5 Critical Zero-day Vulnerabilities Affected Tens of Millions of Cisco Switches, Routers, IP Phones and Cameras

Researchers discovered 5 critical zero-day vulnerabilities (dubbed CDPwn)  in Cisco Discovery Protocol that are used in multiple Cisco products such as Routers, Switches, IP phones, Cameras and more.

Cisco Discovery Protocol is also known as CDP is the Cisco proprietary Layer 2 (Data Link Layer) network protocol and is virtually implemented in Cisco products including switches, routers, IP phones, and cameras to discover the information about the Cisco equipment.

Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities that affected 10 of millions of users, and it allows attackers to completely take over the vulnerable devices without any sort of user interaction.

One vulnerability cause Denial of Service in Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol implemented target routers, and in turn, completely disrupt target networks.

Affected Devices

Several Enterprise devices are affected by these Zero-day vulnerabilities, and the successful exploitation of these vulnerabilities causes severe damages in tens of millions of enterprise network devices.

List of Vulnerable Devices are Following:

Routers:

• ASR 9000 Series Aggregation Services Routers
• Carrier Routing System (CRS)
• Firepower 1000 Series
• Firepower 2100 Series
• Firepower 4100 Series
• Firepower 9300 Security Appliances
• IOS XRv 9000 Router
• White box routers running Cisco IOS XR

Switches:

• Nexus 1000 Virtual Edge
• Nexus 1000V Switch
• Nexus 3000 Series Switches
• Nexus 5500 Series Switches
• Nexus 5600 Series Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 9000 Series Fabric Switches
• MDS 9000 Series Multilayer Switches
• Network Convergence System (NCS) 1000 Series
• Network Convergence System (NCS) 5000 Series
• Network Convergence System (NCS) 540 Routers
• Network Convergence System (NCS) 5500 Series
• Network Convergence System (NCS) 560 Routers
• Network Convergence System (NCS) 6000 Series
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects
• UCS 6400 Series Fabric Interconnects

IP Phones:

• IP Conference Phone 7832
• IP Conference Phone 8832
• IP Phone 6800 Series
• IP Phone 7800 Series
• IP Phone 8800 Series
• IP Phone 8851 Series
• Unified IP Conference Phone 8831
• Wireless IP Phone 8821
• Wireless IP Phone 8821-EX

IP Cameras:

• Video Surveillance 8000 Series IP Cameras

4 Remote Code Execution Vulnerabilities

Attackers can exploit all four vulnerabilities that affect a separate implementation of the CDP parsing mechanism by sending maliciously crafted CDP packet to the targeted Cisco devices.

1. Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability

A Stack overflow vulnerability in the parsing of CDP packets that affected the Cisco NX-OS software allows attackers to trigger due to a CDP packet containing too many PoE( Power over Ethernet) request fields.

Attacker causing te Stack overflow by sending a legitimate CDP packet with more power levels than the total number of power levels the switch expects to receive, thus it gives full control over the switch and the network infrastructure.

The vulnerability can be tracked as (CVE-2020-3119).

2. Cisco Voice over IP Phone – CDP RCE and DOS

In this vulnerability, a stack overflow in the parsing function for the Port ID, can be exploited to gain code execution on the phone. 

Attackers trigger this vulnerability in IP Phone by sending the maliciously crafted CDP packet directly from within the access switch to which target devices.

According to Armis research ” since broadcast CDP packets are also interpreted as legitimate CDP packets by the IP phones, an attacker could send an ethernet broadcast packet, that will trigger the vulnerability and cause DoS on all vulnerable devices on the same LAN, simultaneously. “

The vulnerability can be tracked as (CVE-2020-311).

3.Cisco IOS-XR – CDP Format String Vulnerability

A format string vulnerability occurs when parsing of certain string fields such as device ID, port ID for incoming CDP packets in the CDP implementation in IOS XR.

In this case, Attacker to control the format string parameter which leads to stack overflow thus attacker perform remote code execution and gain full control over the target router.

The vulnerability can be tracked as  (CVE-2020-3118).

4.. RCE and DOS Bugs in Cisco Video Surveillance 8000 Series IP Cameras CDP

A Heap overflow vulnerability in the parsing of CDP packets in the implementation Cisco 8000 Series IP cameras let attackers execute remote code by reaching the certain condition.

The vulnerability can be tracked as (CVE-2020-3110).

How Dangerous These Vulnerabilities are:

According to Armis report, Exploitation of the dubbed CDPwn RCE vulnerabilities can lead to:

• Breaking of network segmentation
• Data exfiltration of corporate network traffic traversing through an organization’s switches and routers
• Gaining access to additional devices by leveraging man-in-the-middle attacks by intercepting and altering traffic on the corporate switch
• Data exfiltration of sensitive information such as phone calls from devices like IP phones and video feeds from IP cameras

Cisco Security Update

Cisco fixed all these vulnerabilities and issue a patch for the affected devices.

• CVE-2020-3120
• CVE-2020-3119
• CVE-2020-3118
• CVE-2020-3111
• CVE-2020-3110

Enterprise users are advised to quickly apply the patch for the affected Cisco products.

Also Read: Authentication Bypass Vulnerability in Cisco REST API Let Hackers Take Control of Cisco Routers Remotely