Cisco CDPwn vulnerabilities threaten tens of millions of business devices

Security researchers have recently disclosed details of five vulnerabilities found in the widely used Cisco Discovery Protocol (CDP). The vulnerabilities were found by the Internet security firm Armis and are collectively referred to as CDPwn.

CDP is a Cisco proprietary protocol that allows Cisco devices to share information with one another via multicast messages. It has been deployed in the majority of Cisco products and has been in use since the mid-1990s.

Armis released a report stating that the CDP protocol is affected by five vulnerabilities. Four of them are remote code execution issues that an attacker could use to take over Cisco equipment running CDP. The fifth is a denial of service (DoS) issue, which may cause the device to crash.

The good news is that the attack cannot be carried out over the Internet. CDP operates only at the data link layer inside the local network and is not exposed on a device's WAN interface.

To exploit these vulnerabilities, an attacker would first need to gain a foothold in the LAN. The entry point can be anything, e.g. an IoT device. Hackers can use this entry device to broadcast malformed CDP messages in the local network and take over Cisco equipment.
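Because the attack relies on malformed CDP messages sent on the local segment, a defender can run a structural sanity check over captured CDP frames. The following is an added example, not code from Armis or Cisco, and it is not a signature for the specific CVEs; it assumes untagged 802.3 frames, does not verify the CDP checksum, and uses constructed sample frames.

```python
import struct

CDP_DST = bytes.fromhex("01000ccccccc")       # multicast MAC used by CDP
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP header, Cisco OUI, PID 0x2000

def check_cdp_frame(frame: bytes):
    """Return None for non-CDP frames, else a list of structural problems."""
    if len(frame) < 22 or frame[:6] != CDP_DST or frame[14:22] != CDP_SNAP:
        return None
    problems = []
    (dot3_len,) = struct.unpack("!H", frame[12:14])   # covers LLC/SNAP + CDP
    if dot3_len < 8 or 14 + dot3_len > len(frame):
        return ["802.3 length field does not fit the captured frame"]
    cdp = frame[22:14 + dot3_len]
    if len(cdp) < 4:
        return ["CDP header truncated"]
    version, _ttl, _checksum = struct.unpack("!BBH", cdp[:4])  # checksum not verified
    if version not in (1, 2):
        problems.append(f"unexpected CDP version {version}")
    off = 4
    while off < len(cdp):
        if len(cdp) - off < 4:
            problems.append(f"dangling bytes at offset {off}, no room for a TLV header")
            break
        tlv_type, tlv_len = struct.unpack("!HH", cdp[off:off + 4])
        if tlv_len < 4:                       # declared length includes the 4-byte header
            problems.append(f"TLV 0x{tlv_type:04x} declares length {tlv_len} < 4")
            break
        if off + tlv_len > len(cdp):
            problems.append(f"TLV 0x{tlv_type:04x} length {tlv_len} overruns the packet")
            break
        off += tlv_len
    return problems

def build_frame(tlvs, src=bytes.fromhex("020000000001")):
    """Constructed test input: tlvs is a list of (type, declared_len, value)."""
    body = bytes([2, 180]) + b"\x00\x00"      # version 2, TTL 180, checksum left as zero
    for t, declared, value in tlvs:
        body += struct.pack("!HH", t, declared) + value
    payload = CDP_SNAP + body
    return CDP_DST + src + struct.pack("!H", len(payload)) + payload

GOOD = build_frame([(0x0001, 4 + 10, b"lab-switch")])   # well-formed Device-ID TLV
BAD = build_frame([(0x0001, 400, b"lab-switch")])       # declared length exceeds packet

if __name__ == "__main__":
    for name, f in (("good", GOOD), ("bad", BAD)):
        print(name, check_cdp_frame(f))
```

A non-empty result for a frame from a port that should only carry end-user traffic is worth investigating, since the source MAC points at the device that sent it.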

The main targets of the attack are Cisco routers, switches and firewalls. These devices hold the keys to the entire corporate network, and CDP is enabled on them by default.

In short, although an attacker cannot exploit the CDPwn vulnerabilities remotely over the Internet, they can be combined with other attack methods to escalate initial access: taking over key points such as routers and switches to remove network segmentation, and then moving laterally to attack other devices in the corporate network.

Since VoIP phones, IP cameras and other Cisco products also have CDP built in and enabled by default, CDPwn attacks can be directed at these devices as well.

An attacker could use CDPwn to take over vulnerable devices such as telephones and security cameras, install malware, exfiltrate data, and even eavesdrop on phone calls and video feeds.

According to Armis, CDPwn affects all Cisco routers running the IOS XR operating system, all Nexus switches, Cisco Firepower firewalls, Cisco NCS systems, all Cisco 8000 IP cameras, and all Cisco 7800 and 8800 VoIP phones.

A few months ago, Armis contacted Cisco about the vulnerabilities it had found. Cisco responded quickly and has developed patches for all of the CDPwn vulnerabilities. The exact list of CDPwn vulnerabilities is:

  • Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (CVE-2020-3120)
  • Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (CVE-2020-3119)
  • Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability (CVE-2020-3118)
  • Cisco IP Phone Remote Execution and Denial of Service Vulnerability (CVE-2020-3111)
  • Cisco Video Surveillance 8000 Series IP Camera Cisco Discovery Protocol Remote Execution and Denial of Service Vulnerability (CVE-2020-3110)

Origin www.linuxidc.com/Linux/2020-02/162255.htm