On February 5, 2020 researchers at Armis Security disclosed five critical, zero-day vulnerabilities that were discovered in various implementations of the popular Cisco Discovery Protocol (CDP) that allow an attacker to take over devices without user interaction. The researchers named these vulnerabilities “CDPwn,'' after the name of the technology they affect.
CDP is a proprietary, widely used protocol across Cisco devices that allows switches, routers, IP Phones, and cameras the ability to communicate with one another while sharing data with one another directly. The type of data that is typically shared in the CDP protocol varies depending on the device and version of operating system the device is running, but typically contains items such as operating system, hostname, every IP address from all protocols configured to support CDP on any port, port identifiers, device type and model, and other device information that could be leveraged by attackers to secure a foothold in a customer’s environment.
At this time Armis and Cisco have not produced any Proof of Concept (PoC) exploits that could be utilized to exploit these devices.Potential Impact
The researchers described each of the five risks and their potential impact associated with CDPwn into two core scenarios that are possible with devices exposed to these vulnerabilities. Four of the five vulnerabilities disclosed are remote code execution (RCE) vulnerabilities and the other one allows for Denial of Service (DoS).
The first scenario with CDPwn allow attackers to break network segmentation by utilizing remote code execution vulnerabilities to gain a foothold on network equipment or devices and allow them to perform a man-in-the-middle attack on traffic of any device that traverses through the network device, while making it very difficult to detect.
The second CDPwn scenario allows the attacker to gain a foothold in the network and gain access to IP phones and cameras, which contain sensitive information, and can be done through a broadcast packet which allows the attacker to take over multiple devices simultaneously.
- ASR 9000 Series Aggregation Services Routers
- Carrier Routing System (CRS)
- Firepower 1000 Series
- Firepower 2100 Series
- Firepower 4100 Series
- Firepower 9300 Security Appliances
- IOS XRv 9000 Router
- White box routers running Cisco IOS XR
- Nexus 1000 Virtual Edge
- Nexus 1000V Switch
- Nexus 3000 Series Switches
- Nexus 5500 Series Switches
- Nexus 5600 Series Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Fabric Switches
- MDS 9000 Series Multilayer Switches
- Network Convergence System (NCS) 1000 Series
- Network Convergence System (NCS) 5000 Series
- Network Convergence System (NCS) 540 Routers
- Network Convergence System (NCS) 5500 Series
- Network Convergence System (NCS) 560 Routers
- Network Convergence System (NCS) 6000 Series
- UCS 6200 Series Fabric Interconnects
- UCS 6300 Series Fabric Interconnects
- UCS 6400 Series Fabric Interconnects
- IP Conference Phone 7832
- IP Conference Phone 8832
- IP Phone 6800 Series
- IP Phone 7800 Series
- IP Phone 8800 Series
- IP Phone 8851 Series
- Unified IP Conference Phone 8831
- Wireless IP Phone 8821
- Wireless IP Phone 8821-EX
Managing and Mitigation Risk
Each Common Vulnerability and Exposures (CVE) has been documented below with their exploit capability, impact, and advisory link which will direct organizations to a patch for the impacted devices.
Cisco's Video Surveillance 8000 Series IP cameras with CDP enabled are vulnerable to a heap overflow by parsing the DeviceID type-length-value (TLV). The CVSS score reflected below is in regards to this vulnerability.
- Cisco Advisory Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos
- CVE-2020-3110 vulnerability impacts Cisco Surveillance 8000 Series IP Camera through the CDP protocol utilizing a remote code execution attack as well as a denial of service vulnerability. The vulnerability is triggered by a large Port ID field that is applied to an incoming CDP packet causing a heap overflow that contains an attacker-controlled byte and can be triggered multiple times. By triggering the heap overflow exploit an attacker puts themselves in a position to reach a remote code execution.
Cisco Voice over Internet Protocol (VoIP) phones with CDP enabled are vulnerable to a stack overflow in the parsing of PortID type-length-value (TLV).
- Cisco Advisory Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos
- CVE-2020-3111 utilizes the CDP within Cisco IP phones to execute a stack overflow in the parsing function of for the Port ID. An attacker is able to sit anywhere in the local network in order to utilize unicast and broadcast CDP packets to trigger remote code execution, that could allow an attacker to record audio and export it out to their system, or create denial of service attack to all devices that can understand the CDP protocol on the same LAN.
Cisco's CDP subsystem of devices running, or based on, Cisco IOS XR Software are vulnerable to improper validation of string input from certain fields within a CDP message that could lead to a stack overflow.
- Cisco Advisory Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
- CVE-2020-3118 is a format string vulnerability in the parsing of specific string fields (Device ID, Port ID, etc…) in which an attacker submits set parameters to the IOS-XR device in the sprintf function. By setting these parameters an attacker is able to write controlled bytes to the out-of-bounds stack leading the stack overflow and granting them the ability of remote code execution which provides full control over the target device in order to by-pass network segmentation.
Cisco's CDP subsystem of devices running, or based on, Cisco NX-OS Software is vulnerable to a stack buffer overflow and arbitrary write in the parsing of Power over Ethernet (PoE) type-length-value (TLV).
- Cisco Advisory Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
- CVE-2020-3119 exploits NX-OS Software utilizing CDP for a remote code execution attack by allowing an attacker to implement a stack-overflow utilizing the Power over Ethernet (PoE) in the implementation of CDP on NX-OS devices. By distributing a packet with PoE request fields an attacker is able to trigger this vulnerability, allowing a stack overflow to happen on the device and giving full control over the switch and network infrastructure, which in turn would break any network segmentation that is in place and allow the attack to move between VLANs.
Cisco's CDP subsystem of devices running, or based on, Cisco NX-OS, IOS XR, and FXOS Software are vulnerable to a resource exhaustion denial-of-service condition.
- Cisco Advisory Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
- CVE-2020-3120 allows the use of CDP to create a Denial of Service (DOS) attack on FXOS, IOS XR, and NX-OS software that utilize the CDP protocol. An attacker can trigger this vulnerability by utilizing the CDP daemon of a router or switch to allocate large blocks of it’s memory until the device crashes and is forced to reboot.
At this time there are no known detections for CDPwn and the CVEs related to it, but Tenable is tracking their plugin identifications here:
- CVE-2020-3119 - QID 316559
- CVE-2020-3120 - QID 316558
deepwatch Identify customers reach out to your Vulnerability Management Subject Matter Expert in order to get a list of assets that have been discovered in your environment that could be impacted by CDPwn.
deepwatch Protect Firewall customers, at the time of this posting, there are no definitions available for Palo Alto or FortiNet devices to assist in protection of these devices. The deepwatch Protect Firewall team will continue to monitor for new rules and definitions that can be deployed to assist in protecting against CDPwn.
Samuel Harris, Principal Vulnerability Management
Drake Brignac, Threat Hunter