Cisco Community
English
Register
ANNOUNCEMENT - Upcoming Changes in the email address of Community email notifications - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

Insights About Multiple Vulnerabilities in Cisco Discovery Protocol Implementations (CDPwn)

21159
Views
75
Helpful
4
Comments
Omar Santos
Cisco Employee
Cisco Employee
‎02-05-2020 08:35 AM
‎02-05-2020 08:35 AM

On February 5, 2020, the Cisco Product Security Incident Response Team (PSIRT) disclosed multiple vulnerabilities in the Cisco Discovery Protocol implementation of several Cisco products, along with software fix information and mitigations where available. These vulnerabilities were found by Armis Security and were referred to them as "CDPwn". Cisco is committed to transparency. More than twenty years ago, we launched the Cisco PSIRT, with the goal of communicating clearly about security vulnerabilities so we can work closely with our customers and partners to help mitigate any impact. We maintain a very open relationship with the security research community, like the team at Armis, and view this collaboration as vital to helping protect our customers’ networks.

Cisco has released software updates that address all of these vulnerabilities. The following table provides a summary list of these vulnerabilities:

CVE ID

Cisco Security Advisory

CVSS Base Score

CVE-2020-3110

Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability

8.8

CVE-2020-3111

Cisco Voice over Internet Protocol Phone Remote Code Execution and Denial of Service Vulnerability

8.8

CVE-2020-3118

Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability

8.8

CVE-2020-3119

Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability

8.8

CVE-2020-3120

Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability

7.4

 

Cisco Discovery Protocol Details and Vulnerability Access Vector

The Cisco Discovery Protocol is a Layer 2 protocol that runs on Cisco devices and enables networking applications to learn about directly connected devices nearby. This protocol facilitates the management of Cisco devices by discovering these devices, determining how they are configured, and allowing systems using different network-layer protocols to learn about each other.

A few facts about these vulnerabilities are as follows:

  • Cisco PSIRT is not aware of any malicious use of any of these vulnerabilities.
  • An attacker must be in the same broadcast domain or subnet as the affected device (“Layer-2” adjacent) in order to exploit the vulnerabilities, as shown in the diagram below. These vulnerabilities cannot be exploited from the Internet or from a different broadcast domain/subnet.cdp-vuln-fig-1.png
  • Devices running Cisco IOS and Cisco IOS-XE Software are not affected by any of these vulnerabilities.
  • Cisco ASA, Cisco Firepower 1000 Series, and Cisco Firepower 2100 Series are not affected by any of these vulnerabilities.
  • Cisco FXOS Software, Cisco IP Camera Firmware, Cisco IP Phone Firmware, Cisco IOS-XR Software, Cisco NX-OS Software, and Cisco UCS Fabric Interconnects are affected by one or more of these vulnerabilities.
  • Cisco Discovery Protocol is disabled by default in Cisco IOS XR Software.
  • Cisco Discovery Protocol is enabled by default in Cisco FXOS Software, Cisco IP Camera Firmware, Cisco IP Phone Firmware, Cisco NX-OS Software and on Cisco UCS Fabric Interconnect. In Cisco FXOS Software releases 2.1 and later this vulnerability is exploitable only via the management (mgmt0) port. In these releases Cisco Discovery Protocol is never actually enabled on front-panel ports, even if it is configured. Csco Discovery Protocol can be enabled on front-panel ports in Cisco FXOS Software versions earlier than 2.1 only.

  • Cisco Discovery Protocol cannot be disabled completely on Cisco UCS Fabric Interconnects.

    Cisco Discovery Protocol can be disabled on server ports and appliance ports on Cisco UCS Fabric Interconnects, but it cannot be disabled on Ethernet uplink ports, Ethernet port channel members, FCoE uplink ports or management ports.

  • A well-known security best practice is to disable Cisco Discovery Protocol on all interfaces that are connected to untrusted networks. (A list of security best practices by operating system can be found on Network Infrastructure Device Hardening, Forensics, and Integrity Assurance Procedures) Each security advisory provides detailed information on how to determine if Cisco Discovery Protocol is enabled in your device and how to disable it. For those products that must run CDP for certain functionality, customers are encouraged to follow best practices on network segmentation to avoid untrusted devices from sending CDP packets or ultimately upgrade those devices with the available software fixes.

The following table summarizes the commands to disable Cisco Discovery Protocol in Cisco FXOS, Cisco IOS-XR, Cisco NX-OS, and Cisco UCS Fabric Interconnect:

Device Operating System

Disabling Cisco Discovery Protocol on an Interface

Disabling Cisco Discovery Protocol Globally

Cisco NX-OS

Use the no cdp enable command in interface configuration mode.

Use the no cdp enable command in global configuration mode.

Cisco FXOS

Use the disable cdp command in every nw-ctrl-policy that is applied to an interface.

Not applicable

Cisco IOS-XR

Use the no cdp command in interface configuration mode.

Cisco Discovery Protocol is disabled by default in Cisco IOS-XR devices.

Use the no cdp command in global configuration mode.

Cisco Discovery Protocol is disabled by default in Cisco IOS-XR devices.

Cisco IP Camera Firmware

Disabling Cisco Discovery Protocol may impact device functionality. Customers are encouraged to follow best practices on network segmentation to avoid untrusted devices from sending CDP packets or ultimately upgrade those devices with the available software fixes. Please see the security advisory for details on fixed software availability. (CVE-2020-3110)

Cisco IP Phone Firmware

Disabling Cisco Discovery Protocol may impact device functionality. Customers are encouraged to follow best practices on network segmentation to avoid untrusted devices from sending CDP packets or ultimately upgrade those devices with the available software fixes. Please see the security advisory for details on fixed software availability. (CVE-2020-3111)

Cisco UCS Fabric Interconnect

Use the disable cdp command in every nw-ctrl-policy that is applied to an interface.

Not applicable

 

Cisco has released software updates that address all of these vulnerabilities and each security advisory provides detailed information about how to obtain fixed software.

4 Comments
Ruralgeek
Beginner
Beginner
‎02-11-2020 02:11 AM
‎02-11-2020 02:11 AM

Do you have snug information on whether this affects older,  possibly out of support,  IP phones such as the CP-7940G, CP-7942G, CP-7911G, CP-7970G and CP-7975G?

Omar Santos
Cisco Employee
Cisco Employee
‎02-11-2020 06:18 AM
‎02-11-2020 06:18 AM

Hi @Ruralgeek ,

 

I have an update for you. The product team evaluated the Cisco 7900 series IP phones and they are not impacted by these vulnerabilities. 

 

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • IP DECT 6825 with Multiplatform Firmware
  • SPA112 2-Port Phone Adapter
  • SPA122 ATA with Router
  • SPA2102 Phone Adapter with Router
  • SPA232D Multi-Line DECT ATA
  • Small Business SPA300 Series IP Phones
  • Small Business SPA500 Series IP Phones
  • SPA3102 Voice Gateway with Router
  • SPA8000 8-port IP Telephony Gateway
  • SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
  • Unified IP Phone 7900 Series
Ruralgeek
Beginner
Beginner
‎02-11-2020 06:47 AM
‎02-11-2020 06:47 AM

Thanks,  unfortunately there are likely to still be a lot of your unsupported phones in use,  just like Windows XP was when wannacry broke.  No doubt we'll see more IoT-type issues like this as time goes on. 

0 Helpful
Omar Santos
Cisco Employee
Cisco Employee
‎02-11-2020 04:30 PM
‎02-11-2020 04:30 PM

In this case, we have confirmed that the Cisco 7900 series IP Phones are not impacted by these vulnerabilities. 

 

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • IP DECT 6825 with Multiplatform Firmware
  • SPA112 2-Port Phone Adapter
  • SPA122 ATA with Router
  • SPA2102 Phone Adapter with Router
  • SPA232D Multi-Line DECT ATA
  • Small Business SPA300 Series IP Phones
  • Small Business SPA500 Series IP Phones
  • SPA3102 Voice Gateway with Router
  • SPA8000 8-port IP Telephony Gateway
  • SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
  • Unified IP Phone 7900 Series
Latest Contents
COVID-19 Anyconnect For ASA-SM
Created by Manwë Sulimo on 07-04-2020 02:41 AM
0
0
0
0
Hi everyoneFirst of all i hope you all are safe from this pandemic.I saw following link about "Emergency COVID-19 AnyConnect License". would you please anyone confirm this procedure is working for multiple context ASA-SM also? and what part numbers s... view more
How to check dot1x authentication details or fail reason?
Created by getaway51 on 07-03-2020 09:48 PM
1
0
1
0
Hi, I tried to find dot1x authentication details or fail reason. Reason was because I can see lots of fail radius logs of MAB but I trying to check the reason why dot1x fail-was it because it wasn't a dot1x device or it was a 3rd party device (w... view more
ANYCONNECT secondID ON CISCO1921
Created by FERTHOFELES on 07-03-2020 08:40 PM
1
0
1
0
Hi everyone, I am in trouble, I have configured a router CISCO1921, I have access and it works good, but now I need to add a second authentication, before I used a Firewall ASA, I would like to replicate it,  my config on ASA :ip local pool... view more
What information is shared when I log into SecureX with Micr...
Created by diddly on 07-03-2020 04:05 PM
0
0
0
0
Question When I log into SecureX, I'm given an option to Sign in with MIcrosoft. What information is shared from my profile with Cisco? Answer 1. If you signed in with your work email, the information shared from your profile is controlled by your or... view more
Cisco Firepower 1000 series sizing guide (number of users or...
Created by Jaturapat on 07-03-2020 10:39 AM
1
0
1
0
Hello Please help me find sizing guide about number of concurrent users or devices for for Cisco Firepower 1000 series. For throughput specification I already find in datasheet. Model- Cisco Firepower 1010- Cisco Firepower 1120- Cisco Firep... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners
This widget could not be displayed.

Follow our Social Media Channels