CDPwn vulnerabilities impact tens of millions of enterprise devices

February 05, 2020

Security researchers have disclosed today details about five vulnerabilities in the widely-deployed Cisco Discovery Protocol (CDP).

The vulnerabilities, identified by IoT cybersecurity firm Armis, have been collectively codenamed CDPwn.

They impact CDP, a proprietary Cisco protocol that allows Cisco devices to share information between each other via multicast messages (sprayed inside a local network).

The CDP protocol is implemented in the vast majority of Cisco products, and has been in use since the mid-90s. It’s not a well-known protocol becuase it’s not exposed on the internet, and works only inside local networks.

CDPwn bugs can take over Cisco devices

In a report published today, Armis says the CDP protocol is impacted by five vulnerabilities, four of which are “remote code execution” (RCE) issues that can allow an attacker to take over Cisco equipment that run vulnerable implementations of the CDP protocol suite. The fifth is a denial of service (DoS) issue that can be used to crash devices.

The good thing is that attacks can’t be mounted over the internet. As explained above, the CDP protocol works only inside local networks, at the Data Link Layer, and is not exposed on a device’s WAN interface — via which most internet attacks come from.

To exploit it, attackers first need a foothold inside a local network, Ben Seri, VP of Research at Armis, told ZDNet yesterday in an email.

The entry point can be anything, such as an IoT device. Hackers can use this entry device to broadcast malformed CDP messages inside a local network and take over Cisco equipment.

The primary target here would be Cisco routers, switches, and firewalls, which hold the keys to a company’s entire network, and which ship with CDP enabled by default.

The CDPwn vulnerabilities — albeit not usable for remotely breaking into an organization’s secure network from the internet — can be used as a way to escalate initial access, take over key points such as routers and switches to remove network segmentation, and then move laterally inside a company’s network to attack other devices.

But CDP also ships and is enabled by default inside other Cisco products, such as VoIP phones and IP cameras. The CDPwn attack can also be used against these devices as well, Armis said.

Attackers can use CDPwn to take over the vulnerable equipment like phones and security cameras, install malware, exfiltrate data, or even eavesdrop on calls and video feeds.

According to Armis, CDPwn impacts all Cisco routers running the IOS XR operating system, all Nexus switches, Cisco Firepower firewalls, Cisco NCS systems, all Cisco 8000 IP cameras, and all Cisco 7800 and 8800 VOIP phones.

“Unfortunately, most of the [CDPwn] RCE vulnerabilities we discovered are simple heap or stack overflow vulnerabilities, so exploitation is completely possible, and we were able to reach RCE in demo exploits we’ve developed,” Seri told ZDNet.

“In some of the affected devices, certain mitigations exist to prevent these overflows from being exploitable, but unfortunately these mitigations are only partial and could be subverted,” he added.

Patches are available

Seri told ZDNet that Armis has contacted Cisco about their discoveries months before. Cisco, for its credit, has worked to patch all the CDPwn vulnerabilities.

The networking giant is expected to releasse patches later today on its security web portal. The exact list of CDPwn vulnerabilities is:

Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability, (CVE-2020-3120)
Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability, (CVE-2020-3119)
Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability, (CVE-2020-3118)
Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability, (CVE-2020-3111)
Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability, (CVE-2020-3110)

But there are also situations were system administrators cannot apply patches as soon as they become available. In these cases, some temporary mitigations also exist.

“If possible – disabling the Cisco Discovery Protocol (CDP) should prevent these vulnerabilities from being exploitable,” Seri told ZDNet.

“Disabling CDP may not be a possibility for some enterprise users, so the next best way to mitigate risk of an exploit is to get visibility into device behavior to monitor and identify anomalous activity,” Seri added.

“But the best solution is always to patch as quickly as possible.”