Insights About Multiple Vulnerabilities in Cisco Discovery Protocol Implementations (CDPwn)

Cisco Employee

On February 5, 2020, the Cisco Product Security Incident Response Team (PSIRT) disclosed multiple vulnerabilities in the Cisco Discovery Protocol implementation of several Cisco products, along with software fix information and mitigations where available. These vulnerabilities were found by Armis Security, who refer to them collectively as "CDPwn". Cisco is committed to transparency. More than twenty years ago, we launched the Cisco PSIRT, with the goal of communicating clearly about security vulnerabilities so we can work closely with our customers and partners to help mitigate any impact. We maintain a very open relationship with the security research community, like the team at Armis, and view this collaboration as vital to helping protect our customers’ networks.

Cisco has released software updates that address all of these vulnerabilities. The following table provides a summary list of these vulnerabilities:

| CVE ID | Cisco Security Advisory | CVSS Base Score |
|---|---|---|
| CVE-2020-3110 | Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability | 8.8 |
| CVE-2020-3111 | Cisco Voice over Internet Protocol Phone Remote Code Execution and Denial of Service Vulnerability | 8.8 |
| CVE-2020-3118 | Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability | 8.8 |
| CVE-2020-3119 | Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability | 8.8 |
| CVE-2020-3120 | Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability | 7.4 |

Cisco Discovery Protocol Details and Vulnerability Access Vector

The Cisco Discovery Protocol is a Layer 2 protocol that runs on Cisco devices and enables networking applications to learn about directly connected devices nearby. This protocol facilitates the management of Cisco devices by discovering these devices, determining how they are configured, and allowing systems using different network-layer protocols to learn about each other.
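Because the protocol is Layer 2 only, a defender can watch for it directly on a SPAN or mirror port of the switch that serves an untrusted segment. The following parser is an added example written for this post, not Cisco's or Armis's code: it decodes an 802.3/LLC/SNAP-encapsulated CDP frame into its TLVs while validating every length field against the bytes actually present, which is the class of check a CDP implementation has to get right. The sample frame, source MAC, device names and `is_well_formed` helper are constructed for the example; the multicast MAC, SNAP header and TLV type numbers are the public CDP ones.

```python
"""
Added example (not Cisco's or Armis's code): parse a Cisco Discovery Protocol
frame the way a passive monitor on a switch SPAN port would, checking every
encapsulation and TLV length before using it.  The sample frame is constructed
here for the example; the TLV type numbers are the public CDP ones.
"""
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")      # destination MAC of CDP frames
# LLC (AA AA 03) + SNAP with Cisco OUI 00:00:0C and protocol id 0x2000 (CDP)
SNAP_CDP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")

TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform"}
TEXT_TLVS = {0x0001, 0x0003, 0x0005, 0x0006}          # TLVs whose value is plain text


class CdpParseError(ValueError):
    """Raised for any frame that is not structurally valid CDP."""


def parse_cdp_frame(frame: bytes) -> dict:
    """Return header fields and a dict of TLVs from an 802.3/LLC/SNAP CDP frame.

    Every length is validated against the bytes actually present; a TLV that
    claims a length below its 4-byte header or beyond the end of the frame is
    rejected rather than trusted.
    """
    if len(frame) < 14 + len(SNAP_CDP_HEADER) + 4:
        raise CdpParseError("frame too short for Ethernet + SNAP + CDP header")
    if frame[0:6] != CDP_MULTICAST_MAC:
        raise CdpParseError("destination is not the CDP multicast MAC")
    (length_field,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:14 + length_field]
    if length_field > 1500 or len(payload) != length_field:
        raise CdpParseError("802.3 length field does not match the bytes present")
    if payload[:8] != SNAP_CDP_HEADER:
        raise CdpParseError("LLC/SNAP header is not CDP (OUI 00:00:0C, PID 0x2000)")

    cdp = payload[8:]
    version, ttl, checksum = struct.unpack("!BBH", cdp[:4])
    tlvs = {}
    offset = 4
    while offset < len(cdp):
        if len(cdp) - offset < 4:
            raise CdpParseError("trailing bytes too short for a TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", cdp[offset:offset + 4])
        if tlv_len < 4:
            raise CdpParseError(f"TLV 0x{tlv_type:04x} declares length {tlv_len} < 4")
        if offset + tlv_len > len(cdp):
            raise CdpParseError(f"TLV 0x{tlv_type:04x} runs past the end of the frame")
        value = cdp[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"type_0x{tlv_type:04x}")
        # Text TLVs are decoded leniently; anything else is kept as raw bytes.
        tlvs[name] = value.decode("ascii", errors="replace") if tlv_type in TEXT_TLVS else value
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_sample_frame() -> bytes:
    """A constructed, benign CDP advertisement used as test input (checksum left 0)."""
    body = (_tlv(0x0001, b"sw-lab-1") + _tlv(0x0003, b"Ethernet1/1")
            + _tlv(0x0005, b"example-os 1.0") + _tlv(0x0006, b"example-platform"))
    cdp = struct.pack("!BBH", 2, 180, 0) + body
    payload = SNAP_CDP_HEADER + cdp
    src_mac = bytes.fromhex("020000000001")           # locally administered, constructed
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", len(payload)) + payload


def is_well_formed(frame: bytes) -> bool:
    """Convenience wrapper: True if the frame parses, False if it was rejected."""
    try:
        parse_cdp_frame(frame)
        return True
    except CdpParseError:
        return False


if __name__ == "__main__":
    good = build_sample_frame()
    print(parse_cdp_frame(good)["tlvs"])
    print("truncated frame accepted?", is_well_formed(good[:-5]))   # False
```

A monitor built on this would log the source MAC of any CDP frame seen on a port that faces an untrusted network, and any frame that fails to parse, since neither should appear there once the mitigations below are applied. The checksum is carried through but not verified, so the parser is deliberately strict about structure rather than about content.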

A few facts about these vulnerabilities are as follows:

  • Cisco PSIRT is not aware of any malicious use of any of these vulnerabilities.
  • An attacker must be in the same broadcast domain or subnet as the affected device (“Layer-2” adjacent) in order to exploit the vulnerabilities, as shown in the diagram below. These vulnerabilities cannot be exploited from the Internet or from a different broadcast domain/subnet.
    [Figure: cdp-vuln-fig-1.png, diagram of the Layer 2 adjacency required to reach an affected device]
  • Devices running Cisco IOS and Cisco IOS-XE Software are not affected by any of these vulnerabilities.
  • Cisco ASA, Cisco Firepower 1000 Series, and Cisco Firepower 2100 Series are not affected by any of these vulnerabilities.
  • Cisco FXOS Software, Cisco IP Camera Firmware, Cisco IP Phone Firmware, Cisco IOS-XR Software, Cisco NX-OS Software, and Cisco UCS Fabric Interconnects are affected by one or more of these vulnerabilities.
  • Cisco Discovery Protocol is disabled by default in Cisco IOS XR Software.
  • Cisco Discovery Protocol is enabled by default in Cisco FXOS Software, Cisco IP Camera Firmware, Cisco IP Phone Firmware, Cisco NX-OS Software and on Cisco UCS Fabric Interconnect. In Cisco FXOS Software releases 2.1 and later this vulnerability is exploitable only via the management (mgmt0) port. In these releases Cisco Discovery Protocol is never actually enabled on front-panel ports, even if it is configured. Cisco Discovery Protocol can be enabled on front-panel ports only in Cisco FXOS Software versions earlier than 2.1.
  • Cisco Discovery Protocol cannot be disabled completely on Cisco UCS Fabric Interconnects.

    Cisco Discovery Protocol can be disabled on server ports and appliance ports on Cisco UCS Fabric Interconnects, but it cannot be disabled on Ethernet uplink ports, Ethernet port channel members, FCoE uplink ports or management ports.

  • A well-known security best practice is to disable Cisco Discovery Protocol on all interfaces that are connected to untrusted networks. (A list of security best practices by operating system can be found in Network Infrastructure Device Hardening, Forensics, and Integrity Assurance Procedures.) Each security advisory provides detailed information on how to determine whether Cisco Discovery Protocol is enabled on your device and how to disable it. For products that must run CDP for certain functionality, customers are encouraged to follow network segmentation best practices so that untrusted devices cannot send CDP packets to them, or to upgrade those devices with the available software fixes.

The following table summarizes the commands to disable Cisco Discovery Protocol in Cisco FXOS, Cisco IOS-XR, Cisco NX-OS, and Cisco UCS Fabric Interconnect:

| Device Operating System | Disabling Cisco Discovery Protocol on an Interface | Disabling Cisco Discovery Protocol Globally |
|---|---|---|
| Cisco NX-OS | Use the no cdp enable command in interface configuration mode. | Use the no cdp enable command in global configuration mode. |
| Cisco FXOS | Use the disable cdp command in every nw-ctrl-policy that is applied to an interface. | Not applicable |
| Cisco IOS-XR | Use the no cdp command in interface configuration mode. Cisco Discovery Protocol is disabled by default in Cisco IOS-XR devices. | Use the no cdp command in global configuration mode. Cisco Discovery Protocol is disabled by default in Cisco IOS-XR devices. |
| Cisco IP Camera Firmware | Disabling Cisco Discovery Protocol may impact device functionality. Customers are encouraged to follow network segmentation best practices so that untrusted devices cannot send CDP packets to them, or to upgrade those devices with the available software fixes. Please see the security advisory for details on fixed software availability. (CVE-2020-3110) | See previous column. |
| Cisco IP Phone Firmware | Disabling Cisco Discovery Protocol may impact device functionality. Customers are encouraged to follow network segmentation best practices so that untrusted devices cannot send CDP packets to them, or to upgrade those devices with the available software fixes. Please see the security advisory for details on fixed software availability. (CVE-2020-3111) | See previous column. |
| Cisco UCS Fabric Interconnect | Use the disable cdp command in every nw-ctrl-policy that is applied to an interface. | Not applicable |

Cisco has released software updates that address all of these vulnerabilities and each security advisory provides detailed information about how to obtain fixed software.
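Checking a fleet of NX-OS and IOS XR configurations against the table above is a job worth scripting. The audit below is an added example written for this post, not Cisco's code: it parses a running configuration, applies the per-platform defaults and commands the post gives (NX-OS enabled by default and disabled with no cdp enable; IOS XR disabled by default and toggled with cdp / no cdp), and lists the untrusted-facing interfaces on which CDP is still in effect. The sample configurations, hostnames, interface descriptions and the list of untrusted interfaces are constructed; the rule that an interface needs CDP on both globally and on the interface, and that an unconfigured interface follows the platform default, is an assumption of this example.

```python
"""
Added example (not Cisco's code): audit running configurations for interfaces
on which Cisco Discovery Protocol is still in effect, applying the defaults
and commands the post gives for NX-OS (enabled by default, "no cdp enable")
and IOS XR (disabled by default, "no cdp" / "cdp").  The configurations and
the list of untrusted-facing interfaces are constructed for this example.
"""
import re

# Global state when nothing is configured, as stated in the post.
DEFAULT_CDP = {"nxos": True, "iosxr": False}
# (enable command, disable command) used both globally and per interface.
CDP_COMMANDS = {"nxos": ("cdp enable", "no cdp enable"), "iosxr": ("cdp", "no cdp")}


def parse_config(text: str):
    """Split an IOS-style config into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):                  # indented: belongs to current block
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def cdp_state(lines, default: bool, enable_cmd: str, disable_cmd: str) -> bool:
    """Last matching command wins; the default applies when neither appears."""
    state = default
    for line in lines:
        if line == disable_cmd:
            state = False
        elif line == enable_cmd:
            state = True
    return state


def effective_cdp(config_text: str, os_name: str, extra_interfaces=()) -> dict:
    """Map interface name -> True if CDP is effective on it.

    Assumption for this example: CDP is effective on an interface only when it
    is on globally and on that interface, and an unconfigured interface follows
    the platform default.
    """
    enable_cmd, disable_cmd = CDP_COMMANDS[os_name]
    default = DEFAULT_CDP[os_name]
    global_lines, interfaces = parse_config(config_text)
    for name in extra_interfaces:
        interfaces.setdefault(name, [])
    global_on = cdp_state(global_lines, default, enable_cmd, disable_cmd)
    return {name: global_on and cdp_state(lines, default, enable_cmd, disable_cmd)
            for name, lines in interfaces.items()}


def audit(config_text: str, os_name: str, untrusted_interfaces) -> list:
    """Return the untrusted-facing interfaces on which CDP is still effective."""
    state = effective_cdp(config_text, os_name, untrusted_interfaces)
    return sorted(name for name in untrusted_interfaces if state[name])


# Constructed sample configurations.
NXOS_CONFIG = """\
hostname nxos-edge-1
!
interface Ethernet1/1
  description uplink to core
!
interface Ethernet1/2
  description guest-wifi access
  no cdp enable
!
interface Ethernet1/3
  description contractor desk
"""

IOSXR_CONFIG = """\
hostname xr-agg-1
cdp
interface GigabitEthernet0/0/0/0
 description to partner
 cdp
!
interface GigabitEthernet0/0/0/1
 description to core
!
"""

if __name__ == "__main__":
    print("NX-OS:", audit(NXOS_CONFIG, "nxos", ["Ethernet1/2", "Ethernet1/3", "Ethernet1/4"]))
    print("IOS XR:", audit(IOSXR_CONFIG, "iosxr",
                          ["GigabitEthernet0/0/0/0", "GigabitEthernet0/0/0/1"]))
```

Note the Ethernet1/4 case: an interface that appears nowhere in the NX-OS configuration is still reported, because on that platform absence of configuration means CDP is on. For FXOS and UCS Fabric Interconnect, where the post says CDP is controlled through network control policies and cannot be disabled on every port type, the same approach would have to inspect the nw-ctrl-policy objects rather than interface sub-commands.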

4 Comments
Beginner

Do you have any information on whether this affects older, possibly out of support, IP phones such as the CP-7940G, CP-7942G, CP-7911G, CP-7970G and CP-7975G?

Cisco Employee

Hi @Ruralgeek ,
I have an update for you. The product team evaluated the Cisco 7900 series IP phones and they are not impacted by these vulnerabilities. 
Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • IP DECT 6825 with Multiplatform Firmware
  • SPA112 2-Port Phone Adapter
  • SPA122 ATA with Router
  • SPA2102 Phone Adapter with Router
  • SPA232D Multi-Line DECT ATA
  • Small Business SPA300 Series IP Phones
  • Small Business SPA500 Series IP Phones
  • SPA3102 Voice Gateway with Router
  • SPA8000 8-port IP Telephony Gateway
  • SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
  • Unified IP Phone 7900 Series
Beginner

Thanks, unfortunately there are likely to still be a lot of your unsupported phones in use, just like Windows XP was when WannaCry broke. No doubt we'll see more IoT-type issues like this as time goes on.

Cisco Employee

In this case, we have confirmed that the Cisco 7900 series IP Phones are not impacted by these vulnerabilities. 
Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • IP DECT 6825 with Multiplatform Firmware
  • SPA112 2-Port Phone Adapter
  • SPA122 ATA with Router
  • SPA2102 Phone Adapter with Router
  • SPA232D Multi-Line DECT ATA
  • Small Business SPA300 Series IP Phones
  • Small Business SPA500 Series IP Phones
  • SPA3102 Voice Gateway with Router
  • SPA8000 8-port IP Telephony Gateway
  • SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
  • Unified IP Phone 7900 Series