Cisco NX-OS CDP Stack Overflow Remote Code Execution Vulnerability(cisco-sa-20200205-nxos-cdp-rce,CVE-2020-3119)

Summary:

A stack overflow vulnerability that leads to remote code execution was observed in Cisco NX-OS software and products. The vulnerability exists in the cdpd_poe_handle_pwr_tlvs function.

Description:

The Power Request TLV is a CDP TLV used to negotiate Power-over-Ethernet parameters; it carries a list of requested power specifications. The 16-bit list length is not validated correctly before it is used to copy the list into a fixed-size buffer on the stack and to a fixed offset from an additional pointer (a1).

An attacker can exploit this vulnerability using a CDP packet with more than 16 power levels.

The vulnerability exists in the cdpd_poe_handle_pwr_tlvs function. The relevant decompiled code is as follows:

___________________________________________________________________________

if ( (signed int)v28 > 0 )            // v28: power-level count taken from the TLV, never bounded
      {
        v35 = (int *)(a3 + 4);        // a3: TLV value; the level list starts 4 bytes in
        v9 = 1;
        do
        {
          v37 = v9 - 1;
          v41[v9 - 1] = *v35;         // copy into the fixed-size stack array v41
          *(&v40 + v9) = _byteswap_ulong(*(&v40 + v9));
          if ( !sdwrap_hist_event_subtype_check(7536640, 104) )
          {
            *(_DWORD *)v38 = 104;
            snprintf(&s, 0x200u, "pwr_levels_requested[%d] = %d\n", v37, *(&v40 + v9));
            sdwrap_hist_event(7536640, strlen(&s) + 5, v38);
          }
          if ( sdwrap_chk_int_all(104, 0, 0, 0, 0) )
          {
            v24 = *(&v40 + v9);
            buginf_ftrace(1, &sdwrap_dbg_modname, 0, "pwr_levels_requested[%d] = %d\n");
          }
          snprintf(v38, 0x3FCu, "1111 pwr_levels_requested[%d] = %d\n", v37, *(&v40 + v9), v24);
          sdwrap_his_log_event_for_uuid_inst(124, 7536640, 1, 0, strlen(v38) + 1, v38);
          *(_DWORD *)(a1 + 4 * v9 + 1240) = *(&v40 + v9);   // second write at a fixed offset from a1
          ++v35;
          ++v9;
        }
        while ( v9 != v28 + 1 );      // iterates v28 times regardless of the destination size
      }

___________________________________________________________________________
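As an added example (not code from the advisory or from Cisco), a hardened parser for the Power Request TLV in C: it derives the level count from the TLV's 16-bit length, checks that length against the bytes actually present in the frame, and rejects any count above the 16-entry destination before copying. The TLV value layout (Request-ID, Management-ID, then big-endian 32-bit levels), the TLV type 0x19 and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical hardened parser for the CDP Power Request TLV. Assumed value
 * layout: Request-ID(2), Management-ID(2), then N big-endian 32-bit levels. */
#define CDP_MAX_PWR_LEVELS 16 /* fixed-size destination, as in the decompiled code */
#define CDP_PWR_HDR_LEN    4  /* Request-ID + Management-ID */
struct cdp_pwr_request {
    uint16_t request_id, mgmt_id;
    uint32_t levels[CDP_MAX_PWR_LEVELS];
    size_t   num_levels;
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* tlv points at the TLV type field, avail is the bytes left in the frame.
 * Returns 0 on success, -1 on any length or count inconsistency. */
int cdp_parse_pwr_request(const uint8_t *tlv, size_t avail, struct cdp_pwr_request *out)
{
    if (avail < 4) return -1;                        /* no room for type + length */
    size_t decl = rd16(tlv + 2);                     /* 16-bit length incl. 4-byte header */
    if (decl > avail || decl < 4 + CDP_PWR_HDR_LEN) return -1;
    size_t list_bytes = decl - 4 - CDP_PWR_HDR_LEN;
    if (list_bytes % 4) return -1;                   /* whole 32-bit entries only */
    size_t n = list_bytes / 4;
    if (n > CDP_MAX_PWR_LEVELS) return -1;           /* the bound the original lacked */
    const uint8_t *val = tlv + 4;
    out->request_id = rd16(val);
    out->mgmt_id    = rd16(val + 2);
    for (size_t i = 0; i < n; i++)                   /* network to host byte order */
        out->levels[i] = rd32(val + CDP_PWR_HDR_LEN + 4 * i);
    out->num_levels = n;
    return 0;
}
/* Build a constructed Power Request TLV with n levels (level i = 1000*(i+1) mW)
 * into buf. Returns bytes written, or 0 if buf is too small. Type 0x19 assumed. */
size_t build_pwr_request(uint8_t *buf, size_t cap, size_t n)
{
    size_t len = 4 + CDP_PWR_HDR_LEN + 4 * n;
    if (len > cap || len > 0xFFFF) return 0;
    buf[0] = 0x00; buf[1] = 0x19; buf[2] = (uint8_t)(len >> 8); buf[3] = (uint8_t)len;
    buf[4] = buf[5] = buf[6] = buf[7] = 0;           /* request / management id */
    for (size_t i = 0; i < n; i++) {
        uint32_t mw = 1000u * (uint32_t)(i + 1);
        uint8_t *p = buf + 4 + CDP_PWR_HDR_LEN + 4 * i;
        p[0] = (uint8_t)(mw >> 24); p[1] = (uint8_t)(mw >> 16);
        p[2] = (uint8_t)(mw >> 8);  p[3] = (uint8_t)mw;
    }
    return len;
}
```

A well-formed 3-level TLV parses and byte-swaps correctly, while a 17-level TLV and a TLV whose declared length exceeds the remaining frame are both rejected before any copy.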

Affected Products:

Cisco NX-OS Software

  • Nexus 3000 Series Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • Nexus 9000 Series Switches in standalone NX-OS mode

Advisory:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce

Mitigation:

The primary workaround, as given in the advisory, is to disable CDP on vulnerable Cisco NX-OS products.

To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in global configuration mode, as shown in the following example:

___________________________________________________________________________

nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# no cdp enable
nxos(config)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.

___________________________________________________________________________

Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches That Are Running Cisco NX-OS Software

To disable Cisco Discovery Protocol on an interface on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in interface configuration mode, as shown in the following example:

___________________________________________________________________________

nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# interface Ethernet1/1
nxos(config-if)# no cdp enable
nxos(config-if)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.

___________________________________________________________________________

Qualys customers can scan their network with QID 316558 to detect vulnerable assets. Continue to follow Qualys Threat Protection for more coverage of vulnerabilities.

References & Sources:

  • https://medium.com/@knownsec404team/cve-2020-3119-cisco-cdp-stack-overflow-analysis-94222797f416
  • https://www.armis.com/cdpwn/
  • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
