Several families of Cisco network devices have been found vulnerable to five new security vulnerabilities that could allow attackers to take complete control of them and, subsequently, of the enterprise networks they power.
Four of the five high-severity bugs are remote code execution issues affecting Cisco switches (NX-OS), routers (IOS XR), IP phones and IP cameras, while the fifth is a denial-of-service issue affecting the FXOS, IOS XR and NX-OS software that runs Cisco firewalls, routers and switches.
Collectively dubbed ‘CDPwn,’ the reported vulnerabilities reside in the various implementations of the Cisco Discovery Protocol (CDP), which comes enabled by default on virtually all Cisco devices. CDP can be disabled (on IOS and NX-OS, globally with "no cdp run" or per interface with "no cdp enable"), but doing so breaks features that depend on it, such as voice-VLAN assignment and power negotiation for Cisco IP phones, so it is left running on most networks.
Cisco Discovery Protocol (CDP) is a proprietary administrative protocol that works at Layer 2 (the data link layer): its messages are carried directly in Ethernet frames, sent to the multicast MAC address 01:00:0c:cc:cc:cc with SNAP encapsulation, rather than over IP. It lets a device discover information about directly attached Cisco equipment, such as the neighbor's hostname, platform, software version, port ID, IP addresses and VLAN settings.
According to a report the Armis research team shared with The Hacker News, the underlying CDP implementations contain buffer overflow and format string vulnerabilities that could let an unauthenticated attacker on the same network execute arbitrary code on the vulnerable devices by sending malformed CDP packets.
The list of CDPwn Cisco vulnerabilities, affecting tens of millions of devices widely deployed in enterprise networks, is as follows:
- Cisco NX-OS Stack Overflow in the Power Request TLV (CVE-2020-3119)
- Cisco IOS XR Format String vulnerability in multiple TLVs (CVE-2020-3118)
- Cisco IP Phones Stack Overflow in PortID TLV (CVE-2020-3111)
- Cisco IP Cameras Heap Overflow in DeviceID TLV (CVE-2020-3110)
- Cisco FXOS, IOS XR, and NX-OS Resource Exhaustion in the Addresses TLV (CVE-2020-3120)
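To make the bug classes in the list above concrete, here is a small CDP TLV parser in C. It is an example added for this page, not code from Cisco or from the Armis report, and it does not reproduce the actual Cisco parsers or the precise mechanics of any of the CVEs. It follows the public CDP layout (a 4-byte version/TTL/checksum header, then type-length-value records whose 2-byte length includes the 4-byte TLV header), places the unchecked copy pattern behind the DeviceID and PortID overflows beside a bounds-checked version, and refuses an Addresses TLV whose entry count is not backed by bytes, which is the kind of trust in a count field that leads to resource exhaustion. The 64-byte buffer size, the cap of 16 address entries and all sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CDP_TLV_DEVICE_ID 0x0001  /* TLV types from the public CDP layout */
#define CDP_TLV_ADDRESSES 0x0002
#define CDP_TLV_PORT_ID   0x0003
#define CDP_HDR_LEN       4       /* version(1) ttl(1) checksum(2) */
#define CDP_TLV_HDR_LEN   4       /* type(2) length(2); length includes these 4 bytes */
#define NAME_MAX          64      /* hypothetical size of the fixed destination buffer */
#define MAX_ADDRS         16      /* hypothetical cap on address entries accepted */

enum cdp_status {
    CDP_OK = 0,
    CDP_ERR_SHORT,      /* fewer bytes than the fixed header needs */
    CDP_ERR_TLV_LEN,    /* TLV length < 4 or running past the packet */
    CDP_ERR_TOO_LONG,   /* string TLV would not fit NAME_MAX */
    CDP_ERR_ADDR_COUNT  /* Addresses count not backed by bytes, or over the cap */
};
struct cdp_info {
    uint8_t version, ttl;
    char device_id[NAME_MAX], port_id[NAME_MAX];
    uint32_t addr_count;
    unsigned tlv_count;
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* The bug class behind the DeviceID/PortID overflows: the attacker-controlled TLV
 * length drives the copy into a fixed buffer. Shown for contrast only; never called. */
void copy_string_tlv_unchecked(char dst[NAME_MAX], const uint8_t *val, size_t vlen) {
    memcpy(dst, val, vlen);  /* writes past dst whenever vlen >= NAME_MAX */
    dst[vlen] = '\0';
}
/* Hardened form: refuse a value that does not fit instead of truncating silently. */
static enum cdp_status copy_string_tlv(char dst[NAME_MAX], const uint8_t *val, size_t vlen) {
    if (vlen >= NAME_MAX) return CDP_ERR_TOO_LONG;
    memcpy(dst, val, vlen);
    dst[vlen] = '\0';
    return CDP_OK;
}

/* Parse a CDP payload (the bytes after the SNAP header). Every length or count field is
 * checked against what remains before anything is sized or copied from it. The checksum in
 * pkt[2..3] is skipped: a correct checksum says nothing about whether the TLVs are sane. */
enum cdp_status cdp_parse(const uint8_t *pkt, size_t len, struct cdp_info *out) {
    memset(out, 0, sizeof *out);
    if (len < CDP_HDR_LEN) return CDP_ERR_SHORT;
    out->version = pkt[0]; out->ttl = pkt[1];
    for (size_t off = CDP_HDR_LEN; off < len; ) {
        if (len - off < CDP_TLV_HDR_LEN) return CDP_ERR_TLV_LEN;
        uint16_t type = be16(pkt + off), tlen = be16(pkt + off + 2);
        /* < 4 would stall or underflow the walk; > remaining would read past the frame */
        if (tlen < CDP_TLV_HDR_LEN || tlen > len - off) return CDP_ERR_TLV_LEN;
        const uint8_t *val = pkt + off + CDP_TLV_HDR_LEN; size_t vlen = tlen - CDP_TLV_HDR_LEN;
        enum cdp_status st = CDP_OK;
        switch (type) {
        case CDP_TLV_DEVICE_ID: st = copy_string_tlv(out->device_id, val, vlen); break;
        case CDP_TLV_PORT_ID:   st = copy_string_tlv(out->port_id, val, vlen);   break;
        case CDP_TLV_ADDRESSES: {
            /* value = 4-byte entry count, then entries of at least 4 bytes each (protocol type,
             * protocol length, 2-byte address length); refuse a count the bytes cannot back */
            if (vlen < 4) return CDP_ERR_TLV_LEN;
            uint32_t n = be32(val);
            if (n > MAX_ADDRS || (uint64_t)n * 4 > vlen - 4) return CDP_ERR_ADDR_COUNT;
            out->addr_count = n;
            break;
        }
        default: break;  /* unknown TLV types are skipped by their length */
        }
        if (st != CDP_OK) return st;
        out->tlv_count++; off += tlen;
    }
    return CDP_OK;
}

/* Constructed samples (not captured traffic). Good: CDPv2, TTL 180, DeviceID "SW1",
 * PortID "Gi0/1", one IPv4 address entry (192.168.1.1); checksum left zero. */
const uint8_t cdp_sample_good[] = {
    0x02, 0xb4, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x07, 'S', 'W', '1',
    0x00, 0x03, 0x00, 0x09, 'G', 'i', '0', '/', '1',
    0x00, 0x02, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0xcc, 0x00, 0x04, 0xc0, 0xa8, 0x01, 0x01,
};
/* Addresses TLV claiming 0xFFFFFFFF entries with no bytes behind them. */
const uint8_t cdp_sample_bad_count[] = { 0x02, 0xb4, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0xff, 0xff, 0xff, 0xff };
/* PortID TLV whose 68-byte value would overrun a 64-byte buffer. */
#define A8 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'
const uint8_t cdp_sample_long_port[] = {
    0x02, 0xb4, 0x00, 0x00, 0x00, 0x03, 0x00, 0x48, A8, A8, A8, A8, A8, A8, A8, A8, 'A', 'A', 'A', 'A',
};

int main(void) {
    struct cdp_info info;
    int st = cdp_parse(cdp_sample_good, sizeof cdp_sample_good, &info);
    printf("good: status %d device=%s port=%s addrs=%u\n", st, info.device_id, info.port_id, (unsigned)info.addr_count);
    printf("bogus count: %d, oversized PortID: %d\n", cdp_parse(cdp_sample_bad_count, sizeof cdp_sample_bad_count, &info),
           cdp_parse(cdp_sample_long_port, sizeof cdp_sample_long_port, &info));
    return 0;
}
```

Compile with any C99 compiler and run: the good sample parses, while the oversized PortID and the bogus address count are rejected before any copy or loop is sized from them. The same checks are a reasonable starting point for a detection rule, since a Layer 2 sniffer on a Cisco segment sees these payloads in frames addressed to the CDP multicast MAC 01:00:0c:cc:cc:cc. The format string class from the list is not shown here; its fix is the usual one of never passing TLV bytes as a format argument.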
Note that, since CDP is a Layer 2 (data link) protocol whose frames are not routed beyond the local segment, an attacker must already have a foothold on the same Layer 2 network as the target, for example a compromised host or physical access to a switch port, before the CDPwn vulnerabilities can be leveraged.