Cisco has released patches for several remote code-execution and denial-of-service vulnerabilities that affect a long list of its routers, switches, and IP-connected phones. The vulnerabilities all lie in the Cisco Discovery Protocol (CDP), a proprietary Layer 2 protocol which is enabled by default on many Cisco devices.
There are five vulnerabilities in all, four of which can lead to remote code execution, but in order to exploit any of the bugs, an attacker would need to be on the same broadcast domain as the target device. CDP-enabled devices use the protocol to collect information about other devices on the network, and CDP is enabled in nearly all of Cisco’s network devices. Among the affected devices are some Network Convergence System (NCS) routers, some versions of Nexus switches, the Carrier Routing System router, several models of the Cisco IP Phone, and Cisco Video Surveillance cameras.
Researchers at security firm Armis discovered the vulnerabilities in CDP and disclosed them to Cisco in August. Cisco issued patches for the flaws, dubbed CDPwn, on Wednesday.
The vulnerabilities affect various versions of the Cisco IOS XR and NX-OS software platforms, as well as some Cisco IP phones and cameras. An attacker who exploited one of the remote code execution flaws could take control of a target device and perhaps gain access to other devices on the network. The attacker could break network segmentation or steal sensitive data from a vulnerable device.
“One way to break out of segmentation is to target the network-appliance (the switch) to which the attacker is connected. The attack surface that is enabled by default in network switches, on all segments served by it, is the Layer-2 protocols used for the operation of the switch itself—and CDP is one of these protocols,” Armis said in its explanation of the vulnerabilities.
“Gaining control over the switch is useful in other ways. For example, the switch is in a prime position to eavesdrop on network traffic that traverses through the switch, and it can even be used to launch man-in-the-middle attacks on the traffic of devices that traverses through the switch. Additionally, a switch is the ultimate hiding position for an attacker - it is a relatively unsecured device that doesn’t allow any security agent on it, and an attacker has the ability to launch attacks from it to the devices in the network. An attacker could also hide the malicious traffic he generated from any other network taps that are there to inspect traffic.”
In another scenario, an attacker could use one of the RCE vulnerabilities to gain control of any vulnerable IP phone on the network.
“In this vulnerability, a stack overflow in the parsing function for the Port ID can be exploited to gain code execution on the phone. While CDP packets are terminated by each CDP-capable switch in the network, an additional bug exists in the IP phone’s implementation of CDP, in which unicast and broadcast CDP packets are also regarded as legitimate CDP packets,” the Armis advisory says.
“All other Cisco network appliances will only interpret ethernet packets as legitimate CDP packets if they are sent to a designated multicast MAC address. This means that in order to trigger this vulnerability on the IP phones, an attacker can be situated anywhere in the local network, and is not limited to sending the maliciously crafted CDP packet directly from within the access switch to which target devices are connected.”
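The two advisory paragraphs above describe a property a defender can monitor for: legitimate CDP is sent to the well-known multicast MAC 01:00:0c:cc:cc:cc, so a CDP frame addressed to a unicast or broadcast MAC is anomalous, and so is a CDP TLV whose length field does not fit the frame. The following is an added example written for this article, not code from Armis or Cisco; it parses the 802.3/LLC/SNAP CDP framing and the TLV list, flags the two conditions, and uses constructed sample frames and an assumed local Port ID length threshold (`max_port_id`) that is not a Cisco-documented limit.

```python
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")            # well-known CDP destination MAC
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")   # LLC + SNAP (OUI 00:00:0c, PID 0x2000)
PORT_ID_TLV = 0x0003

def parse_cdp_frame(frame: bytes):
    """Return (dst_mac, [(tlv_type, value), ...]) or None if the frame is not CDP.
    Raises ValueError when a TLV header or length is inconsistent with the frame."""
    if len(frame) < 26 or frame[14:22] != SNAP_CDP:
        return None
    body, off, tlvs = frame[22:], 4, []                 # skip version(1) ttl(1) checksum(2)
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("!HH", body, off)
        if tlv_len < 4 or off + tlv_len > len(body):   # length covers the 4-byte header
            raise ValueError(f"bad TLV length {tlv_len} for type 0x{tlv_type:04x}")
        tlvs.append((tlv_type, body[off + 4:off + tlv_len]))
        off += tlv_len
    return frame[:6], tlvs

def cdp_findings(frame: bytes, max_port_id=64):
    """Defender-side checks over one frame; returns a list of anomaly descriptions.
    max_port_id is an assumed local threshold, not a Cisco-documented limit."""
    try:
        parsed = parse_cdp_frame(frame)
    except ValueError as exc:
        return [f"malformed CDP: {exc}"]
    if parsed is None:
        return []
    dst, tlvs = parsed
    findings = []
    if dst != CDP_MCAST:              # the behaviour the advisory singles out on IP phones
        findings.append(f"CDP delivered to non-multicast MAC {dst.hex(':')}")
    for tlv_type, value in tlvs:
        if tlv_type == PORT_ID_TLV and len(value) > max_port_id:
            findings.append(f"oversized Port ID TLV ({len(value)} bytes)")
    return findings

def build_cdp_frame(dst: bytes, tlvs) -> bytes:
    """Constructed test input only: assemble an 802.3/LLC/SNAP CDP frame."""
    body = bytes([2, 180]) + b"\x00\x00"                 # version 2, TTL 180, checksum zeroed
    for tlv_type, value in tlvs:
        body += struct.pack("!HH", tlv_type, 4 + len(value)) + value
    src = bytes.fromhex("001122334455")                  # constructed source MAC
    return dst + src + struct.pack("!H", 8 + len(body)) + SNAP_CDP + body

NORMAL = build_cdp_frame(CDP_MCAST, [(0x0001, b"switch1"), (PORT_ID_TLV, b"GigabitEthernet1/0/1")])
UNICAST = build_cdp_frame(bytes.fromhex("0a1b2c3d4e5f"), [(PORT_ID_TLV, b"eth0")])
```

On a real capture, feed each raw Ethernet frame to `cdp_findings`; non-CDP frames return an empty list, so the function can sit directly in a sniffer loop.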
Cisco has released updated software versions for all of the affected products.