Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to discover information about locally attached Cisco equipment. CDP is implemented in virtually all Cisco products including switches, routers, IP phones and cameras. All those devices ship from the factory with CDP enabled by default. The CERT Coordination Center has also issued an advisory.
A common use for CDP is the management of IP phones. For example, CDP lets a switch allocate one VLAN for voice and another for any PC that is daisy-chained to the phone; the phone learns about these separate VLANs over CDP. Further, many of these devices are powered over Ethernet (PoE), and the switch negotiates over CDP how much power to allocate to the device connected to a given port.
The discovery, dubbed CDPwn, exposes vulnerabilities which could allow an attacker to fully take over all of these devices. Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities while one is a Denial of Service (DoS) vulnerability. Exploitation of the RCE vulnerabilities can lead to:
The findings of this research are significant because Layer 2 protocols are the underpinning of all networks. As an attack surface, Layer 2 protocols are an under-researched area, yet they are the foundation of network segmentation, which is used both to improve network performance and to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by an attacker with a foothold on the local network, so network segmentation alone can no longer be treated as a guaranteed security control. A detailed technical report on all of the vulnerabilities can be found in the technical white paper.
Armis disclosed the vulnerabilities to Cisco on August 29, 2019, and has worked with Cisco since then to develop and test mitigations and patches.
Armis VP of Research Ben Seri and Yuval Sarel will be discussing these vulnerabilities in detail in a talk at the BluehatIL Conference in Tel Aviv on February 6. In addition, Ben Seri and Barak Hadad will also be speaking about this discovery at the Troopers Conference in Heidelberg, Germany on March 17-18, and at the BlackHat Asia Conference in Singapore on April 3.
Looking closely at the modern enterprise, one sees large numbers of different devices used for a variety of applications, from the front office to the back office, the reception lobby and the factory floor. The variety runs from traditional desktops, laptops and servers to phones, security cameras, smart TVs, smart lighting and HVAC, building automation, badge readers, industrial control systems and more. Increasingly, these devices can, and do, connect to the enterprise network. The majority of these newer connected devices have no inherent security and cannot run a security agent.
Large numbers of these devices, IP phones in particular, end up in places that attackers find extremely valuable, such as trading floors, boardrooms, the CEO’s conference room, the Resolute desk in the Oval Office and even the Situation Room. In fact, according to Cisco, more than 95% of Fortune 500 companies use Cisco Collaboration solutions.
While enterprises will often use network segmentation as a means to isolate these devices from other parts of the network, CDPwn could be used to break through those boundaries to allow for unauthorized access and compromise.
Although the effect in each case is a full takeover of the device running CDP, the reason for attacking each kind of device, and the setting in which an attacker would do so, differ.
For switches and routers, an attacker can use the CDP vulnerabilities to break network segmentation. Switches and routers are often regarded as invisible devices on the corporate network, efficiently connecting locations and devices to one another while also acting as traffic cops. From an attacker’s perspective, however, they are a valuable asset: they have access to all network segments, and they sit in a prime position for data exfiltration.
To make matters worse, switches are responsible for parsing and handling many Layer 2 protocols that are unique to them, and represent a rarely explored attack surface. Although the implementation of these protocols may be rarely explored, any vulnerability found in them has severe implications on the security of both the network appliances that parse them, and the integrity of the networks they serve. Moreover, many of these protocols are enabled by default on all of the switch’s ports, rather than only on its management port, widening the attack surface.
In a segmented network, an attacker who has gained a foothold on a device in one network segment or VLAN can, at first, only gather information about and attack the other devices attached to that same segment. To escalate, the attacker needs a way to move laterally into other segments, which may hold far more sensitive data. One way to break out of segmentation is to target the network appliance (the switch) to which the attacker’s device is connected. The attack surface that is enabled by default on network switches, on every segment they serve, is the set of Layer 2 protocols used for the operation of the switch itself, and CDP is one of these protocols.
Having taken over the switch, an attacker can move laterally to all network segments served by it.
Gaining control over the switch is useful in other ways. The switch is in a prime position to eavesdrop on the traffic that traverses it, and it can even be used to launch man-in-the-middle attacks on that traffic. A switch is also the ultimate hiding place for an attacker: it is a relatively unsecured device that cannot run a security agent, the attacker can launch attacks from it against the devices in the network, and the attacker can hide the malicious traffic they generate from any network taps that are in place to inspect traffic.
Now that a foothold has been gained in the network infrastructure itself, the attacker can move laterally across segments to reach valuable devices such as IP phones or cameras. Unlike switches, these devices hold sensitive data directly, so taking them over can be the attacker’s goal rather than merely a way to break out of segmentation. The IP phones are affected by a distinctive vulnerability, similar to the one Armis saw with URGENT/11: it can be triggered by a broadcast packet that reaches every device in the network but trips the bug only on Cisco IP phones. This means an attacker can take over all Cisco IP phones in a given network simultaneously.
As mentioned above, the CDPwn vulnerabilities affect tens of millions of devices that are widely deployed in enterprise networks as follows:
CDPwn is a set of five vulnerabilities affecting Cisco equipment ranging from network infrastructure such as switches and routers to enterprise-grade endpoint devices such as IP phones and security cameras. As noted above, the vulnerabilities are classified as critical; four enable remote code execution (RCE), and the fifth is a denial-of-service (DoS) vulnerability that can be used to disrupt the operation of an entire network. The CDPwn vulnerabilities reside in the processing of Cisco Discovery Protocol (CDP) packets and are an example of the effect Layer 2 protocols can have on a network’s security posture.
The following vulnerabilities are critical RCE vulnerabilities, each of which affects a separate implementation of the CDP parsing mechanism used by various Cisco products. To trigger them, an attacker simply needs to send a maliciously crafted CDP packet to a target device; since CDP is a Layer 2 protocol that is not routed, the attacker must already be on the same local network as the target.
Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (CVE-2020-3119)
This vulnerability is a stack overflow in the NX-OS CDP implementation’s parsing of Power over Ethernet (PoE) power request fields. The Power Requested TLV carries a list of requested power levels, and the parser stores them in a stack buffer sized for the number of levels the switch expects to receive, so an otherwise well-formed CDP packet carrying more power levels than that overflows the buffer. By exploiting this vulnerability, an attacker could gain full control over the switch and the network infrastructure it is supposed to enforce, breaking segmentation and allowing hopping between VLANs.
Cisco IOS-XR – CDP Format String Vulnerability (CVE-2020-3118)
This vulnerability is a format string vulnerability in the parsing of certain string fields (Device ID, Port ID, etc.) for incoming CDP packets in the CDP implementation in IOS XR. This particular vulnerability allows an attacker to control the format string parameter passed to the sprintf function. Using certain format string characters, an attacker can write controlled bytes to out-of-bounds stack variables, which essentially leads to a stack overflow. This type of overflow can then lead to remote code execution. Using this vulnerability, an attacker could gain full control over the target router to traverse between network segments and use the router for subsequent attacks.
Cisco Voice over IP Phone – CDP Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3111)
Cisco IP phones use CDP for management purposes, including learning which VLAN the phone should join. The phone can also request specific PoE parameters, which the switch it is connected to can grant or deny over CDP. In this vulnerability, a stack overflow in the parsing function for the Port ID can be exploited to gain code execution on the phone. CDP packets are normally consumed by each CDP-capable switch in the network and not forwarded, but an additional bug exists in the IP phone’s CDP implementation: unicast and broadcast CDP packets are also accepted as legitimate CDP packets.
All other Cisco network appliances only treat an Ethernet frame as CDP if it is sent to the designated CDP multicast MAC address, and switches consume such frames rather than forwarding them. Because the phones also accept unicast and broadcast frames, which switches forward like any other traffic, an attacker can trigger this vulnerability from anywhere in the local network and is not limited to sending the crafted CDP packet from a port on the access switch to which the target phone is connected.
In addition, since broadcast CDP packets are also interpreted as legitimate CDP packets by the IP phones, an attacker could send a single Ethernet broadcast frame that triggers the vulnerability on every vulnerable phone in the same LAN simultaneously, causing a DoS across all of them.
Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3110)
This vulnerability is a heap overflow in the CDP implementation of the Cisco Video Surveillance 8000 Series IP cameras, triggered when an incoming CDP packet carries an overly large Port ID field. The overflowed bytes are attacker-controlled, and the overflow can be triggered repeatedly. Moreover, the CDP daemon on the camera is not built as a position-independent executable, so its code and data live at fixed addresses and ASLR (Address Space Layout Randomization) does not protect it. Together, these conditions allow an attacker to turn the overflow into remote code execution.
Each of the four vulnerabilities described above impacts a different implementation of CDP as used by various Cisco products. However, the following DoS vulnerability is essentially a similar flaw that was found to affect three separate CDP implementations used by three different Cisco OSs.
Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (CVE-2020-3120)
This vulnerability is triggered by making the CDP daemon of a router or switch allocate large blocks of memory, which causes the process to crash. An attacker can crash the CDP process repeatedly, which in turn causes the device to reboot. In this way an attacker can keep the target router or switch out of service and completely disrupt the networks it serves.
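As an added example that is not part of the Armis write-up and is not Cisco code, the following Python builds CDP frames the way a phone or switch would (including the PoE Power Requested TLV from the overview) and then checks captured frames for the shapes described in the vulnerability sections above: a Power Requested TLV with too many power levels (NX-OS), format-string characters in the Device ID or Port ID (IOS XR), an oversized Port ID (IP phones and cameras), and CDP carried to a unicast or broadcast destination instead of the CDP multicast MAC, which only the phones accept. The thresholds MAX_STRING_TLV, MAX_POWER_LEVELS and MAX_TLV_LEN are assumptions chosen for illustration, the sample frames are constructed, and the odd-length checksum quirk follows Wireshark's CDP dissector.

```python
# Added example: a minimal CDP encoder plus a wire-level checker for the
# malformed-frame shapes CDPwn relies on. Not Armis or Cisco code; the
# MAX_* thresholds are assumptions to tune for your own devices.
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")        # 01:00:0c:cc:cc:cc
SNAP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")   # LLC + SNAP: OUI Cisco, PID 0x2000

# TLV type codes from the protocol itself.
TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_POWER_REQUESTED = 0x0019
STRING_TLVS = {TLV_DEVICE_ID: "Device ID", TLV_PORT_ID: "Port ID"}

# Assumed detection thresholds (illustrative, not from the advisory).
MAX_STRING_TLV = 128   # bytes in a Device ID / Port ID value
MAX_POWER_LEVELS = 8   # 4-byte power values in one Power Requested TLV
MAX_TLV_LEN = 1024     # any single TLV larger than this is suspicious


def cdp_checksum(data: bytes) -> int:
    """One's-complement sum over the CDP portion. Odd-length quirk as in
    Wireshark's dissector: the trailing byte becomes the LOW byte of the
    last 16-bit word (a plain IP checksum would pad on the right)."""
    if len(data) % 2:
        data = data[:-1] + b"\x00" + data[-1:]
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(type_: int, value: bytes) -> bytes:
    """CDP TLV: 2-byte type, 2-byte length (header included), value."""
    return struct.pack("!HH", type_, 4 + len(value)) + value


def power_requested_tlv(levels_mw, request_id=1, mgmt_id=1) -> bytes:
    """Power Requested TLV: request id, management id, then 4-byte mW values."""
    body = struct.pack("!HH", request_id, mgmt_id)
    body += b"".join(struct.pack("!I", mw) for mw in levels_mw)
    return tlv(TLV_POWER_REQUESTED, body)


def build_cdp_frame(tlvs, src_mac: bytes, dst_mac: bytes = CDP_MULTICAST_MAC, ttl=180) -> bytes:
    """802.3 frame: dst, src, length, LLC/SNAP, CDP v2 header, TLVs."""
    body = b"".join(tlvs)
    csum = cdp_checksum(struct.pack("!BBH", 2, ttl, 0) + body)
    payload = SNAP_HEADER + struct.pack("!BBH", 2, ttl, csum) + body
    return dst_mac + src_mac + struct.pack("!H", len(payload)) + payload


def check_cdp_frame(frame: bytes):
    """Return a list of findings; an empty list means the frame looks like ordinary CDP."""
    findings = []
    if len(frame) < 14 + len(SNAP_HEADER) + 4:
        return ["truncated frame"]
    dst = frame[:6]
    if dst != CDP_MULTICAST_MAC:
        # Switches only parse CDP sent to the multicast MAC; the phones also
        # accept unicast and broadcast, so this shape can only target phones.
        findings.append("destination %s is not the CDP multicast address" % dst.hex(":"))
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:14 + length]
    if not payload.startswith(SNAP_HEADER):
        return findings + ["not a CDP SNAP payload"]
    cdp = payload[len(SNAP_HEADER):]
    version, _ttl, csum = struct.unpack("!BBH", cdp[:4])
    if version not in (1, 2):
        findings.append("unknown CDP version %d" % version)
    if cdp_checksum(cdp[:2] + b"\x00\x00" + cdp[4:]) != csum:
        findings.append("bad CDP checksum")
    off = 4
    while off < len(cdp):
        if off + 4 > len(cdp):
            findings.append("trailing bytes shorter than a TLV header")
            break
        t, l = struct.unpack("!HH", cdp[off:off + 4])
        if l < 4 or off + l > len(cdp):
            findings.append("TLV 0x%04x length %d overruns the frame" % (t, l))
            break
        value = cdp[off + 4:off + l]
        if l > MAX_TLV_LEN:
            findings.append("TLV 0x%04x is %d bytes (threshold %d)" % (t, l, MAX_TLV_LEN))
        if t in STRING_TLVS:
            name = STRING_TLVS[t]
            if len(value) > MAX_STRING_TLV:
                findings.append("%s TLV value is %d bytes (threshold %d)" % (name, len(value), MAX_STRING_TLV))
            if b"%" in value:
                findings.append("%s TLV contains format-string characters" % name)
        elif t == TLV_POWER_REQUESTED:
            levels = max(0, len(value) - 4) // 4
            if levels > MAX_POWER_LEVELS:
                findings.append("Power Requested TLV carries %d power levels (threshold %d)" % (levels, MAX_POWER_LEVELS))
        off += l
    return findings


if __name__ == "__main__":
    # Constructed samples: a phone-like announcement, then three CDPwn-shaped frames.
    src = bytes.fromhex("001122334455")
    normal = build_cdp_frame([tlv(TLV_DEVICE_ID, b"SEP001122334455"),
                              tlv(TLV_PORT_ID, b"Port 1"),
                              power_requested_tlv([6300])], src)
    print("normal:", check_cdp_frame(normal))
    print("poe flood:", check_cdp_frame(build_cdp_frame([power_requested_tlv([6300] * 40)], src)))
    print("format:", check_cdp_frame(build_cdp_frame([tlv(TLV_DEVICE_ID, b"%x%x%n")], src)))
    print("broadcast:", check_cdp_frame(build_cdp_frame([tlv(TLV_PORT_ID, b"A" * 600)], src, b"\xff" * 6)))
```

Feed check_cdp_frame frames taken from a SPAN or tap capture (any pcap reader that yields raw Ethernet frames will do). A non-empty result is worth an alert, but measure what your own phones and switches send before alerting on the string-length and power-level thresholds, since those are the assumed values here rather than limits taken from the advisory. The checker deliberately stops at the first TLV whose length overruns the frame, since nothing after it can be trusted.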
Cisco has provided updates, and these are available on their Security Advisory page.
The individual updates can be found here:
Vulnerabilities that allow an attacker to break through network segmentation and move freely across the network pose a tremendous threat to enterprises. Targets have moved beyond traditional desktops, laptops and servers to devices like IP phones and cameras, which hold valuable voice and video data. Current security measures, including endpoint protection, mobile device management, firewalls and network security solutions, are not designed to identify these types of attacks. Enterprises that currently use network segmentation as their only mechanism to protect Enterprise of Things (EoT) devices from attack, and to protect enterprise computers from being attacked by compromised EoT devices, should rethink their approach.
These five CDPwn vulnerabilities, while serious, are just the latest in a long series of zero-day RCE vulnerabilities impacting network infrastructure over the past several years. Enterprises should consider augmenting network segmentation with other security mechanisms. Since traditional agent-based security can’t be used with most EoT devices, other approaches such as network-based behavioral monitoring should be considered.
The Armis agentless device security platform is purpose-built to identify vulnerabilities like CDPwn and will help to:
Enterprises owning any of the impacted devices listed above should immediately update their software with the updates Cisco has provided. Until the updates are complete, enterprises should assume that all impacted devices are exposed to attack and should monitor their behavior closely for anomalies and other indications of attack. Where a switch port serves neither an IP phone nor another Cisco device that depends on CDP, disabling CDP on that port removes it from the CDP attack surface; on ports that carry phones, CDP cannot simply be turned off without losing the voice VLAN and PoE negotiation described above, so patching is the only complete fix there.
With the discovery of the CDPwn vulnerabilities, organizations from every industry as well as governments are looking for a way to identify which of their devices are impacted by these vulnerabilities. Armis offers a CDPwn Risk Assessment to help organizations looking to understand their exposure.
The Armis agentless device security platform is able to identify Cisco devices that are vulnerable to CDPwn, as well as to detect exploitation attempts.