CVE-2020-3110 | CVE-2020-3111 | CVE-2020-3118 | CVE-2020-3119 | CVE-2020-3120
Integrity360 is actively monitoring a collection of 5 critical zero-day vulnerabilities, dubbed “CDPwn”. The CDPwn collection contains four Remote Code Execution (RCE) vulnerabilities as well as one Denial of Service (DoS) vulnerability. (CVE-2020-3110 | CVE-2020-3111 | CVE-2020-3118 | CVE-2020-3119 | CVE-2020-3120)
The threat
The Cisco Discovery Protocol (CDP) implementation on the affected devices is prone to Remote Code Execution and Denial of Service vulnerabilities when an unauthenticated attacker sends maliciously crafted CDP packets to the device. The Remote Code Execution vulnerabilities can allow an attacker to execute arbitrary code with admin or root privileges on the affected devices. The Denial of Service vulnerability can allow an attacker to exhaust the device's memory and force a reboot of the affected devices.
While these vulnerabilities require the attacker to be in the same broadcast domain as the affected device (adjacent attacker presence), it is believed that attackers could exploit widespread IoT vulnerabilities to gain a foothold in an organisation's environment before exploiting the CDPwn vulnerabilities to break network segmentation, gain administrative access to core networking resources and move laterally through an organisation.
Armis, the team responsible for the disclosure, have cited two critical scenarios:
Scenario 1: Breaking of Network Segmentation.
In this scenario an attacker could leverage the CDPwn vulnerabilities to move laterally from a segmented/secured DMZ or “Internet-Only” network into other, more sensitive areas of the corporate network, gaining access to critical systems, servers and file stores. Additionally, the attacker could gain privileged admin access to network devices, allowing them to launch man-in-the-middle attacks on the traffic traversing the affected devices, to intercept and redirect traffic to malicious sites, or to eavesdrop on network traffic and siphon off user credentials, passwords and other sensitive information.
Scenario 2: Data Exfiltration From Devices Like IP Phones
In this scenario an attacker who has already gained a foothold in the network could move laterally across the segments to target and gain root access to affected IP Phones and IP Cameras. An attacker could potentially take over all affected IP Phones and IP Cameras on a network simultaneously, either to perform covert reconnaissance operations or to cause havoc and disrupt business operations.
Known Affected Versions
Routers:
Switches:
IP Phones:
IP Cameras:
Please note: The Armis report suggests Firepower 1000 Series and Firepower 2100 Series devices are affected by these vulnerabilities; however, the Cisco Advisories explicitly state that they are not, so they have not been included in the above list. It is, however, still recommended that these devices are reviewed and patched to the latest versions as a matter of best practice.
Recommendations
As a matter of best practice, and wherever possible, organisations should look to physically segment network traffic for “dirty”, IoT and/or “Guest” networks and environments. We accept, however, that this may not be practical or cost-effective in many circumstances, in which case we would advise all organisations to ensure that they are able to adequately identify and patch all affected devices. Thankfully, Cisco have released software updates for all affected devices; information on these can be found at https://cisco.com/security or by following the individual links to the Cisco Advisories.
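Identifying affected devices starts with knowing which devices in each broadcast domain are announcing themselves over CDP, since that is exactly the exposure the adjacent-attacker requirement describes. The following is an added example, not code from the original advisory, Armis or Cisco: it parses the CDP PDU (the part after the SNAP header) from captured announcements into an inventory of device ID, platform and software version for review against the Cisco Advisories. The sample announcement is constructed, the checksum is not validated, and the TLV type numbers used are the standard CDP ones (Device ID, Port ID, Software Version, Platform).

```python
"""Passive CDP inventory helper (added example, not the advisory's own code).

Feed it the CDP PDU bytes that a sniffer sees after the LLC/SNAP header and
it returns the fields needed to check a device against the CDPwn advisories.
Malformed TLVs stop parsing and are reported rather than trusted."""
import struct

# Standard CDP TLV types we care about for an inventory.
CDP_TYPE_NAMES = {
    0x0001: "device_id",
    0x0003: "port_id",
    0x0005: "software_version",
    0x0006: "platform",
}


def parse_cdp_tlvs(payload: bytes) -> dict:
    """Parse CDP header (version, TTL, checksum) then TLVs (type, length, value).
    The 2-byte TLV length includes the 4-byte TLV header, so anything below 4
    or running past the buffer is malformed. The checksum is not validated."""
    if len(payload) < 4:
        return {"error": "truncated header"}
    result = {"cdp_version": payload[0], "ttl": payload[1]}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, offset)
        if tlv_len < 4 or offset + tlv_len > len(payload):
            result["error"] = f"malformed TLV type=0x{tlv_type:04x} len={tlv_len}"
            break
        value = payload[offset + 4:offset + tlv_len]
        name = CDP_TYPE_NAMES.get(tlv_type)
        if name:
            result[name] = value.decode("ascii", errors="replace")
        offset += tlv_len
    return result


def inventory(pdus) -> dict:
    """Deduplicate a batch of captured announcements by device ID."""
    seen = {}
    for pdu in pdus:
        parsed = parse_cdp_tlvs(pdu)
        seen[parsed.get("device_id", "<unparsed>")] = parsed
    return seen


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


# Constructed sample announcement (not a real capture): CDP v2, TTL 180 s,
# zeroed checksum placeholder, then four TLVs describing a hypothetical switch.
SAMPLE_CDP = (bytes([0x02, 0xB4, 0x00, 0x00])
              + _tlv(0x0001, b"SW-CORE-01")
              + _tlv(0x0005, b"Cisco IOS Software (constructed sample version)")
              + _tlv(0x0006, b"cisco WS-C2960X-48FPD-L")
              + _tlv(0x0003, b"GigabitEthernet1/0/1"))

if __name__ == "__main__":
    for device, fields in inventory([SAMPLE_CDP]).items():
        print(device, fields.get("platform"), fields.get("software_version"))
```

Run it against the PDUs from a capture of destination MAC 01:00:0c:cc:cc:cc in each segment and compare the platform and version fields with the Cisco Advisories linked below.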
More information
Armis Disclosure:
Cisco Advisories:
Should you require assistance in identifying affected assets and/or applying the software updates, or if you have any immediate concerns about this threat to your business, please contact your account manager or email info@integrity360.com. As always, Integrity360 Managed Security Service customers will already be covered through our proactive security approach.