By The Integrity360 Team on February 07, 2020

CDPwn - Cisco Discovery Protocol Vulnerabilities

CVE-2020-3110 | CVE-2020-3111 | CVE-2020-3118  | CVE-2020-3119 | CVE-2020-3120

Integrity360 is actively monitoring a collection of 5 critical zero-day vulnerabilities, dubbed “CDPwn”. The CDPwn collection contains four Remote Code Execution (RCE) vulnerabilities as well as one Denial of Service (DoS) vulnerability.

The threat 

Cisco Discovery Protocol (CDP) is prone to Remote Code Execution and Denial of Service vulnerabilities when an unauthenticated attacker sends maliciously crafted CDP packets to an affected device. The Remote Code Execution vulnerabilities can allow an attacker to execute arbitrary code with admin or root privilege on the affected devices. The Denial of Service vulnerabilities can allow attackers to invoke a memory overload and forced reboot of the affected devices.

While these vulnerabilities require the attacker to be in the same broadcast domain as the affected device (adjacent attacker presence), it is believed that attackers could exploit widespread IoT vulnerabilities to gain a foothold in an organisation's environment, before exploiting the CDPwn vulnerabilities to break network segmentation, gain administrative access to core networking resources and move laterally through an organisation.
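Because the crafted packets must come from the same broadcast domain, one defensive check is to watch captured frames for CDP from senders that are not known infrastructure, or with TLVs whose declared length does not fit the frame. The following is an added example, not code from Integrity360, Armis or Cisco; the allowlist, MAC addresses and sample frames are constructed, and the checks are generic structural validation rather than signatures for the specific CVEs.

```python
import struct

CDP_DST = bytes.fromhex("01000ccccccc")       # CDP multicast destination MAC
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP: Cisco OUI 00:00:0c, protocol 0x2000

def inspect_frame(frame, allowed_sources):
    """Return findings for one raw Ethernet frame; [] if not CDP or nothing to report."""
    if len(frame) < 22 or frame[:6] != CDP_DST or frame[14:22] != CDP_SNAP:
        return []
    findings = []
    src = frame[6:12].hex(":")
    if src not in allowed_sources:
        findings.append(f"CDP from unexpected source {src}")
    # The 802.3 length field bounds the payload, so Ethernet padding is ignored.
    end = min(14 + struct.unpack("!H", frame[12:14])[0], len(frame))
    pos = 26  # skip CDP version (1), TTL (1) and checksum (2)
    if end < pos:
        return findings + ["truncated CDP header"]
    while pos < end:
        if end - pos < 4:
            findings.append(f"truncated TLV header at offset {pos}")
            break
        tlv_type, tlv_len = struct.unpack("!HH", frame[pos:pos + 4])
        # The TLV length covers its own 4-byte header and must fit in the payload.
        if tlv_len < 4 or pos + tlv_len > end:
            findings.append(f"TLV 0x{tlv_type:04x} has invalid length {tlv_len} at offset {pos}")
            break
        pos += tlv_len
    return findings

def build_frame(src_hex, tlvs):
    """Build a constructed CDP frame from (type, declared_length, value) tuples."""
    body = b"\x02\xb4\x00\x00"  # version 2, TTL 180, checksum left as zero
    for tlv_type, declared_len, value in tlvs:
        body += struct.pack("!HH", tlv_type, declared_len) + value
    payload = CDP_SNAP + body
    return CDP_DST + bytes.fromhex(src_hex) + struct.pack("!H", len(payload)) + payload

# Constructed sample data: one allowlisted switch (hypothetical MAC) and two frames.
ALLOWED = {"00:1b:54:aa:bb:01"}
GOOD = build_frame("001b54aabb01", [(0x0001, 10, b"sw-lab"), (0x0003, 11, b"Gi1/0/1")])
ODD = build_frame("0250569a0001", [(0x0001, 10, b"sw-lab"), (0x0003, 400, b"Gi1/0/1")])

if __name__ == "__main__":
    for name, frame in (("GOOD", GOOD), ("ODD", ODD)):
        print(name, inspect_frame(frame, ALLOWED))
```

In practice the frames would come from a capture on access ports where no CDP-speaking infrastructure is expected, such as guest or IoT segments.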

Armis, the team responsible for the disclosure, have cited two critical scenarios:

Scenario 1: Breaking of Network Segmentation.
In this scenario an attacker could leverage the CDPwn vulnerabilities to move laterally from a segmented/secured DMZ or “Internet-Only” network into other more sensitive areas of the corporate network, gaining access to critical systems, servers and file-stores. Additionally, the attacker could gain privileged admin access to network devices, allowing them to launch man-in-the-middle attacks on the traffic traversing the affected devices, to intercept and redirect traffic to malicious sites, or to eavesdrop on network traffic to siphon off user credentials, passwords and other sensitive information.

Scenario 2: Data Exfiltration From Devices Like IP Phones
In this scenario an attacker who has already gained a foothold in the network could move laterally across the segments to target and gain root access to affected IP Phones and IP Cameras. An attacker could potentially take over all affected IP Phones and IP Cameras on a network simultaneously to either perform covert reconnaissance operations or to cause havoc and disrupt business operations.


Known Affected Versions

Routers:

  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • IOS XRv 9000 Router
  • White box routers running Cisco IOS XR

Switches:

  • Nexus 1000 Virtual Edge for VMware vSphere
  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 1000V Switch for VMware vSphere
  • Nexus 3000 Series Switches
  • Nexus 5500 Series Switches
  • Nexus 5600 Series Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Fabric Switches
  • MDS 9000 Series Multilayer Switches
  • Network Convergence System (NCS) 540 Routers
  • Network Convergence System (NCS) 560 Routers
  • Network Convergence System (NCS) 1000 Series
  • Network Convergence System (NCS) 5000 Series
  • Network Convergence System (NCS) 5500 Series
  • Network Convergence System (NCS) 6000 Series
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects

IP Phones:

  • IP Conference Phone 7832
  • IP Conference Phone 8832
  • IP Phone 6800 Series
  • IP Phone 7800 Series
  • IP Phone 8800 Series
  • IP Phone 8851 Series
  • Unified IP Conference Phone 8831
  • Wireless IP Phone 8821
  • Wireless IP Phone 8821-EX

IP Cameras:

  • Video Surveillance 8000 Series IP Cameras

Please note: The Armis report suggests Firepower 1000 Series and Firepower 2100 Series devices are affected by these vulnerabilities; however, Cisco Advisories explicitly state that they are not, so they have not been included in the above list. It is, however, still recommended that these devices are reviewed and patched to the latest versions as a matter of best practice.

Recommendations

As a matter of best-practice, and wherever possible, organisations should look to physically segment network traffic for “dirty”, IoT and/or “Guest” networks and environments. We accept, however, that this may not be practical or cost-effective in many circumstances in which case we would advise all organisations to ensure that they are able to adequately identify and patch all affected devices. Thankfully, Cisco have released software updates for all affected devices; information on which can be found at https://cisco.com/security or by following the individual links to the Cisco Advisories.

More information

Armis Disclosure:

Cisco Advisories:

Should you require assistance in identifying affected assets and/or applying the software updates, or if you have any immediate concerns about this threat to your business, please contact your account manager or email info@integrity360.com. As always, Integrity360 Managed Security Service customers will already be covered through our proactive security approach.
