CDPwn: 5 Zero-Day Vulnerabilities in the Cisco Discovery Protocol | Armis, Hacker News

General Overview

Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to discover information about locally attached Cisco equipment. CDP is implemented in virtually all Cisco products including switches, routers, IP phones and cameras. All those devices ship from the factory with CDP enabled by default. The CERT Coordination Center has also issued an advisory .

A common use for CDP is for the management of IP phones. For example, CDP allows a switch to allocate one VLAN for voice and another for any PC that is daisy-chained to the phone. The information about these separate VLANs is passed to the IP phone over CDP. Further, many of these devices receive power via Power over Ethernet or PoE. A switch can negotiate how much power to allocate for a certain device that is connected to it via CDP packets.

The discovery, dubbed CDPwn, exposes vulnerabilities which could allow an attacker to fully take over all of these devices. Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities while one is a Denial of Service (DoS) vulnerability. Exploitation of the RCE vulnerabilities can lead to:

• Breaking of network segmentation
  Data exfiltration of corporate network traffic traversing through an organization’s switches and routers
  • Gaining access to additional devices by leveraging man-in-the-middle attacks by intercepting and altering traffic on the corporate switch
  • Data exfiltration of sensitive information such as phone calls from from devices like IP phones and video feeds from IP cameras

  The results of this research are significant as Layer 2 protocols are the underpinning for all networks. As an attack surface, Layer 2 protocols are an under-researched area and yet are the foundation for the practice of network segmentation. Network segmentation is utilized as a means to improve network performance and also to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy. A detailed technical report regarding all vulnerabilities can be found in the technical white paper (click here) .

  Armis has disclosed the vulnerabilities to Cisco on August , and has worked with them since to develop and test mitigations and patches.

  Armis VP of Research Ben Seri and Yuval Sarel will be discussing these vulnerabilities in detail in a talk at the BluehatIL Conference in Tel Aviv on February 6. In addition, Ben Seri and Barak Hadad will also be speaking about this discovery at the Troopers Conference in Heidelberg, Germany on March 29 – 90, and at the BlackHat Asia Conference in Singapore on April 3. The “things” on your enterprise network

  When looking deeply at the modern enterprise, one sees large numbers of different devices utilized for a variety of different applications from the front office, to the back office, to the reception lobby, to the factory floor. The variety of devices runs from traditional desktops, laptops and servers, to phones, security cameras, smart TV’s, smart lighting & HVAC, building automation, badge readers, industrial control systems and more. Increasingly, these devices can, and do, connect to the enterprise network. The majority of these new connected devices have no inherent security and cannot take an agent.

  The large numbers of these devices, like IP phones, end up in places that attackers find extremely valuable such as; trading floors, boardrooms, the CEO’s conference room, the Resolute desk in the Oval Office in the White House and even the Situation Room. In fact, according to Cisco , % Fortune companies use Cisco Collaboration solutions.

  While enterprises will often use network segmentation as a means to isolate these devices from other parts of the network, CDPwn could be used to break through those boundaries to allow for unauthorized access and compromise.

  What are the risks associated with CDPwn?

  Although the effect is a full take-over of all of the devices running CDP, the reason, and the setting, in which an attacker would use each of these are different.

  Scenario 1 – Breaking of network segmentation

  Here, an attacker can use the CDP vulnerabilities to break network segmentation. Switches and routers are often regarded as invisible devices on the corporate network, efficiently connecting locations and devices to one another while also acting as traffic cops. However, from an attacker’s perspective – they are a valuable asset, as they contain access to all network segments, and are located in a prime position for data exfiltration.

  To make matters worse, switches are responsible for parsing and handling many Layer 2 protocols that are unique to them, and represent a rarely explored attack surface. Although the implementation of these protocols may be rarely explored, any vulnerability found in them has severe implications on the security of both the network appliances that parse them, and the integrity of the networks they serve. Moreover, many of these protocols are enabled by default on all of the switch’s ports, rather than only on its management port, widening the attack surface.

  In segmented networks , when an attacker that has gained a foothold, for example, on a device that is part of a network segment or VLAN, the attacker can only gather info, and extend an attack to the other devices that are attached to the same network segment as the attacker. To elevate the attack, an attacker needs to find a way to move laterally to other segments that might contain much more sensitive data. One way to break out of segmentation is to target the network-appliance (the switch) to which the attacker is connected to. The attack surface that is enabled by default in network switches, on all segments served by it, are the

  Layer-2 protocols used for the operation of the switch itself — and CDP is one of these protocols.

  Having taken over the switch, an attacker can move laterally to all network segments served by it.

  Gaining control over the switch is useful in other ways. For example, the switch is in a prime position to eavesdrop on network traffic that traverses through the switch, and it can even be used to launch man-in-the-middle attacks on the traffic of devices that traverses through the switch. Additionally, a switch is the ultimate hiding position for an attacker – it is a relatively unsecured device, that doesn’t allow any security agent on it, and an attacker has the ability to launch attacks from it to the devices in the network. An attacker could also hide the malicious traffic he generated from any other network taps that are there to inspect traffic.

  Scenario 2 – Data exfiltration from devices like IP phones and cameras

  Now that a foothold has been gained in the network itself, the attacker can look to move laterally across segments and gain access to valuable devices like IP phones or cameras. Unlike switches, these devices hold sensitive data directly, and the reason to take them over can be a goal of an attacker, and not merely a way to break out of segmentation. IP Phones are affected by a unique vulnerability – similar to the one Armis saw with URGENT /

  • . The vulnerability can be triggered by a broadcast packet that is sent to all devices in the network, yet will trigger the vulnerability only on the Cisco IP Phones. This means an attacker can take over all Cisco IP phones in a certain network simultaneously. Affected devices

    As mentioned above, the CDPwn vulnerabilities affect tens of millions of devices that are widely deployed in enterprise networks as follows:

    Routers:

    ASR (Series Aggregation Services Routers)
    • Carrier Routing System (CRS)

  (Firepower) (Series)

  • Firepower 3000 Series
  • Firepower (Series)

  Firepower

Security Appliances IOS XRv (Router)

White box routers running Cisco IOS XR Switches:
Nexus (Virtual Edge)
• Nexus 3000 V Switch
Nexus (Series Switches) Nexus (Series Switches) (Nexus) (Series Switches) (Nexus) (Series Switches)
• Nexus (Series Switches)
• Nexus Series Fabric Switches

MDS Series Multilayer Switches Network Convergence System (NCS) (Series)

• Network Convergence System (NCS) (Series)
• Network Convergence System (NCS) Routers

Network Convergence System (NCS) 6200 Series Network Convergence System (NCS) (Routers) (Network Convergence System (NCS)) (Series) (UCS) (Series Fabric Interconnects) (UCS) Series Fabric Interconnects

• UCS (Series Fabric Interconnects) ( IP Phones:
  IP Conference Phone 8800

IP Conference Phone
• IP Phone (Series)
• IP Phone (Series)
• IP Phone (Series) (IP Phone) (Series) (Unified IP Conference Phone)

Wireless IP Phone 8832

Wireless IP Phone – EX (IP Cameras:
(Video Surveillance) Series IP Cameras

Technical Overview – What is CDPwn?

A detailed technical report regarding all vulnerabilities can be found in the technical white paper (click here) .

CDPwn is a set of five vulnerabilities affecting Cisco equipment ranging from network infrastructure such as switches and routers to enterprise-grade endpoint devices such as IP phones and security cameras. As noted above, the vulnerabilities are classified as critical with four enabling Remote Code Execution (RCE). The fifth is a Denial of Service (DoS) vulnerability which can be utilized to impact the entire operation of a network. The CDPwn vulnerabilities reside in the processing of Cisco Discovery Protocol (CDP) packets and are an example of the effect Layer 2 protocols can have over network security posture.

Four vulnerabilities, allowing remote-code-execution

The following vulnerabilities are critical RCE vulnerabilities, each of which affects a separate implementation of the CDP parsing mechanism, as used by various Cisco products. In order to trigger these vulnerabilities, an attacker simply needs to send a maliciously crafted CDP packet to a target device located inside the network.

• (Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability) (CVE -) –

  This vulnerability is a stack-overflow vulnerability in the parsing of CDP packets that contain negotiation for Power over Ethernet ( PoE) request fields in the implementation of CDP in NX-OS. A CDP packet containing too many PoE request fields will trigger this vulnerability on affected devices. An attacker can exploit this vulnerability using a legitimate CDP packet with more power levels than the total number of power levels the switch expects to receive causing the stack overflow. By exploiting this vulnerability, an attacker could gain full control over the switch and the network infrastructure it should enforce, breaking segmentation and allowing for hopping between VLANs.

  (Cisco IOS-XR – CDP Format String Vulnerability) (CVE -) –

This vulnerability is a format string vulnerability in the parsing of certain string fields (Device ID, Port ID, etc.) for incoming CDP packets in the CDP implementation in IOS XR. This particular vulnerability allows an attacker to control the format string parameter passed to the sprintf function. Using certain format string characters, an attacker can write controlled bytes to out-of-bounds stack variables, which essentially leads to a stack overflow. This type of overflow can then lead to remote code execution. Using this vulnerability, an attacker could gain full control over the target router to traverse between network segments and use the router for subsequent attacks.

(Cisco Voice over IP Phone – CDP Remote Code Execution and Denial of Service Vulnerability) (CVE -) –

)

Cisco IP phones useize CDP for management purposes including configuring to which VLAN the phone should be connected to. The phone can also request specific PoE parameters and the switch to which it is connected can enable or disable those parameters using CDP. In this vulnerability, a stack overflow in the parsing function for the Port ID, can be exploited to gain code execution on the phone. While CDP packets are terminated by each CDP-capable switch in the network, an additional bug exists in the IP phone’s implementation of CDP, in which unicast and broadcast CDP packets are also regarded as legitimate CDP packets.

All other Cisco network appliances will only interpret ethernet packets as legitimate CDP packets if they are sent to a designated multicast MAC address. This means that in order to trigger this vulnerability on the IP phones, an attacker can be situated anywhere in the local network, and not limited to sending the maliciously crafted CDP packet directly from within the access switch to which target devices are connected to.

In addition, since broadcast CDP packets are also interpreted as legitimate CDP packets by the IP phones, an attacker could send an ethernet broadcast packet, that will trigger the vulnerability and cause DoS on all vulnerable devices on the same LAN, simultaneously.

Cisco Video Surveillance (Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability) (CVE -) – 3120

)

This vulnerability is a heap overflow vulnerability in the parsing of CDP packets in the implementation of the Cisco Series IP cameras. This heap overflow is caused when an overly large Port ID field is supplied in an incoming CDP packet. The heap overflow contains attacker-controlled bytes, and can be triggered multiple times by an attacker. Moreover, the CDP daemon used in the IP camera is a non-position independent binary, meaning it is not using the ASLR (Address Space Layout Randomization) mitigation. Due to the above conditions, an attacker can exploit this overflow and reach remote code execution.

Denial of Service (DoS) vulnerability

Each of the four vulnerabilities described above impacts a different implementation of CDP as used by various Cisco products. However, the following DoS vulnerability is essentially a similar flaw that was found to affect three separate CDP implementations used by three different Cisco OSs.

(Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability) (CVE -) – )

This vulnerability is triggered by making the CDP daemon of a. router or switch allocate large blocks of memory that cause the process to crash. With this vulnerability, an attacker can cause the CDP process to crash repeatedly, which in turn causes the router to reboot. This means that an attacker can use this vulnerability to create a complete DoS of the target router, and in turn, completely disrupt target networks.

Updates, mitigations and notices Cisco Security Updates

Cisco has provided updates, and these are available on their The Security Advisory page

. )

The individual updates can be found here:

( (CVE – – 5000
(CVE – – 5500 )
• CVE – – CVE – CVE – Securing against CDPwn

  Vulnerabilities that allow an attacker to break through network segmentation and move freely across the network pose a tremendous threat to enterprises. Targets have moved beyond traditional desktops, laptops and servers to devices like IP phones & cameras which contain valuable voice and video data. Current security measures, including endpoint protection, mobile device management, firewalls, and network security solutions are not designed to identify these types of attacks. Enterprises who are currently using network segmentation as their only mechanism to protect Enterprise of Things (EoT) devices from attack, and to protect enterprise computers from being attacked by compromised EoT devices, should rethink their approach.

  These five CDPwn vulnerabilities, while serious, are just the latest in a long series of zero-day RCE vulnerabilities impacting network infrastructure over the past several years. Enterprises should consider augmenting network segmentation with other security mechanisms. Since traditional agent-based security can’t be used with most EoT devices, other approaches such as network-based behavioral monitoring should be considered.

  The Armis agentless device security platform is purpose-built to identify vulnerabilities like CDPwn and will help to:

  • Identify devices that are vulnerable to CDPwn
  • Detect the presence of an exploitation attempt
  • Monitor Cisco switches, routers, IP phones & cameras for behavioral anomalies that could occur post compromise

  Enterprises owning any of the impacted devices listed above should immediately update their software with the updates that Cisco has provided . Until these updates can be completed, enterprises should assume that all impacted devices are exposed to attack, and their behavior should be closely monitored to detect anomalies and other indications of attack.

  (Risk Assessment ) With the discovery of the CDPwn vulnerabilities, organizations from every industry as well as governments are looking for a way to identify which of their devices are impacted by these vulnerabilities. Armis offers a CDPwn Risk Assessment to help organizations looking to understand their exposure .

  Armis agentless device security platform is able to identify Cisco devices that are vulnerable to CDPwn, as well as detect the presence of an exploitation attempt.

  (Read More)