Network Security, Patch/Configuration Management, Vulnerability Management

Five high-level flaws patched in Cisco Discovery Protocol


Cisco Systems has issued fixes for five high-level vulnerabilities in various implementations of its Cisco Discovery Protocol, which is enabled by default in tens of millions of Cisco products.

The five flaws, collectively named CDPwn, could allow attackers to either remotely execute code or trigger a denial of service, warned Cisco yesterday, as did researchers at Armis who uncovered and disclosed the bugs. Affected devices including switches, routers, IP phones and IP cameras, which use the Layer 2 (Data Link Layer) network protocol to discover and map to each other Cisco equipment in the same network.

"Increasingly, these devices can, and do, connect to the enterprise network. And large numbers of these devices end up in places that attackers find extremely valuable," said Ben Seri, VP of research at Armis, in a company press release. "The findings of this research are significant, as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area, and yet are the foundation for the practice of network segmentation. Network segmentation is often utilized as a means to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy."

The vulnerabilities consist of:

  • CVE-2020-3110, a heap overflow in Cisco's Video Surveillance 8000 Series IP cameras with CDP enabled.
  • CVE-2020-3111, a stack overflow in Cisco VoIP phones with CDP enabled.
  • CVE-2020-3118, a stack overflow condition Cisco's CDP subsystem of devices running, or based on, Cisco IOS XR Software.
  • CVE-2020-3119, a stack buffer overflow and arbitrary write in Cisco's CDP subsystem of devices running, or based on, Cisco NX-OS Software.
  • CVE-2020-3120, a resource exhaustion denial-of-service condition in Cisco's CDP subsystem of devices running, or based on, Cisco NX-OS, IOS XR, and FXOS Software.

The first two CDPwn bugs can result in both remote code execution and denial of service, the third and fourth can enable remote code execution and the fifth vulnerability can be exploited for denial of service. Attackers can trigger a denial of service by rebooting an affected device running CDP, and can perform code execution by sending a malicious, unauthenticated CDP packet to vulnerable devices, according to a security advisory from the CERT Coordination Center at Carnegie Mellon University.

Armis said attackers could then go on to eavesdrop on voice and video data/calls and video feeds; steal corporate data flowing through switches and routers; move laterally across networks and conduct man-in-the-middle attacks to intercept and alter traffic on the corporate switch. (Armis describes the threat further in a detailed disclosure report and technical white paper.)

Cisco also released security advisories for two fixed medium-level vulnerabilities, a stored cross-site scripting bug in the web-based management interface of Cisco Identity Services Engine, and another stored XSS flaw in the web-based management interface of Cisco Digital Network Architecture (DNA) Center.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.