Technical Overview – What is CDPwn?
A detailed technical report regarding all vulnerabilities can be found in the technical white paper.
CDPwn is a set of five vulnerabilities affecting Cisco equipment ranging from network infrastructure such as switches and routers to enterprise-grade endpoint devices such as IP phones and security cameras. As noted above, the vulnerabilities are classified as critical, with four enabling Remote Code Execution (RCE). The fifth is a Denial of Service (DoS) vulnerability which can be used to disrupt the operation of an entire network. The CDPwn vulnerabilities reside in the processing of Cisco Discovery Protocol (CDP) packets and are an example of the effect Layer 2 protocols can have on a network's security posture.
Four vulnerabilities allowing remote code execution
The following vulnerabilities are critical RCE vulnerabilities, each of which affects a separate implementation of the CDP parsing mechanism, as used by various Cisco products. In order to trigger these vulnerabilities, an attacker simply needs to send a maliciously crafted CDP packet to a target device located inside the network.
Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (CVE-2020-3119)
This vulnerability is a stack overflow in the parsing of CDP packets that contain negotiation for Power over Ethernet (PoE) request fields in the CDP implementation of NX-OS. A CDP packet containing too many PoE request fields will trigger this vulnerability on affected devices. An attacker can exploit this vulnerability using a legitimate CDP packet with more power levels than the total number of power levels the switch expects to receive, causing the stack overflow. By exploiting this vulnerability, an attacker could gain full control over the switch and the network infrastructure it is supposed to enforce, breaking segmentation and allowing for hopping between VLANs.
Cisco IOS-XR – CDP Format String Vulnerability (CVE-2020-3118)
This vulnerability is a format string vulnerability in the parsing of certain string fields (Device ID, Port ID, etc.) for incoming CDP packets in the CDP implementation in IOS XR. This particular vulnerability allows an attacker to control the format string parameter passed to the sprintf function. Using certain format string characters, an attacker can write controlled bytes to out-of-bounds stack variables, which essentially leads to a stack overflow. This type of overflow can then lead to remote code execution. Using this vulnerability, an attacker could gain full control over the target router to traverse between network segments and use the router for subsequent attacks.
Cisco Voice over IP Phone – CDP Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3111)
Cisco IP phones utilize CDP for management purposes, including configuring which VLAN the phone should be connected to. The phone can also request specific PoE parameters, and the switch to which it is connected can enable or disable those parameters using CDP. In this vulnerability, a stack overflow in the parsing function for the Port ID can be exploited to gain code execution on the phone. While CDP packets are terminated by each CDP-capable switch in the network, an additional bug exists in the IP phone's implementation of CDP, in which unicast and broadcast CDP packets are also regarded as legitimate CDP packets.
All other Cisco network appliances will only interpret Ethernet packets as legitimate CDP packets if they are sent to the designated multicast MAC address. This means that in order to trigger this vulnerability on the IP phones, an attacker can be situated anywhere in the local network, and is not limited to sending the maliciously crafted CDP packet directly from the access switch to which the target devices are connected.
In addition, since broadcast CDP packets are also interpreted as legitimate CDP packets by the IP phones, an attacker could send a single Ethernet broadcast packet that triggers the vulnerability and causes a DoS on all vulnerable devices on the same LAN simultaneously.
Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3110)
This vulnerability is a heap overflow in the parsing of CDP packets in the CDP implementation of the Cisco 8000 Series IP cameras. The heap overflow is caused when an overly large Port ID field is supplied in an incoming CDP packet. The overflow contains attacker-controlled bytes and can be triggered multiple times by an attacker. Moreover, the CDP daemon used in the IP camera is a non-position-independent binary, meaning it does not benefit from the ASLR (Address Space Layout Randomization) mitigation. Due to the above conditions, an attacker can exploit this overflow and reach remote code execution.
Denial of Service (DoS) vulnerability
Each of the four vulnerabilities described above impacts a different implementation of CDP as used by various Cisco products. The following DoS vulnerability, however, is essentially the same flaw found in three separate CDP implementations used by three different Cisco operating systems.
Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (CVE-2020-3120)
This vulnerability is triggered by making the CDP daemon of a router or switch allocate large blocks of memory that cause the process to crash. With this vulnerability, an attacker can cause the CDP process to crash repeatedly, which in turn causes the router to reboot. This means that an attacker can use this vulnerability to create a complete DoS of the target router, and in turn, completely disrupt target networks.
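The common thread across the vulnerabilities above is a CDP parser trusting what the packet says about itself: the IP phones accepting CDP on unicast and broadcast destinations, the Port ID parsers trusting a TLV length that exceeds the bytes actually received, and the DoS case allocating whatever size the packet asks for. The following validator, added here as an illustration and not code from Armis or Cisco, applies those three checks to raw Ethernet frames before any TLV value is used. The CDP multicast MAC, LLC/SNAP header and TLV type codes are the standard documented values; the policy limits (`MAX_STRING_TLV_VALUE`, `MAX_CDP_BODY_BYTES`) and the sample frames are assumptions constructed for the example, and the checksum is neither computed nor verified.

```python
import struct

# CDP encapsulation constants (standard, widely documented values; not taken from the page).
CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")        # 01:00:0c:cc:cc:cc
BROADCAST_MAC = b"\xff" * 6
CDP_SNAP_HEADER = bytes.fromhex("aaaa0300000c2000")      # LLC aa/aa/03 + Cisco OUI 00000c + CDP PID 0x2000
TLV_DEVICE_ID, TLV_PORT_ID, TLV_NATIVE_VLAN = 0x0001, 0x0003, 0x000A

# Policy limits: assumptions chosen for this example, not CDP protocol constants.
MAX_STRING_TLV_VALUE = 128                 # longest Device ID / Port ID we are willing to accept
MAX_CDP_BODY_BYTES = 1500                  # budget a hardened daemon would refuse to allocate beyond
FIXED_TLV_LENGTHS = {TLV_NATIVE_VLAN: 6}   # type(2) + length(2) + vlan(2)


def build_cdp_frame(dst: bytes, tlvs) -> bytes:
    """Constructed sample frame: Ethernet 802.3 + LLC/SNAP + CDP v2 header + TLVs.
    The CDP checksum is left as zero; validate_cdp_frame does not verify it."""
    body = bytes([2, 180]) + b"\x00\x00"                  # version 2, TTL 180 s, checksum placeholder
    for ttype, value in tlvs:
        body += struct.pack("!HH", ttype, 4 + len(value)) + value
    payload = CDP_SNAP_HEADER + body
    src = bytes.fromhex("020000000001")                   # constructed, locally administered MAC
    return dst + src + struct.pack("!H", len(payload)) + payload


def validate_cdp_frame(frame: bytes) -> dict:
    """Return {'accepted': bool, 'findings': [str], 'tlvs': {type: value}} for one frame.
    Every declared length is checked against the bytes actually present before it is used."""
    findings, tlvs = [], {}
    min_len = 14 + len(CDP_SNAP_HEADER) + 4
    if len(frame) < min_len:
        return {"accepted": False, "findings": ["frame shorter than a minimal CDP frame"], "tlvs": tlvs}
    dst = frame[:6]
    if frame[14:14 + len(CDP_SNAP_HEADER)] != CDP_SNAP_HEADER:
        return {"accepted": False, "findings": ["not a CDP (SNAP 0x00000c / 0x2000) frame"], "tlvs": tlvs}
    # The check the IP phone implementation lacked: CDP is only legitimate on its multicast address.
    if dst != CDP_MULTICAST_MAC:
        findings.append(f"CDP frame to non-multicast destination {dst.hex(':')}")
    body = frame[14 + len(CDP_SNAP_HEADER):]
    if body[0] not in (1, 2):
        findings.append(f"unknown CDP version {body[0]}")
    # Bound the total work/allocation before walking TLVs (the DoS case).
    if len(body) > MAX_CDP_BODY_BYTES:
        findings.append(f"CDP body of {len(body)} bytes exceeds allocation budget")
    off = 4                                               # skip version, TTL, checksum
    while off < len(body):
        if len(body) - off < 4:
            findings.append(f"{len(body) - off} trailing byte(s) shorter than a TLV header")
            break
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        if tlen < 4:
            findings.append(f"TLV 0x{ttype:04x} length {tlen} smaller than its own header")
            break
        if off + tlen > len(body):
            # Declared length beyond the buffer: the condition behind the Port ID overflows.
            findings.append(f"TLV 0x{ttype:04x} length {tlen} exceeds remaining {len(body) - off} bytes")
            break
        value = body[off + 4:off + tlen]
        if ttype in (TLV_DEVICE_ID, TLV_PORT_ID) and len(value) > MAX_STRING_TLV_VALUE:
            findings.append(f"TLV 0x{ttype:04x} string of {len(value)} bytes over policy limit")
        if ttype in FIXED_TLV_LENGTHS and tlen != FIXED_TLV_LENGTHS[ttype]:
            findings.append(f"TLV 0x{ttype:04x} length {tlen}, expected {FIXED_TLV_LENGTHS[ttype]}")
        if ttype in tlvs:
            findings.append(f"duplicate TLV 0x{ttype:04x}")
        tlvs[ttype] = value
        off += tlen
    return {"accepted": not findings, "findings": findings, "tlvs": tlvs}


# Constructed sample frames (no real device data). "truncated_tlv" cuts the frame inside the
# Port ID value so the TLV header promises more bytes than were received.
NEIGHBOUR = [(TLV_DEVICE_ID, b"SEP000000000001"), (TLV_PORT_ID, b"Port 1"),
             (TLV_NATIVE_VLAN, struct.pack("!H", 10))]
SAMPLE_FRAMES = {
    "multicast_ok": build_cdp_frame(CDP_MULTICAST_MAC, NEIGHBOUR),
    "broadcast_dst": build_cdp_frame(BROADCAST_MAC, NEIGHBOUR),
    "truncated_tlv": build_cdp_frame(CDP_MULTICAST_MAC, NEIGHBOUR)[:-9],
    "long_port_id": build_cdp_frame(CDP_MULTICAST_MAC, [(TLV_PORT_ID, b"x" * 200)]),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        result = validate_cdp_frame(frame)
        print(f"{name:14s} accepted={result['accepted']} findings={result['findings']}")
```

Fed frames captured from a SPAN port or a passive tap, the same function doubles as a detection rule: any CDP frame whose destination is not 01:00:0c:cc:cc:cc, or whose TLV lengths do not fit the frame, is worth an alert regardless of whether the receiving device is patched.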