CDPwn: Five Cisco Vulnerabilities

Overview of CDPwn 

This report is about five major vulnerabilities affecting a multitude of Cisco products. The vulnerabilities have collectively been referred to as CDPwn. These flaws in the device architecture can affect large parts of the network infrastructure, but luckily, there are patches already available from the vendor. 

Tactics, Techniques, and Procedures 

CDPwn as the name may suggest affects CDP (Cisco Discovery Protocol) packets in Cisco network infrastructure. CDP is a protocol developed by Cisco to facilitate data-layer communications via announcement packets. The announcement packets utilize the MAC address through multicast frames sent to the switches and other devices. The protocol is turned on by default in every Cisco product out there. 

Vulnerability List: 

• CVE-2020-3110 – affects Cisco 8000 Series IP Cameras which allows a bad actor to send a packet that will induce a state of heap overflow exploiting a flaw in the DeviceID type-length-value (TLV). 
• CVE-2020-3111 – affects Cisco VOIP (Voice Over IP) phones allowing bad actors to send a specially crafted packet to induce a state of stack overflow exploiting a flaw in the PortID type-length-value (TLV). 
• CVE-2020-3118 – allows bad actors to target the CDP subsystem found in Cisco IOS XR software. The root cause is improper validation of string inputs within specific fields inside CDP messages which results in a potential stack overflow. 
• CVE-2020-3119 – a flaw in Cisco IOS XR software that could lead to a buffer overflow event with possible writing into the parsing segment of the Power over Ethernet (PoE) type-length-value (TLV). 
• CVE-2020-3120 – allows for attacks against the CDP subsystem targeting devices running the Cisco NX-OS, IOS XR, and FXOS software resulting in a denial of service conditions. 

These vulnerabilities do require remote attackers to be on the local area network, but if they’re successfully exploited there’s a strong chance that further lateral movement and general chaos could occur. Remote attackers would have to enter the network using some other vulnerability to exploit on targets like edge nodes or end-users. From there depending on the Cisco device and the type of environment using specially crafted broadcast or multicast packets is an option for the attacker. 

Impact of Cisco Vulnerabilities 

Could result in the loss of control over critical pieces of network infrastructure leading to endless possibilities including lateral movement, denial of service, unauthorized changes, data transfers, packet capturing, and more. In particular, the lateral movement can occur through the successful exploitation of multiple CDP-enabled devices by sending announcement packets between switches. Attackers having full control over IP phones and cameras could result in undesired intelligence collection. 

Recommendation for Protecting Against CDPwn 

It’s highly encouraged that you use the Cisco links below in the supporting documentation section to implement the patches available as soon as possible. Please review the general network architecture conduct below: 

• Utilize port security on switches to prevent someone from exploiting these vulnerabilities by plugging into an open network port onsite. 
• Turn off unused ports throughout your building until they need to be used. 
• Have strong Network Access Control (NAC) policies in place to prevent attackers from using vulnerable endpoints to penetrate your architecture. 
• Consider writing an ACL (Access Control List) to block any broadcast/multicast frames unless it’s from an approved MAC address. 
• See the Cisco links below for more information on this, but a simple ACL can be written for this. 
• Build a patching plan for core components of your IT infrastructure such as routers, switches, etc. 

Sources 

IBM X-Force Exchange: 

• https://exchange.xforce.ibmcloud.com/collection/Cisco-Security-Advisories-Feb-6-2020-2c8fabc552c7780a62b58c5a48e0ce52 

Supporting Documentation

Cisco Links: 

• Cisco Security Advisory Search: https://tools.cisco.com/security/center/Search.x?keyword=Cisco+Discovery+Protocol&criteria=exact&publicationTypeIDs=1&firstPublishedStartDate=2020%2F02%2F05&firstPublishedEndDate=2020%2F02%2F05 
• MAC ACL: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/sec-data-acl-xe-3s-asr903-book/mac-access-control-lists.html 

• CVE Tracking: https://www.kb.cert.org/vuls/id/261385/ 

• Vulnerability Report/White Paper: https://www.armis.com/research/cdpwn/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed detection and response service capabilities.