Wednesday, December 25, 2024
HomeCisco5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers,...

5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers, IP Phones and Cameras

Published on

SIEM as a Service

Researchers discovered 5 critical zero-day vulnerabilities (dubbed CDPwn)  in Cisco Discovery Protocol that are used in multiple Cisco products such as Routers, Switches, IP phones, Cameras and more.

Cisco Discovery Protocol is also known as CDP is the Cisco proprietary Layer 2 (Data Link Layer) network protocol and is virtually implemented in Cisco products including switches, routers, IP phones, and cameras to discover the information about the Cisco equipment.

Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities that affected 10 of millions of users, and it allows attackers to completely take over the vulnerable devices without any sort of user interaction.

- Advertisement - SIEM as a Service

One vulnerability cause Denial of Service in Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol implemented target routers, and in turn, completely disrupt target networks.

Affected Devices

Several Enterprise devices are affected by these Zero-day vulnerabilities, and the successful exploitation of these vulnerabilities causes severe damages in tens of millions of enterprise network devices.

CDP

List of Vulnerable Devices are Following:

Routers:

  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • IOS XRv 9000 Router
  • White box routers running Cisco IOS XR

Switches:

  • Nexus 1000 Virtual Edge
  • Nexus 1000V Switch
  • Nexus 3000 Series Switches
  • Nexus 5500 Series Switches
  • Nexus 5600 Series Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Fabric Switches
  • MDS 9000 Series Multilayer Switches
  • Network Convergence System (NCS) 1000 Series
  • Network Convergence System (NCS) 5000 Series
  • Network Convergence System (NCS) 540 Routers
  • Network Convergence System (NCS) 5500 Series
  • Network Convergence System (NCS) 560 Routers
  • Network Convergence System (NCS) 6000 Series
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects

IP Phones:

  • IP Conference Phone 7832
  • IP Conference Phone 8832
  • IP Phone 6800 Series
  • IP Phone 7800 Series
  • IP Phone 8800 Series
  • IP Phone 8851 Series
  • Unified IP Conference Phone 8831
  • Wireless IP Phone 8821
  • Wireless IP Phone 8821-EX

IP Cameras:

  • Video Surveillance 8000 Series IP Cameras

4 Remote Code Execution Vulnerabilities

Attackers can exploit all four vulnerabilities that affect a separate implementation of the CDP parsing mechanism by sending maliciously crafted CDP packet to the targeted Cisco devices.

1. Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability

A Stack overflow vulnerability in the parsing of CDP packets that affected the Cisco NX-OS software allows attackers to trigger due to a CDP packet containing too many PoE( Power over Ethernet) request fields.

Attacker causing te Stack overflow by sending a legitimate CDP packet with more power levels than the total number of power levels the switch expects to receive, thus it gives full control over the switch and the network infrastructure.

The vulnerability can be tracked as (CVE-2020-3119).

2. Cisco Voice over IP Phone – CDP RCE and DOS

In this vulnerability, a stack overflow in the parsing function for the Port ID, can be exploited to gain code execution on the phone. 

Attackers trigger this vulnerability in IP Phone by sending the maliciously crafted CDP packet directly from within the access switch to which target devices.

According to Armis research ” since broadcast CDP packets are also interpreted as legitimate CDP packets by the IP phones, an attacker could send an ethernet broadcast packet, that will trigger the vulnerability and cause DoS on all vulnerable devices on the same LAN, simultaneously. “

The vulnerability can be tracked as (CVE-2020-311).

3.Cisco IOS-XR – CDP Format String Vulnerability

A format string vulnerability occurs when parsing of certain string fields such as device ID, port ID for incoming CDP packets in the CDP implementation in IOS XR.

In this case, Attacker to control the format string parameter which leads to stack overflow thus attacker perform remote code execution and gain full control over the target router.

The vulnerability can be tracked as  (CVE-2020-3118).

4.. RCE and DOS Bugs in Cisco Video Surveillance 8000 Series IP Cameras CDP

A Heap overflow vulnerability in the parsing of CDP packets in the implementation Cisco 8000 Series IP cameras let attackers execute remote code by reaching the certain condition.

The vulnerability can be tracked as (CVE-2020-3110).

How Dangerous These Vulnerabilities are:

According to Armis report, Exploitation of the dubbed CDPwn RCE vulnerabilities can lead to:

  • Breaking of network segmentation
  • Data exfiltration of corporate network traffic traversing through an organization’s switches and routers
  • Gaining access to additional devices by leveraging man-in-the-middle attacks by intercepting and altering traffic on the corporate switch
  • Data exfiltration of sensitive information such as phone calls from devices like IP phones and video feeds from IP cameras

Cisco Security Update

Cisco fixed all these vulnerabilities and issue a patch for the affected devices.

Enterprise users are advised to quickly apply the patch for the affected Cisco products.

Also Read: Authentication Bypass Vulnerability in Cisco REST API Let Hackers Take Control of Cisco Routers Remotely

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from...

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...