Cisco Fixes 5 Vulnerabilities in Cisco Discovery Protocol

Cisco has fixed five vulnerabilities in Cisco Discovery Protocol (CDP) that could allow remote attackers to take control of many of its network products without any user interaction.

Cisco has released a range of fixes for five vulnerabilities affecting a multitude of its network products, from switches and routers to webcams and office VoIP phones. The vulnerabilities, which lie in the implementation of the Cisco Discovery Protocol (CDP), could allow remote attackers to take control of the vendor's products without any user interaction. “Even if no public exploitation of these flaws has been reported, an attacker can send a malicious CDP packet to a target device located inside the network to exploit the vulnerability,” said the firm. As the equipment manufacturer also explained, the Layer 2 CDP protocol run by its equipment allows network applications to learn about directly connected devices nearby. “It helps manage Cisco devices by discovering the devices on the network, determining how they are configured, and letting systems that use different network layer protocols get to know each other,” added the company.

These 5 vulnerabilities, revealed by Armis Security and dubbed CDPwn, are important, “because Layer 2 protocols are used by all networks,” Armis wrote in a blog post dealing with these problems. The security firm also notes that “there is little research on the attack surface offered by the Layer 2 protocols, while they are at the basis of network segmentation which is used to improve performance of the network, but also to ensure security”. Unfortunately, as this research points out, “the network infrastructure itself is threatened and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy,” wrote Armis.

Cisco rates the severity of the CDP vulnerabilities as “high”. They expose devices to the following specific risks:

A CDP vulnerability affecting IP phones could allow an adjacent unauthenticated attacker to execute code remotely with root privileges or to cause the affected IP phone to reload. Several IP conference phones from the 6xxx to 8xxx series are affected, as well as the Wireless IP Phone 8821 and 8821-EX.

A CDP vulnerability in the NX-OS software could allow an attacker to trigger a stack overflow and execute arbitrary code with administrator privileges on an affected device. Affected are Nexus 3000, 5500, 5600, 6000 and 9000 series switches.

A CDP vulnerability in Video Surveillance 8000 Series IP Cameras could allow an attacker to execute code remotely on the affected IP camera or to cause an unexpected reload, which would lead to a denial of service (DoS). “This vulnerability affects Video Surveillance 8000 Series IP cameras with Discovery Protocol enabled when they run a firmware version earlier than version 1.0.7,” said Cisco.

A CDP vulnerability in the IOS XR software could allow an attacker to trigger a stack overflow and then execute arbitrary code with administrator privileges on an affected device. Affected are the ASR 9000 Series Aggregation Services Routers, the IOS XRv 9000 Router, and the Network Convergence System (NCS) Routers of the 540, 560, 1000, 5000 and 6000 Series. Cisco also clarified that this vulnerability affects third-party white-box routers if CDP is enabled globally and on at least one interface and if they are running an unpatched version of Cisco IOS XR software.

A CDP vulnerability in FXOS, IOS XR and NX-OS software could allow an adjacent unauthenticated attacker to exhaust system memory, causing the device to reload. Many Cisco devices are affected, from the ASR 9000 Series Aggregation Services Router and NCS Series routers to Nexus family and UCS Series routers.
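The IOS XR exposure condition quoted above (CDP enabled globally and on at least one interface) can be checked against saved running-configs. The following is an added example, not Cisco's or Armis's code; it assumes IOS XR-style syntax in which a bare top-level `cdp` line enables the protocol globally and a bare `cdp` line inside an interface stanza enables it on that interface, and the sample config is constructed.

```python
import re

# Constructed sample in IOS XR running-config style (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
cdp
interface MgmtEth0/RP0/CPU0/0
 ipv4 address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/0/0/0
 description uplink
 cdp
!
interface GigabitEthernet0/0/0/1
 description customer port
!
"""

def cdp_exposure(config_text):
    """Return (global_enabled, [interfaces with CDP]) for one running-config."""
    global_enabled = False
    cdp_interfaces = []
    current_if = None  # name of the interface stanza being read, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        token = line.strip()
        if not line[0].isspace():
            # Top-level line: it either opens an interface stanza or closes one.
            m = re.match(r"interface\s+(\S+)$", token)
            current_if = m.group(1) if m else None
            if token == "cdp":  # assumption: bare 'cdp' enables it globally
                global_enabled = True
        elif current_if and token == "cdp":
            # Indented bare 'cdp' inside a stanza: enabled on this interface.
            cdp_interfaces.append(current_if)
    return global_enabled, cdp_interfaces

def is_exposed(config_text):
    """The article's condition: CDP on globally AND on at least one interface."""
    global_enabled, ifaces = cdp_exposure(config_text)
    return global_enabled and len(ifaces) > 0

if __name__ == "__main__":
    print(cdp_exposure(SAMPLE_CONFIG), is_exposed(SAMPLE_CONFIG))
```

A device flagged here still needs its software version compared with the fixed releases in Cisco's advisory; the interfaces listed are the ones to review first if CDP is not needed on them.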

The bugs were discovered by Armis in August of last year. The security company has since worked with Cisco to develop patches. These are available for free.
