- CDPwn can allow attackers to remotely take over millions of devices using CDP.
- The vulnerabilities were disclosed to Cisco on August 29, 2019.
Cisco has issued patches for five serious vulnerabilities in its implementation of the Cisco Discovery Protocol (CDP). The five vulnerabilities, collectively known as CDPwn, can allow an unauthenticated attacker to take over millions of devices that run CDP.
What is CDP?
CDP is a Cisco proprietary Layer 2 network protocol used to discover information about directly attached Cisco equipment (device name, platform, software version, connected port, IP address). It is implemented in virtually all Cisco products, including switches, routers, IP phones, and cameras, and is typically enabled by default. Because CDP frames are sent to a link-local multicast address and are not forwarded by routers, an attacker must be on the same Layer 2 segment as the target (or already control a device on it) to reach the vulnerable code; "remote" here means that no credentials or prior access to the device itself are required.
What is CDPwn?
Discovered by researchers from Armis, CDPwn can allow an attacker to fully take over targeted devices. The vulnerabilities were disclosed to Cisco on August 29, 2019.
Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities and the remaining one is a Denial of Service (DoS) vulnerability.
Exploiting the RCE vulnerabilities can lead to:
- Breaking of network segmentation, since a compromised switch or router can be used to move between VLANs;
- Exfiltration of corporate data traversing an organization's switches and routers;
- Gaining access to additional devices by leveraging man-in-the-middle (MiTM) attacks from the compromised network device;
- Harvesting of sensitive information, such as phone calls from IP phones and video feeds from IP cameras.
The five vulnerabilities are tracked as:
- Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (CVE-2020-3120);
- Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (CVE-2020-3119);
- Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability (CVE-2020-3118);
- Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3111); and
- Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3110).
Securing against CDPwn
Cisco has released patches for all five CDPwn vulnerabilities. Where administrators cannot apply the patches immediately, the main interim mitigation is to disable CDP on every interface and device where it is not actually needed, particularly on ports that connect to untrusted hosts, and to restrict Layer 2 access to the affected devices. A device that does not process CDP frames cannot be reached by these bugs.
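The following is an added illustration of that interim mitigation on a Cisco IOS/IOS-XE switch; it is not configuration from the original article or from Cisco's advisories. The interface names, the voice VLAN number and the port roles are assumptions for the example. NX-OS and IOS XR expose the same controls under somewhat different syntax.

```cisco
! Added example (not from the original article or Cisco's advisories).
! Assumes a Cisco IOS / IOS-XE access switch; interface names and the
! voice VLAN are hypothetical.

! 1. Find out where CDP is running. Every interface listed here will
!    parse CDP frames from whatever is plugged into it.
show cdp
show cdp interface
show cdp neighbors detail

! 2. Turn CDP off on ports facing untrusted hosts: user access ports,
!    guest VLAN ports, anything that is not a Cisco phone or switch.
configure terminal
interface range GigabitEthernet1/0/1 - 24
 no cdp enable
 exit

! 3. Keep CDP only where something depends on it. Cisco IP phones use
!    CDP to learn the voice VLAN and negotiate PoE, so leave it enabled
!    on phone ports until those phones are patched (or moved to LLDP-MED,
!    after which CDP can be disabled there as well).
interface GigabitEthernet1/0/25
 description IP phone (hypothetical)
 switchport voice vlan 100
 cdp enable
 exit

! 4. If nothing attached to this switch needs CDP at all, disable it
!    globally instead; this stops the device from both sending and
!    processing CDP frames regardless of per-interface settings.
! no cdp run
end

! 5. Verify: the untrusted ports should no longer appear in the list.
show cdp interface
```

Disabling CDP removes the attack surface but also removes the neighbor information some tools rely on, so check what consumes it (phone provisioning, network management, PoE negotiation) before turning it off on a port.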
“Enterprises should consider augmenting network segmentation with other security mechanisms. Since traditional agent-based security can’t be used with most EoT devices, other approaches such as network-based behavioral monitoring should be considered,” explained Armis researchers.