Four of the five high-severity bugs are remote code execution issues affecting Cisco routers, switches, and IP cameras, whereas the fifth vulnerability is a denial-of-service issue affecting Cisco IP phones.
Collectively dubbed 'CDPwn,' the reported vulnerabilities reside in the various implementations of the Cisco Discovery Protocol (CDP) that comes enabled by default on virtually all Cisco devices and can not be turned OFF.
Cisco Discovery Protocol (CDP) is an administrative protocol that works at Layer 2 of the Internet Protocol (IP) stack. The protocol has been designed to let devices discover information about other locally attached Cisco equipment in the same network.
According to a report Armis research team shared with The Hacker News, the underlying CDP implementations contain buffer overflow and format string vulnerabilities that could let remote attackers on the same network execute arbitrary code on the vulnerable devices by sending malicious unauthenticated CDP packets.
The list of CDPwn Cisco vulnerabilities affecting tens of millions of devices widely deployed in enterprise networks is as follow:
- Cisco NX-OS Stack Overflow in the Power Request TLV (CVE-2020-3119)
- Cisco IOS XR Format String vulnerability in multiple TLVs (CVE-2020-3118)
- Cisco IP Phones Stack Overflow in PortID TLV (CVE-2020-3111)
- Cisco IP Cameras Heap Overflow in DeviceID TLV (CVE-2020-3110)
- Cisco FXOS, IOS XR, and NX-OS Resource Exhaustion in the Addresses TLV (CVE-2020-3120)
To be noted, since CDP is a Data Link layer 2 protocol that can't cross the boundaries of a local area network, an attacker first needs to be on the same network to leverage CDPwn vulnerabilities.
However, after gaining an initial foothold in a targeted network using separate vulnerabilities, attackers can exploit CDPwn against network switches to break network segmentation and move laterally across the corporate networks to other sensitive systems and data.
"Gaining control over the switch is useful in other ways. For example, the switch is in a prime position to eavesdrop on network traffic that traverses through the switch, and it can even be used to launch man-in-the-middle attacks on the traffic of devices that traverses through the switch," the researchers said.
"An attacker can look to move laterally across segments and gain access to valuable devices like IP phones or cameras. Unlike switches, these devices hold sensitive data directly, and the reason to take them over can be a goal of an attacker, and not merely a way to break out of segmentation."
Additionally, CDPwn flaws also allow attackers to:
- Eavesdrop on voice and video data/calls and video feed from IP phones and cameras, capture sensitive conversations or images.
- Exfiltrate sensitive corporate data flowing through the corporate network's switches and routers.
- Compromise additional devices by leveraging man-in-the-middle attacks to intercept and alter traffic on the corporate switch.
Besides releasing a detailed technical report on the issues, the Armis research team has also shared videos of explanation and demonstration of the flaws, as embedded above.
After closely working with Armis researchers over the last few months to develop security patches, Cisco today released software updates for all of its affected products.
Though Cisco has also provided some mitigation information, affected administrators are still highly recommended to install the latest software updates to completely protect their valuable networks against malware and emerging online threats.