Cisco Systems has issued fixes for five high-level vulnerabilities in various implementations of its Cisco Discovery Protocol, which is enabled by default in tens of millions of Cisco products.
The five flaws, collectively named CDPwn, could allow attackers to either remotely execute code or trigger a denial of service, warned Cisco yesterday, as did researchers at Armis who uncovered and disclosed the bugs. Affected devices include switches, routers, IP phones and IP cameras, which use the Layer 2 (Data Link Layer) network protocol to discover and map other Cisco equipment on the same network.
“Increasingly, these devices can, and do, connect to the enterprise network. And large numbers of these devices end up in places that attackers find extremely valuable,” said Ben Seri, VP of research at Armis, in a company press release. “The findings of this research are significant, as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area, and yet are the foundation for the practice of network segmentation. Network segmentation is often utilized as a means to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy.”
The vulnerabilities consist of:
- CVE-2020-3110, a heap overflow in Cisco’s Video Surveillance 8000 Series IP cameras with CDP enabled.
- CVE-2020-3111, a stack overflow in Cisco VoIP phones with CDP enabled.
- CVE-2020-3118, a stack overflow condition in Cisco’s CDP subsystem of devices running, or based on, Cisco IOS XR Software.
- CVE-2020-3119, a stack buffer overflow and arbitrary write in Cisco’s CDP subsystem of devices running, or based on, Cisco NX-OS Software.
- CVE-2020-3120, a resource exhaustion denial-of-service condition in Cisco’s CDP subsystem of devices running, or based on, Cisco NX-OS, IOS XR, and FXOS Software.
The first two CDPwn bugs can result in both remote code execution and denial of service, the third and fourth can enable remote code execution, and the fifth vulnerability can be exploited for denial of service. Attackers can trigger a denial of service by rebooting an affected device running CDP, and can perform code execution by sending a malicious, unauthenticated CDP packet to vulnerable devices, according to a security advisory from the CERT Coordination Center at Carnegie Mellon University.
Armis said attackers could then go on to eavesdrop on voice and video data/calls and video feeds; steal corporate data flowing through switches and routers; move laterally across networks and conduct man-in-the-middle attacks to intercept and alter traffic on the corporate switch. (Armis describes the threat further in a detailed disclosure report and technical white paper.)
Cisco also released security advisories for two fixed medium-level vulnerabilities, a stored cross-site scripting bug in the web-based management interface of Cisco Identity Services Engine, and another stored XSS flaw in the web-based management interface of Cisco Digital Network Architecture (DNA) Center.