Monday, November 4, 2024
HomeCisco5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers,...

5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers, IP Phones and Cameras

Published on

Malware protection

Researchers discovered 5 critical zero-day vulnerabilities (dubbed CDPwn)  in Cisco Discovery Protocol that are used in multiple Cisco products such as Routers, Switches, IP phones, Cameras and more.

Cisco Discovery Protocol is also known as CDP is the Cisco proprietary Layer 2 (Data Link Layer) network protocol and is virtually implemented in Cisco products including switches, routers, IP phones, and cameras to discover the information about the Cisco equipment.

Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities that affected 10 of millions of users, and it allows attackers to completely take over the vulnerable devices without any sort of user interaction.

- Advertisement - SIEM as a Service

One vulnerability cause Denial of Service in Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol implemented target routers, and in turn, completely disrupt target networks.

Affected Devices

Several Enterprise devices are affected by these Zero-day vulnerabilities, and the successful exploitation of these vulnerabilities causes severe damages in tens of millions of enterprise network devices.

CDP

List of Vulnerable Devices are Following:

Routers:

  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • IOS XRv 9000 Router
  • White box routers running Cisco IOS XR

Switches:

  • Nexus 1000 Virtual Edge
  • Nexus 1000V Switch
  • Nexus 3000 Series Switches
  • Nexus 5500 Series Switches
  • Nexus 5600 Series Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Fabric Switches
  • MDS 9000 Series Multilayer Switches
  • Network Convergence System (NCS) 1000 Series
  • Network Convergence System (NCS) 5000 Series
  • Network Convergence System (NCS) 540 Routers
  • Network Convergence System (NCS) 5500 Series
  • Network Convergence System (NCS) 560 Routers
  • Network Convergence System (NCS) 6000 Series
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects

IP Phones:

  • IP Conference Phone 7832
  • IP Conference Phone 8832
  • IP Phone 6800 Series
  • IP Phone 7800 Series
  • IP Phone 8800 Series
  • IP Phone 8851 Series
  • Unified IP Conference Phone 8831
  • Wireless IP Phone 8821
  • Wireless IP Phone 8821-EX

IP Cameras:

  • Video Surveillance 8000 Series IP Cameras

4 Remote Code Execution Vulnerabilities

Attackers can exploit all four vulnerabilities that affect a separate implementation of the CDP parsing mechanism by sending maliciously crafted CDP packet to the targeted Cisco devices.

1. Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability

A Stack overflow vulnerability in the parsing of CDP packets that affected the Cisco NX-OS software allows attackers to trigger due to a CDP packet containing too many PoE( Power over Ethernet) request fields.

Attacker causing te Stack overflow by sending a legitimate CDP packet with more power levels than the total number of power levels the switch expects to receive, thus it gives full control over the switch and the network infrastructure.

The vulnerability can be tracked as (CVE-2020-3119).

2. Cisco Voice over IP Phone – CDP RCE and DOS

In this vulnerability, a stack overflow in the parsing function for the Port ID, can be exploited to gain code execution on the phone. 

Attackers trigger this vulnerability in IP Phone by sending the maliciously crafted CDP packet directly from within the access switch to which target devices.

According to Armis research ” since broadcast CDP packets are also interpreted as legitimate CDP packets by the IP phones, an attacker could send an ethernet broadcast packet, that will trigger the vulnerability and cause DoS on all vulnerable devices on the same LAN, simultaneously. “

The vulnerability can be tracked as (CVE-2020-311).

3.Cisco IOS-XR – CDP Format String Vulnerability

A format string vulnerability occurs when parsing of certain string fields such as device ID, port ID for incoming CDP packets in the CDP implementation in IOS XR.

In this case, Attacker to control the format string parameter which leads to stack overflow thus attacker perform remote code execution and gain full control over the target router.

The vulnerability can be tracked as  (CVE-2020-3118).

4.. RCE and DOS Bugs in Cisco Video Surveillance 8000 Series IP Cameras CDP

A Heap overflow vulnerability in the parsing of CDP packets in the implementation Cisco 8000 Series IP cameras let attackers execute remote code by reaching the certain condition.

The vulnerability can be tracked as (CVE-2020-3110).

How Dangerous These Vulnerabilities are:

According to Armis report, Exploitation of the dubbed CDPwn RCE vulnerabilities can lead to:

  • Breaking of network segmentation
  • Data exfiltration of corporate network traffic traversing through an organization’s switches and routers
  • Gaining access to additional devices by leveraging man-in-the-middle attacks by intercepting and altering traffic on the corporate switch
  • Data exfiltration of sensitive information such as phone calls from devices like IP phones and video feeds from IP cameras

Cisco Security Update

Cisco fixed all these vulnerabilities and issue a patch for the affected devices.

Enterprise users are advised to quickly apply the patch for the affected Cisco products.

Also Read: Authentication Bypass Vulnerability in Cisco REST API Let Hackers Take Control of Cisco Routers Remotely

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year,...

A Massive Hacking Toolkit From “You Dun” Threat Group Developed To Lauch Massive Cyber Attack

The "You Dun" hacking group exploited vulnerable Zhiyuan OA software using SQL injection, leveraging...

Okta Verify Agent for Windows Flaw Let Attackers Steal User Passwords

A newly discovered vulnerability in Okta's Device Access features for Windows could allow attackers...