. 5, we disclosed vulnerabilities in the Cisco Discovery Protocol implementation of several Cisco products along with software fix information and mitigations, where available.”

The attack comes with a caveat: It requires the attacker to already have some sort of foothold inside the network, via a previously compromised Cisco device, Seri told Threatpost.

“So it’s not an attack that necessarily is coming from the internet,” Seri told Threatpost. “The attacker needs to have some access, but if you have some very low-grade IoT device sitting inside the network, part of your threat model already is that these devices might be compromised.”

After compromising a vulnerable Cisco device, an attacker could then send a maliciously crafted CDP packet to another Cisco device located inside the network. There are five vulnerabilities in all — four of which are critical remote code-execution (RCE) vulnerabilities, and one is a denial-of Service (DoS) vulnerability.

The first RCE flaw (CVE-2020-3118) is a format string flaw in the parsing of certain fields (i.e. Device ID) for incoming CDP packets in the CDP implementation for Cisco’s Internetworking Operating System (IOS XR). IOS XR is used for its Network Converging System (NCS) carrier-grade routers.

An attacker could use certain format string characters to cause a stack overflow, ultimately leading to RCE. Researchers said an attacker could exploit this flaw to “gain full control over the target router to traverse between network segments and use the router for subsequent attacks.”

The second RCE flaw (CVE-2020-3119) is a stack-overflow vulnerability that stems from the parsing of CDP packets in Cisco NX-OS, a network operating system for Cisco’s Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. An attacker can exploit this flaw using a legitimate CDP packet with skewed power levels (i.e., above the power level that can be accepted) and cause a stack overflow on switches, thus gaining full control.

Another RCE flaw is a heap overflow (CVE-2020-3110) that exists in the parsing of CDP packets in the CDP implementation for Cisco Video Surveillance 8000 Series IP Cameras. It’s caused when an attacker sends a CDP packet with an “overly large Port ID field.”

The final RCE flaw exists in the CDP implementation on Cisco Voice Over IP Phones (CVE-2020-3111).  “In this vulnerability, a stack overflow in the parsing function for the Port ID, can be exploited to gain code execution on the phone,” researchers said.

The DoS flaw meanwhile stems from the CDP implementation in Cisco FXOS, IOS XR and NX-OS software (CVE-2020-3120), which can be exploited by making the CDP daemon of a router or switch allocate large blocks of memory, causing the process to crash.

“With this vulnerability, an attacker can cause the CDP process to crash repeatedly, which in turn causes the router to reboot,” said researchers. “This means that an attacker can use this vulnerability to create a complete DoS of the target router, and in turn, completely disrupt target networks.”

Once these flaws have been exploited, a bad actor could launch an array of attacks – including exfiltrating data of corporate network traffic traversing through an organization’s switches and routers; and viewing sensitive information such as phone calls from IP phones and video feeds from IP cameras.

Attackers could also gain access to additional devices by leveraging man-in-the-middle attacks, which would allow them to intercept and alter traffic on corporate switches.

Armis disclosed the vulnerabilities to Cisco on Aug. 29, and said that it has worked with the networking giant since then to develop and test mitigations and patches. The patches were released Wednesday.

“Vulnerabilities that allow an attacker to break through network segmentation and move freely across the network pose a tremendous threat to enterprises,” according to Armis researchers. “Targets have moved beyond traditional desktops, laptops and servers to devices like IP phones and cameras which contain valuable voice and video data. Current security measures, including endpoint protection, mobile device management, firewalls and network security solutions are not designed to identify these types of attacks.”

Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.

Suggested articles

Discussion

  • Mr Floyd on

    Cisco again. Is there anyone who takes their security seriously at this point? How many bad ideas can one company implement? It's like if MS made routers.
  • Enterprise Netgear lolz on

    You're free to use another vendor if you'd like.
  • Dnyaneshwar on

    cisco ...a networking giant facing the problem of bad management
  • NADEEM AKHTAR on

    I want to learn CCNA
  • Vignesh on

    strcpy instead of strncpy strikes again! I have seen such code lapses even in some of their competitors fibre channel os codes. Bad code is bad code.
  • Ade on

    Well they are still the best in what they do.
  • BP Miller on

    Yes, strncpy is a better choice, but not yet a good choice. strncpy is problematic because it is still easy to make a mistake. The burden is on the programmer to make sure that they calculate the length correctly, with no enforcement or help from the compiler. And if you string just fits in the destination buffer, the terminating null byte will be lost, possibly causing future uses of the string to overrun past the end of the buffer. If you absolutely must write in C and use C strings, a bit more cumbersome, but snprintf can give your better protection. Languages with real string types, where the length of the string is part of the object, are certainly better.
  • Priyaranjan paul on

    Right

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.