CISCO DISCOVERY PROTOCOL VULNERABILITIES

Priority: High

Executive Summary: Armis (an IoT security company) discovered and disclosed five Cisco zero-day vulnerabilities, collectively named ‘CDPwn’.
The vulnerabilities are in the Cisco Discovery Protocol (CDP) [1-6] and consist of four remote code execution (RCE) vulnerabilities and one denial of service (DoS) vulnerability. They impact a large number of Cisco products including routers, switches and firewalls.

CDP is a proprietary data link layer protocol used by Cisco to share information about networked Cisco devices. Because the vulnerabilities lie in a data link layer protocol, they operate beneath the network segmentation used to protect networks (i.e. VLANs). This means, for example, that an attacker who compromised a switch would be able to gain access to devices and monitor data from all networks which feed into that switch. This would enable them to perform ‘man-in-the-middle’ attacks to monitor data in transit and to compromise connected Cisco IP phones.

The vulnerabilities have not been reported to be exploited in the wild.

Cisco have released fixes for all affected products; ITC’s recommendation is to patch any affected systems as soon as possible.

Detect: ITC recommend reviewing all impacted devices within your infrastructure. This can be achieved through monitoring platforms, your CMS data or vulnerability scanning.

Further information on impacted devices can be found below under ‘Sources’.

For ITC Managed Service customers, the ITC Secure SOC will be contacting customers who have the Managed Vulnerability Intelligence service to offer ad hoc scans to identify affected devices, as well as reviewing devices for Managed LAN, FW, WAN customers to ensure any vulnerable devices are patched.
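One passive way to support the Detect step above is to watch a mirrored (SPAN) port for CDP advertisements: any device advertising CDP is exposed to CDP-borne attacks and should be checked against the affected product list. The Python below is an added example, not code from the ITC advisory, Armis or Cisco; it recognises CDP frames by their standard SNAP encapsulation (Cisco OUI 00:00:0c, protocol ID 0x2000), walks the TLVs with strict length checks so malformed frames are flagged rather than trusted, and builds its own sample frame, whose device name and platform string are made-up values.

```python
import struct

# Constants of the CDP wire format (standard values, not taken from the advisory).
CDP_MAC = bytes.fromhex("01000ccccccc")                 # CDP multicast destination
SNAP_CDP = bytes.fromhex("aaaa03" + "00000c" + "2000")  # LLC DSAP/SSAP/ctrl, Cisco OUI, CDP PID
TLV_DEVICE_ID = 0x0001
TLV_PLATFORM = 0x0006


def build_cdp_frame(tlvs):
    """Assemble an 802.3/SNAP frame carrying a CDP advertisement; used only to construct sample input."""
    body = b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in tlvs)
    header = struct.pack("!BBH", 2, 180, 0)  # version 2, TTL 180 s, checksum left zero in the sample
    length = len(SNAP_CDP) + len(header) + len(body)
    return CDP_MAC + bytes(6) + struct.pack("!H", length) + SNAP_CDP + header + body


def parse_cdp(frame):
    """Return {'device_id': ..., 'platform': ...} for a CDP frame, None if the frame is not CDP.

    Raises ValueError when a TLV header is truncated or a TLV length runs past the frame,
    i.e. the kind of malformed advertisement a monitoring platform should alert on.
    """
    if len(frame) < 26 or frame[:6] != CDP_MAC or frame[14:22] != SNAP_CDP:
        return None
    off = 22 + 4  # skip the 4-byte CDP header (version, TTL, checksum)
    fields = {}
    while off < len(frame):
        if len(frame) - off < 4:
            raise ValueError("truncated TLV header at offset %d" % off)
        tlv_type, tlv_len = struct.unpack_from("!HH", frame, off)
        if tlv_len < 4 or off + tlv_len > len(frame):
            raise ValueError("TLV 0x%04x length %d exceeds frame" % (tlv_type, tlv_len))
        value = frame[off + 4:off + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            fields["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            fields["platform"] = value.decode("ascii", "replace")
        off += tlv_len
    return fields


if __name__ == "__main__":
    # Constructed sample advertisement (hypothetical device name and platform string).
    sample = build_cdp_frame([(TLV_DEVICE_ID, b"sw-example-1"), (TLV_PLATFORM, b"cisco SAMPLE-PLATFORM")])
    print(parse_cdp(sample))
```

Feed real frames from a capture library of your choice into parse_cdp and compare the returned platform strings with the affected products list in this advisory.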

Affected Products:

Routers:

  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • IOS XRv 9000 Router
  • White box routers running Cisco IOS XR

Switches:

  • Nexus 1000 Virtual Edge for VMware vSphere
  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 1000V Switch for VMware vSphere
  • Nexus 3000 Series Switches
  • Nexus 5500 Series Switches
  • Nexus 5600 Series Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Fabric Switches
  • MDS 9000 Series Multilayer Switches
  • Network Convergence System (NCS) 540 Routers
  • Network Convergence System (NCS) 560 Routers
  • Network Convergence System (NCS) 1000 Series
  • Network Convergence System (NCS) 5000 Series
  • Network Convergence System (NCS) 5500 Series
  • Network Convergence System (NCS) 6000 Series
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects

IP Phones:

  • IP Conference Phone 7832
  • IP Conference Phone 8832
  • IP Phone 6800 Series
  • IP Phone 7800 Series
  • IP Phone 8800 Series
  • IP Phone 8851 Series
  • Unified IP Conference Phone 8831
  • Wireless IP Phone 8821
  • Wireless IP Phone 8821-EX

IP Cameras:

  • Video Surveillance 8000 Series IP Cameras

*Note: The information in the Armis report [1] conflicts with the Cisco advisories [2,5]: it indicates that the Firepower 1000 Series and Firepower 2100 Series are vulnerable, whereas Cisco explicitly states that they are not.

Prevent: Cisco have released security updates for all affected products. These updates should be applied to affected systems as soon as possible, to ensure they are protected before adversaries begin exploiting these vulnerabilities in the wild.

If you are unsure about the patch level required for a particular device, we advise going directly to the relevant Cisco Advisory (see Sources) which will provide further details.

React: The appropriate security updates should be applied to all affected systems immediately.

ITC recommend reviewing your infrastructure to identify all impacted devices. This can be achieved through monitoring platforms or vulnerability scanning. Further information on impacted devices can be found below under ‘Sources’.

For all managed service customers, the ITC SOC will be in contact to run Vulnerability Intelligence scans as well as reviewing Managed Networking devices to ensure any vulnerable devices are patched.

Sources:
[1] https://www.armis.com/cdpwn/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
[4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos
[5] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
[6] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos