Recently, multiple vulnerabilities were observed in Feb,2020 on Cisco’s various devices identified by researcher Barak Hadad of Armis. Out of which few were RCE, among which CVE-2020-3119 is one where an unauthenticated, adjacent attacker can arbitrary code execution.
Cisco switches, IP phones, routers and cameras information can be observed using this problematic protocol known as Cisco Discovery Protocol (CDP), a Layer 2 network protocol. A well manipulated CDP packet to the victim device can leverage this vulnerability. To identify sensitive information, nefarious actors over the wild would try to exploit Cisco’s IP phones and cameras. As it is a protocol level exploit, an individual with good knowledge about CDP can target all devices especially IP phones altogether at once.
Cisco adds “an attacker must be in the same broadcast domain as the affected device“.
In first week of February,’20, total five Cisco vulnerabilities, dubbed collectively as CDPwn, have been confirmed out of them four are RCEs namely:
CVE-2020-3110: heap overflow to RCE in IP cameras
CVE-2020-3111: stack overflow RCE/DoS in VoIP
CVE-2020-3118: format string vuln to RCE in IOS-XR
CVE-2020-3119: stack overflow RCE in NX-OS
CVE-2020-3120: DoS in FXOS/IOS XR/NX-OS
Cisco NX-OS Power over Ethernet (PoE) negotiation CDP packet parsing is a stack overflow vulnerability. One can gain full control over the switch , once successfully exploited, and allowing an attacker to hop between VLANs.
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
Nexus 9000 Series Switches in standalone NX-OS mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Cisco recommends, “immediately update their software with the updates that Cisco has provided, enterprises should assume that all impacted devices are exposed to attack.”
Cisco has also confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software.
Note: Cisco Discovery Protocol is enabled on these products by default both globally and on all interfaces.
Administrators can determine whether Cisco Discovery Protocol is enabled on a device by using the
show running-config cdp all | include “cdp enable”
command in the device CLI. If the command returns at least the following lines, Cisco Discovery Protocol is enabled globally and on at least one interface:
nxos# show running-config cdp all | include “cdp enable”
To disable Cisco Discovery Protocol on an interface on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in interface configuration mode, as shown in the following example:
nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# interface Ethernet1/1
nxos(config-if)# no cdp enable
nxos# copy running-config startup-config
Qualys customers can scan their network with QID(s)#316558 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.
References & Sources: