Summary:
A stack-based buffer overflow leading to remote code execution (CVE-2020-3119, one of the CDPwn vulnerabilities reported by Armis) exists in the Cisco Discovery Protocol (CDP) implementation of Cisco NX-OS Software. The vulnerable code is in the cdpd_poe_handle_pwr_tlvs function, which handles the Power Request TLV. Because CDP is a link-local protocol that is processed without authentication, an unauthenticated attacker adjacent at Layer 2 can trigger the overflow with a single crafted CDP frame.
Description:
The Power Request TLV is a CDP TLV used to negotiate Power-over-Ethernet parameters. Its value holds a Request-ID, a Management-ID and a list of requested power levels. The number of entries is derived from the 16-bit TLV length with no upper bound, and the entries are then copied into a fixed-size array on the stack (v41 below) and, at a fixed offset, into the structure pointed to by a1. Both copies run past their buffer once the list holds more entries than the stack array does.
A crafted CDP frame whose Power Request TLV carries more than 16 power levels is enough to trigger the overflow.
The vulnerable loop in cdpd_poe_handle_pwr_tlvs, as decompiled, is as follows (the sdwrap/buginf calls are debug and history tracing and are not part of the bug):
___________________________________________________________________________
if ( (signed int)v28 > 0 )                        // v28: number of power levels, derived from the 16-bit TLV length; never bounded
{
  v35 = (int *)(a3 + 4);                          // a3 -> TLV value; skip Request-ID and Management-ID to the first 32-bit level
  v9 = 1;
  do
  {
    v37 = v9 - 1;
    v41[v9 - 1] = *v35;                           // copy into the fixed-size stack array v41; writes past its end once v9 > 16
    *(&v40 + v9) = _byteswap_ulong(*(&v40 + v9)); // same slot addressed via v40 (v41 sits right after v40); network to host byte order
    if ( !sdwrap_hist_event_subtype_check(7536640, 104) )   // history/debug tracing only
    {
      *(_DWORD *)v38 = 104;
      snprintf(&s, 0x200u, "pwr_levels_requested[%d] = %d\n", v37, *(&v40 + v9));
      sdwrap_hist_event(7536640, strlen(&s) + 5, v38);
    }
    if ( sdwrap_chk_int_all(104, 0, 0, 0, 0) )
    {
      v24 = *(&v40 + v9);
      buginf_ftrace(1, &sdwrap_dbg_modname, 0, "pwr_levels_requested[%d] = %d\n");
    }
    snprintf(v38, 0x3FCu, "1111 pwr_levels_requested[%d] = %d\n", v37, *(&v40 + v9), v24);
    sdwrap_his_log_event_for_uuid_inst(124, 7536640, 1, 0, strlen(v38) + 1, v38);
    *(_DWORD *)(a1 + 4 * v9 + 1240) = *(&v40 + v9);   // second unbounded write: fixed offset into the structure at a1
    ++v35;
    ++v9;
  }
  while ( v9 != v28 + 1 );                        // runs v28 times, however large the attacker made v28
}
___________________________________________________________________________
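As an added example, not Cisco's code and not taken from the page's sources, the C program below handles the Power Request TLV two ways: a function that derives the entry count the way the decompiled loop does, from the declared 16-bit length with no bound, and a hardened parser that rejects a TLV that does not fit the frame, is not a whole number of entries, or carries more than 16 levels. It also walks a complete CDP payload and reports the largest Power Request entry count seen, which is the check a defender would run over captured CDP frames. The wire layout (CDP header, TLV type/length/value with the length counting the 4-byte header, Request-ID and Management-ID ahead of the level list), the 16-entry array size, the constructed test frame and all function names are assumptions made for this example.

```c
/*
 * Added illustration, not Cisco's code. Unbounded entry count as the decompiled
 * loop derives it, next to a bounded parser for the Power Request TLV (0x0019),
 * plus a walker that flags oversized TLVs in captured CDP payloads.
 * Assumed wire layout: CDP header version(1) TTL(1) checksum(2); TLVs of
 * type(2) length(2) value; Power Request value = Request-ID(2) Management-ID(2)
 * then N big-endian 32-bit power levels in milliwatts.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDP_TLV_POWER_REQUEST 0x0019
#define MAX_PWR_LEVELS        16   /* size of the fixed stack array (v41 on the page), assumed */
#define PWR_TLV_FIXED         8    /* TLV header (4) + Request-ID (2) + Management-ID (2) */

enum pwr_status { PWR_OK, PWR_NOT_POWER_TLV, PWR_TRUNCATED, PWR_BAD_LENGTH, PWR_TOO_MANY_LEVELS };

struct pwr_request {
    uint16_t request_id, management_id;
    uint32_t levels[MAX_PWR_LEVELS];
    size_t   nlevels;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Vulnerable pattern (assumed to be how v28 is derived): the entry count comes only
 * from the declared 16-bit length, so 0xFFFF means ~16k entries for a 16-entry array.
 * Returned rather than acted on, because performing the copy is the overflow itself. */
static int vulnerable_level_count(uint16_t tlv_len)
{
    return ((int)tlv_len - PWR_TLV_FIXED) / 4;
}

/* Hardened parse of one TLV at `tlv` with `avail` bytes left in the frame. */
static enum pwr_status parse_power_request(const uint8_t *tlv, size_t avail, struct pwr_request *out)
{
    if (avail < 4) return PWR_TRUNCATED;
    uint16_t type = be16(tlv), len = be16(tlv + 2);
    if (type != CDP_TLV_POWER_REQUEST) return PWR_NOT_POWER_TLV;
    if (len > avail) return PWR_TRUNCATED;                                    /* must fit the frame */
    if (len < PWR_TLV_FIXED || (len - PWR_TLV_FIXED) % 4) return PWR_BAD_LENGTH; /* whole entries only */
    size_t n = (len - PWR_TLV_FIXED) / 4;
    if (n > MAX_PWR_LEVELS) return PWR_TOO_MANY_LEVELS;                       /* the bound the loop lacks */
    out->request_id = be16(tlv + 4); out->management_id = be16(tlv + 6);
    out->nlevels = n;
    for (size_t i = 0; i < n; i++)
        out->levels[i] = be32(tlv + PWR_TLV_FIXED + 4 * i);                   /* what _byteswap_ulong did */
    return PWR_OK;
}

/* Detection check over a whole CDP payload: largest Power Request entry count seen,
 * or -1 if the TLV framing is broken. Anything above MAX_PWR_LEVELS is a trigger. */
static int max_power_levels_in_frame(const uint8_t *cdp, size_t len)
{
    if (len < 4) return -1;
    int worst = 0; size_t off = 4;
    while (off + 4 <= len) {
        uint16_t type = be16(cdp + off), tlen = be16(cdp + off + 2);
        if (tlen < 4 || off + tlen > len) return -1;                          /* bad framing */
        if (type == CDP_TLV_POWER_REQUEST && vulnerable_level_count(tlen) > worst)
            worst = vulnerable_level_count(tlen);
        off += tlen;
    }
    return worst;
}

/* Constructed frame (not captured traffic): CDP v2 header with checksum left 0, a
 * Device-ID TLV "sw1", then a Power Request TLV with `nlevels` entries of 13000+1000*i mW.
 * The Power Request TLV starts at offset 11. Returns bytes written, 0 if `cap` is too small. */
static size_t build_cdp_frame(uint8_t *buf, size_t cap, size_t nlevels)
{
    static const uint8_t head[] = { 0x02, 0xb4, 0x00, 0x00, 0x00, 0x01, 0x00, 0x07, 's', 'w', '1' };
    size_t need = sizeof head + PWR_TLV_FIXED + 4 * nlevels;
    if (need > cap || need - sizeof head > 0xFFFF) return 0;
    uint16_t tlen = (uint16_t)(need - sizeof head);
    uint8_t fixed[] = { 0x00, 0x19, (uint8_t)(tlen >> 8), (uint8_t)tlen, 0x00, 0x01, 0x00, 0x01 };
    memcpy(buf, head, sizeof head);
    memcpy(buf + sizeof head, fixed, sizeof fixed);
    uint8_t *p = buf + sizeof head + sizeof fixed;
    for (size_t i = 0; i < nlevels; i++, p += 4) {
        uint32_t mw = 13000 + 1000 * (uint32_t)i;
        p[0] = (uint8_t)(mw >> 24); p[1] = (uint8_t)(mw >> 16); p[2] = (uint8_t)(mw >> 8); p[3] = (uint8_t)mw;
    }
    return need;
}

/* Helpers: the hardened parser's verdict and the detector's count for a frame with `nlevels` entries. */
static enum pwr_status verdict_for(size_t nlevels)
{
    uint8_t frame[512]; struct pwr_request req;
    size_t n = build_cdp_frame(frame, sizeof frame, nlevels);
    return n ? parse_power_request(frame + 11, n - 11, &req) : PWR_TRUNCATED;
}
static int detected_levels(size_t nlevels)
{
    uint8_t frame[512]; size_t n = build_cdp_frame(frame, sizeof frame, nlevels);
    return n ? max_power_levels_in_frame(frame, n) : -1;
}

int main(void)
{
    printf("2 levels:  verdict=%d detector=%d\n", verdict_for(2), detected_levels(2));
    printf("17 levels: verdict=%d detector=%d (copy count %d into %d slots)\n", verdict_for(17),
           detected_levels(17), vulnerable_level_count(PWR_TLV_FIXED + 4 * 17), MAX_PWR_LEVELS);
    return 0;
}
```

Compile with `cc -std=c99` and run: the 2-level frame parses cleanly (verdict 0, detector 2) while the 17-level frame is rejected (verdict 4) and reported with a copy count of 17 against 16 slots. The same TLV walk can be dropped into a capture tool to alert on CDP frames whose Power Request TLV exceeds 16 entries, which is a useful compensating detection on segments where CDP cannot be disabled.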
Affected Products:
Cisco NX-OS Software
- Nexus 3000 Series Switches
- Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
- Nexus 9000 Series Switches in standalone NX-OS mode
Advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
Mitigation:
The primary workaround, per the advisory, is to disable Cisco Discovery Protocol on affected NX-OS devices until fixed software is installed. A device that does not process CDP never reaches the vulnerable handler. The trade-off is the loss of CDP-based neighbor discovery and of PoE negotiation with attached Cisco devices such as IP phones, so check for such dependencies before disabling CDP on an interface.
To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in global configuration mode, as shown in the following example (confirm afterwards with show cdp global):
___________________________________________________________________________
nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# no cdp enable
nxos(config)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.
___________________________________________________________________________
Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol on an interface on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in interface configuration mode, as shown in the following example:
___________________________________________________________________________
nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# interface Ethernet1/1
nxos(config-if)# no cdp enable
nxos(config-if)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.
___________________________________________________________________________
Qualys customers can scan their network with QID 316558 to detect vulnerable assets. Continue to follow Qualys Threat Protection for more coverage of vulnerabilities.
References & Sources:
- https://medium.com/@knownsec404team/cve-2020-3119-cisco-cdp-stack-overflow-analysis-94222797f416
- https://www.armis.com/cdpwn/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce