CDP has been in use since the 1990s and lets Cisco devices exchange information about each other via multicast frames that stay within the local network segment. CDP is not widely known and you rarely hear about it, because it operates only inside local networks and is barely supported by third-party manufacturers.
Four of the five vulnerabilities discovered by the researchers allow remote code execution, which would let an attacker completely take over Cisco devices running a vulnerable CDP implementation. The fifth can trigger a denial of service (DoS) and can be used to disrupt the normal operation of devices.
The researchers note that the code-execution bugs all stem from memory-unsafe parsing of CDP packets (heap and stack overflows and, in one case, a format string issue), and that they are practical to exploit, as the experts demonstrated with PoC exploits.
Perhaps the only good news is that the attacks cannot be carried out over the Internet: as mentioned above, CDP works only inside local networks, at the data link layer (layer 2), so CDP frames are not routed. To exploit these bugs, an attacker first has to get a foothold inside the company's network.
However, once attackers have gained that foothold, they can use CDP to broadcast specially crafted frames on the local segment and take control of vulnerable Cisco equipment. In that situation their main targets will be routers, switches and firewalls, whose compromise would have disastrous consequences for the company's entire infrastructure. Worse, these devices ship with CDP enabled by default.
CDP is also supported and enabled by default in other Cisco products, such as VoIP phones and IP cameras, and the CDPwn attacks work against them as well. Through CDP, attackers could infect phones and CCTV cameras with malware, steal data, and even eavesdrop on voice and video calls.
According to Armis, CDPwn affects all Cisco routers running IOS XR, all Nexus switches, Cisco Firepower firewalls, Cisco NCS systems, all Cisco 8000 series IP cameras, and Cisco 7800 and 8800 series VoIP phones (the full list of vulnerable devices is available in the Armis report).
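To make the attack surface concrete, here is an added example (written for this page, not code from Armis or Cisco) that builds CDP frames the way a sender on the local segment would and then audits them the way a careful receiver must. It shows the layer-2 framing (multicast MAC 01:00:0c:cc:cc:cc, LLC/SNAP with OUI 00:00:0c and protocol ID 0x2000) and the TLV body whose every length field is attacker-controlled. The sample frames, the source MAC, the 256-byte string limit and the message texts are constructed for the example; the checker does not verify the CDP checksum and is a detection aid, not a reproduction of any vulnerable Cisco code path.

```python
# CDP frame construction and defensive parsing (added example; constants and samples constructed here).
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")  # DSAP, SSAP, ctrl, OUI 00:00:0c, PID 0x2000

TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_SOFTWARE_VERSION, TLV_PLATFORM = 0x0005, 0x0006
STRING_TLVS = {TLV_DEVICE_ID, TLV_PORT_ID, TLV_SOFTWARE_VERSION, TLV_PLATFORM}
MAX_STRING_TLV = 256  # policy limit chosen for this checker, not a protocol constant


def build_tlv(tlv_type, value):
    # CDP TLV: 2-byte type, 2-byte length that counts the 4 header bytes, then the value.
    return struct.pack(">HH", tlv_type, 4 + len(value)) + value


def build_address_tlv(ipv4_addresses):
    # Addresses TLV: 4-byte entry count, then per entry: proto type, proto len,
    # proto (0xCC = IPv4 NLPID), 2-byte address length, address.
    body = struct.pack(">I", len(ipv4_addresses))
    for addr in ipv4_addresses:
        body += bytes([0x01, 0x01, 0xCC]) + struct.pack(">H", 4) + bytes(addr)
    return build_tlv(TLV_ADDRESSES, body)


def build_cdp_frame(src_mac, tlvs, ttl=180):
    # CDP header: version 2, TTL, 16-bit checksum (left zero; not verified by the auditor).
    cdp = bytes([0x02, ttl]) + b"\x00\x00" + b"".join(tlvs)
    payload = LLC_SNAP_CDP + cdp
    return CDP_MULTICAST_MAC + src_mac + struct.pack(">H", len(payload)) + payload


def _check_addresses(value):
    # Walk the entries and make sure the declared count is actually backed by bytes.
    if len(value) < 4:
        return ["Addresses TLV too short for its count field"]
    count = struct.unpack(">I", value[:4])[0]
    off, seen = 4, 0
    while seen < count:
        if len(value) - off < 2:
            return [f"Addresses TLV claims {count} entries but only {seen} fit"]
        off += 2 + value[off + 1]  # skip proto type, proto len and proto bytes
        if len(value) - off < 2:
            return [f"Addresses TLV claims {count} entries but only {seen} fit"]
        addr_len = struct.unpack(">H", value[off:off + 2])[0]
        off += 2 + addr_len
        if off > len(value):
            return [f"Addresses TLV entry {seen}: address length {addr_len} runs past TLV"]
        seen += 1
    return []


def audit_cdp_frame(frame):
    """Return (tlvs, findings): validated (type, value) pairs and the reasons to reject the frame."""
    findings = []
    if len(frame) < 14 or frame[:6] != CDP_MULTICAST_MAC:
        return [], ["not a CDP frame"]
    decl_len = struct.unpack(">H", frame[12:14])[0]
    body = frame[14:]
    if decl_len > len(body):  # never trust the 802.3 length over the bytes actually captured
        findings.append(f"802.3 length {decl_len} exceeds {len(body)} bytes present")
        decl_len = len(body)
    body = body[:decl_len]
    if body[:8] != LLC_SNAP_CDP:
        return [], ["not a CDP frame"]
    cdp = body[8:]
    if len(cdp) < 4:
        return [], ["truncated CDP header"]
    if cdp[0] not in (1, 2):
        findings.append(f"unknown CDP version {cdp[0]}")
    tlvs, off = [], 4
    while off < len(cdp):
        if len(cdp) - off < 4:
            findings.append(f"trailing {len(cdp) - off} byte(s) too short for a TLV header")
            break
        tlv_type, tlv_len = struct.unpack(">HH", cdp[off:off + 4])
        if tlv_len < 4:  # a length below 4 would make the remaining-length arithmetic go negative
            findings.append(f"TLV 0x{tlv_type:04x}: length {tlv_len} smaller than its own header")
            break
        if off + tlv_len > len(cdp):  # the classic over-read: length points past the packet
            findings.append(f"TLV 0x{tlv_type:04x}: declared length {tlv_len} runs past end of packet")
            break
        value = cdp[off + 4:off + tlv_len]
        if tlv_type in STRING_TLVS and len(value) > MAX_STRING_TLV:
            findings.append(f"TLV 0x{tlv_type:04x}: string of {len(value)} bytes exceeds {MAX_STRING_TLV}")
        elif tlv_type == TLV_ADDRESSES:
            findings.extend(_check_addresses(value))
        tlvs.append((tlv_type, value))
        off += tlv_len
    return tlvs, findings


# Constructed sample frames: one benign, two shaped like the input a fuzzer or attacker would send.
SRC = bytes.fromhex("001122334455")
BENIGN_FRAME = build_cdp_frame(SRC, [
    build_tlv(TLV_DEVICE_ID, b"core-sw1"),
    build_address_tlv([(10, 0, 0, 1)]),
    build_tlv(TLV_PORT_ID, b"GigabitEthernet1/0/1"),
])
OVERSIZED_DEVICE_ID = build_cdp_frame(SRC, [build_tlv(TLV_DEVICE_ID, b"A" * 1400)])
LYING_ADDRESS_COUNT = build_cdp_frame(SRC, [
    build_tlv(TLV_ADDRESSES, struct.pack(">I", 0xFFFFFFFF) + bytes.fromhex("0101cc00040a000001")),
])

if __name__ == "__main__":
    for name, frame in [("benign", BENIGN_FRAME), ("oversized", OVERSIZED_DEVICE_ID), ("lying", LYING_ADDRESS_COUNT)]:
        print(name, audit_cdp_frame(frame)[1])
```

The two hostile samples capture the shape of the bug class the article describes: a string TLV far longer than any real hostname, which a fixed-size destination buffer cannot hold, and a count field that promises more entries than the packet carries, which a parser that loops on the count alone will chase past the end of the buffer. A receiver that checks each length against the bytes actually present, as `audit_cdp_frame` does, rejects both before any copy happens.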
Cisco engineers have already released patches for all the identified issues. The complete list of CDPwn vulnerabilities:
- DoS vulnerability in Cisco FXOS, IOS XR and NX-OS (CVE-2020-3120);
- RCE bug in Cisco NX-OS (CVE-2020-3119);
- format string issue in Cisco IOS XR (CVE-2020-3118);
- RCE and DoS vulnerability in Cisco IP Phones (CVE-2020-3111);
- RCE and DoS vulnerability affecting Cisco 8000 Series IP Cameras (CVE-2020-3110).
If for some reason administrators cannot yet install the patches, the experts strongly recommend disabling CDP entirely, which prevents exploitation of the CDPwn vulnerabilities.
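What that mitigation looks like on the switch side, as an added example (not from the Armis report or Cisco's advisories): the interface name and the choice of which ports to cover are assumptions for illustration. On IOS and IOS XE, `no cdp run` turns CDP off globally and `no cdp enable` turns it off on a single interface; NX-OS uses `no cdp enable` both globally and per interface.

```text
! IOS / IOS XE: stop sending and processing CDP on every interface
configure terminal
 no cdp run
end

! ...or only on ports facing user or untrusted segments, keeping it elsewhere
configure terminal
 interface GigabitEthernet1/0/10
  no cdp enable
end

! Verify: with CDP off globally, IOS answers "CDP is not enabled"
show cdp
show cdp neighbors

! NX-OS equivalent (global, or under an interface)
configure terminal
 no cdp enable
end
```

Two caveats before rolling this out. Cisco IP phones rely on CDP from the access switch to learn the voice VLAN and to negotiate PoE power, so switching CDP off on phone-facing ports can take phones down unless LLDP-MED is configured to provide the same information. And the syntax differs on the other affected platforms (IOS XR, the phones and the cameras themselves), so check each product's own documentation rather than assuming the commands above carry over.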