Cisco Patches Critical CDP Flaws Affecting Millions of Devices

Five critical vulnerabilities in several implementations of the Cisco Discovery Protocol (CDP), discovered by IoT security company Armis, could allow an attacker who already has access to the local network to take over tens of millions of enterprise devices.

CDP is a proprietary Layer 2 (data link layer) protocol that Cisco devices use to advertise themselves and learn about directly connected Cisco equipment, so that Cisco products on a network can be mapped. Because it runs below IP and is never routed, an attacker only needs to be on the same network segment as a target to send it CDP frames.

The protocol is enabled by default in practically all Cisco products, including routers, switches, IP phones and cameras, and many of them depend on it for normal operation (Cisco IP phones, for example, learn their voice VLAN and negotiate power over CDP). Many of the vulnerable devices also give users no way to turn CDP off as a workaround. Where it can be disabled (on IOS-based switches, "no cdp run" globally or "no cdp enable" on an interface), doing so on ports that do not need neighbor discovery reduces the attack surface until the patches are applied.

To underline the seriousness of this discovery, more than 95% of all Fortune 500 companies and over 200,000 customers use Cisco Collaboration solutions according to Cisco’s stats.

Armis also provides a video explanation of how threat actors could use CDPwn vulnerabilities during their attacks.

Remote code execution and denial of service

The five vulnerabilities — four critical remote code execution (RCE) and a denial of service (DoS) — dubbed CDPwn reside in how CDP (Cisco Discovery Protocol) packets are processed.

Cisco firmware versions released over the past 10 years are affected. According to Armis' researchers, the flaws could let attackers who have already gained a foothold in an enterprise network carry out man-in-the-middle attacks, spy on voice or video calls, collect and exfiltrate data, and break network segmentation.

As Armis explains, after successfully exploiting one of the five RCE or DoS vulnerabilities, attackers will be able to:

• Eavesdrop on voice and video data/calls and video feeds from IP phones and cameras, capturing sensitive conversations or images.
• Steal sensitive corporate data flowing through the corporate network’s switches and routers.
• Break network segmentation, allowing attackers to move laterally across the corporate networks to other sensitive systems and data.
• Compromise device communications by leveraging man-in-the-middle attacks to intercept and alter traffic on the corporate switch.

Concretely, attackers could gain a foothold in a corporate network by first compromising unmanaged and IoT devices, such as security cameras and smart TVs, that are usually placed on a separate network segment.

Unpatched Cisco switches could then be taken over using one of the CDPwn vulnerabilities, allowing the attackers to compromise other parts of the network through man-in-the-middle attacks, or by sending malicious CDP packets to the protocol's well-known multicast MAC address so that every Cisco device listening on the segment is hit in one go.
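The flaws live in how receivers process CDP packets, so the check a practitioner most wants is a strict walk of the packet's type-length-value (TLV) list. The following is an added Python example, not code from Armis or Cisco and not a reproduction of the CDPwn bugs: the CDP payload layout (1-byte version, 1-byte TTL, 2-byte checksum, then TLVs whose 2-byte length includes their own 4-byte header) is the real one, while the sample frames and the 255-byte limit on text TLVs are constructed for the illustration. It can be run over CDP payloads captured from a SPAN port to flag frames a hardened receiver would drop.

```python
"""Defensive parser for Cisco Discovery Protocol (CDP) payloads.

Added illustration, not code from Armis or Cisco.  The sample frames at the
bottom are constructed for this example.  The parser walks the TLV list the
way a careful receiver should: every TLV length is checked against the 4-byte
TLV header and the bytes remaining in the buffer before the value is touched,
and text TLVs are capped at an assumed fixed buffer size and kept as opaque
bytes rather than passed to any printf-style formatting routine.
"""
import struct

CDP_MULTICAST_MAC = "01:00:0c:cc:cc:cc"  # link-local destination of every CDP frame
TLV_HEADER = 4                           # 2-byte type + 2-byte length; length includes the header
MAX_TEXT = 255                           # assumed fixed buffer size for text TLVs in this example

# Well-known TLV types (subset).
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0002, 0x0003, 0x0004
TLV_SOFTWARE_VERSION, TLV_PLATFORM, TLV_NATIVE_VLAN, TLV_DUPLEX = 0x0005, 0x0006, 0x000A, 0x000B
TLV_NAMES = {
    TLV_DEVICE_ID: "Device ID", TLV_ADDRESSES: "Addresses", TLV_PORT_ID: "Port ID",
    TLV_CAPABILITIES: "Capabilities", TLV_SOFTWARE_VERSION: "Software Version",
    TLV_PLATFORM: "Platform", TLV_NATIVE_VLAN: "Native VLAN", TLV_DUPLEX: "Duplex",
}
TEXT_TLVS = {TLV_DEVICE_ID, TLV_PORT_ID, TLV_SOFTWARE_VERSION, TLV_PLATFORM}


class CdpParseError(ValueError):
    """Raised for any frame a hardened receiver should drop."""


def build_tlv(tlv_type, value):
    """Encode one well-formed TLV (used to construct the samples below)."""
    return struct.pack("!HH", tlv_type, TLV_HEADER + len(value)) + value


def build_cdp(tlvs, version=2, ttl=180):
    """Prepend the CDP header (version, TTL, checksum) to a list of encoded TLVs.
    The 16-bit checksum is left at zero here; parse_cdp does not validate it."""
    return struct.pack("!BBH", version, ttl, 0) + b"".join(tlvs)


def parse_cdp(payload):
    """Return (version, ttl, [(type, name, value), ...]) or raise CdpParseError."""
    if len(payload) < 4:
        raise CdpParseError("payload shorter than the 4-byte CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise CdpParseError(f"unsupported CDP version {version}")
    offset, tlvs = 4, []
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < TLV_HEADER:
            raise CdpParseError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + TLV_HEADER])
        # The two checks below are exactly what a careless receiver omits: a length
        # below the header size yields a negative value size, and a length beyond
        # the buffer reads or copies past its end.
        if tlv_len < TLV_HEADER:
            raise CdpParseError(f"TLV 0x{tlv_type:04x}: length {tlv_len} smaller than header")
        if tlv_len > remaining:
            raise CdpParseError(f"TLV 0x{tlv_type:04x}: length {tlv_len} exceeds {remaining} remaining bytes")
        value = payload[offset + TLV_HEADER:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"unknown-0x{tlv_type:04x}")
        if tlv_type in TEXT_TLVS and len(value) > MAX_TEXT:
            raise CdpParseError(f"{name}: {len(value)} bytes exceeds the {MAX_TEXT}-byte buffer")
        tlvs.append((tlv_type, name, value))
        offset += tlv_len
    return version, ttl, tlvs


def check_frame(payload):
    """Monitoring helper: (True, summary) for a clean frame, (False, reason) otherwise."""
    try:
        version, ttl, tlvs = parse_cdp(payload)
    except CdpParseError as exc:
        return False, str(exc)
    return True, f"CDPv{version} ttl={ttl} tlvs={[name for _, name, _ in tlvs]}"


# Constructed samples: one benign advertisement and three malformed ones.
SAMPLES = {
    "benign": build_cdp([
        build_tlv(TLV_DEVICE_ID, b"switch01"),
        build_tlv(TLV_PORT_ID, b"GigabitEthernet1/0/1"),
        build_tlv(TLV_NATIVE_VLAN, struct.pack("!H", 10)),
    ]),
    "length_below_header": build_cdp([struct.pack("!HH", TLV_DEVICE_ID, 2) + b"xx"]),
    "length_past_end": build_cdp([struct.pack("!HH", TLV_PORT_ID, 500) + b"A" * 20]),
    "oversized_text": build_cdp([build_tlv(TLV_PORT_ID, b"A" * 300)]),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        ok, detail = check_frame(frame)
        print(f"{label:20s} {'OK  ' if ok else 'DROP'} {detail}")
```

The three malformed samples cover the length conditions a receiver must reject before touching a TLV's value; the parser deliberately stops at the first bad TLV rather than trying to resynchronise, since a frame that fails these checks is not a valid CDP advertisement from a neighbor.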

The CDPwn vulnerabilities affect a wide range of Cisco devices, including Cisco IOS XR routers, Cisco NX-OS switches, Cisco NCS systems, Cisco Firepower firewalls, Cisco Video Surveillance 8000 Series IP cameras, and Cisco IP Phone 7800 and 8800 series, among many others.

A full list of all Cisco devices affected by the CDPwn vulnerabilities can be found on this dedicated page.

Below you can find a video demo of how the CDPwn flaws can be used to take over Cisco IP Phone 7841 and 8851 models to record phone calls, download recorded calls from the phones, and even play games on the phones' screens.

Armis also demoed a Cisco Nexus Switch 3048 takeover attack here.

Security fixes available

Cisco published updates, additional information, and mitigation details for the CDPwn vulnerabilities on its Security Advisory page on February 5, after working closely with Armis' researchers through the responsible disclosure process since Armis first reported the flaws on August 29, 2019.

Cisco has published a separate security advisory for each of the flaws:

• Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability
• Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability
• Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability
• Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability
• Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability
“The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation,” VP of Research at Armis Ben Seri said.

“Network segmentation is often utilized as a means to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by an attacker, so network segmentation is no longer a guaranteed security strategy.”


via BleepingComputer

February 5, 2020 at 07:37PM
Sergiu Gatlan