Vulnerabilities Could Allow Attackers to Remotely Take Over Devices such as IP Phones Found Almost Everywhere from Conference Rooms to Trading Floors to Government Offices
Palo Alto, Calif., Feb. 5, 2020 -- Armis, the leading enterprise IoT security company, announced the discovery of five zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP). CDP is a Cisco Proprietary Layer 2 (Data Link Layer) network protocol that is used to discover information about locally attached Cisco equipment, which aids in mapping the presence of other Cisco products in the network. CDP is implemented in virtually all Cisco products including switches, routers, IP phones and IP cameras; many of these devices can not work properly without CDP, and do not offer the ability to turn it off.
According to Cisco, 95%+ Fortune 500 companies use Cisco Collaboration solutions. The vulnerabilities, collectively called CDPwn, could allow an attacker to remotely take over tens of millions of devices. Four of the vulnerabilities are critical Remote Code Execution (RCE) vulnerabilities and one is a Denial of Service (DoS) vulnerability that can lead to:
- Eavesdropping on voice and video data/calls and video feeds from IP phones and cameras, capturing sensitive conversations or images.
- Theft of sensitive corporate data flowing through the corporate network's switches and routers.
- Breaking network segmentation, allowing attackers to move laterally across the corporate networks to other sensitive systems and data.
- Compromise of device communications by leveraging man-in-the-middle attacks to intercept and alter traffic on the corporate switch.
“Increasingly, these devices can, and do, connect to the enterprise network. And large numbers of these devices end up in places that attackers find extremely valuable,” said Ben Seri, VP of Research at Armis. “The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation. Network segmentation is often utilized as a means to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy.”
Over the last few months, Armis has been working in collaboration with Cisco on this matter, to confirm the vulnerabilities, audit their technical details, evaluate the associated risk, and work through the responsible disclosure process. Cisco notified customers and issued patches made available to address the vulnerabilities on February 5, 2020.
Updates and Mitigations
Cisco has provided additional information, software fixes, and mitigation details where available, for affected users. Please see Cisco’s security advisories for complete detail:
- Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability, (CVE-2020-3120)
- Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability, (CVE-2020-3119)
- Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability, (CVE-2020-3118)
- Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability, (CVE-2020-3111)
- Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability, (CVE-2020-3110)
Armis' agentless device security platform is able to identify Cisco devices that are vulnerable to CDPwn and detect the presence of an exploitation attempt.
- Read the Armis Disclosure Report
- Read the Armis Technical White Paper
- Watch the CDPwn Explained video
- Watch the CDPwn Takeover of Cisco Nexus Switch video
- Watch the CDPwn Takeover of Cisco IP Phones video
- Read the CERT/CC advisory
Armis is the leading agentless, enterprise-class security platform to address the new threat landscape of unmanaged and IoT devices. Fortune 1000 companies trust our unique out-of-band sensing technology to discover and analyze all managed, unmanaged, un-agentable and IoT devices—from traditional devices like laptops and smartphones to new unmanaged smart devices like smart TVs, webcams, printers, HVAC systems, industrial control systems, medical devices and more. Armis discovers devices on and off the network, continuously analyzes endpoint behavior to detect threats and attacks, and protects critical information and systems by identifying suspicious or malicious devices and quarantining them. Headquartered in Palo Alto, California, Armis is a privately held company. Follow us on Twitter and LinkedIn.
Corporate Communications at Armis
Katie Garagozzo for Armis