UPDATE: In October 2020, the Cisco Product Security Incident Response Team (PSIRT) received reports of attempted in-the-wild exploitation of one of the vulnerabilities described in this article, CVE-2020-3118.
Cisco recommends that customers upgrade to a fixed Cisco IOS XR Software release to remediate this vulnerability.
The external report can be found here: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
On February 5, 2020, the Cisco Product Security Incident Response Team (PSIRT) disclosed multiple vulnerabilities in the Cisco Discovery Protocol implementation of several Cisco products, along with software fix information and mitigations where available. These vulnerabilities were found by Armis Security, which named the set "CDPwn". Cisco is committed to transparency. More than twenty years ago, we launched the Cisco PSIRT with the goal of communicating clearly about security vulnerabilities so we can work closely with our customers and partners to help mitigate any impact. We maintain a very open relationship with the security research community, like the team at Armis, and view this collaboration as vital to helping protect our customers' networks.
Cisco has released software updates that address all of these vulnerabilities. The following table provides a summary list of these vulnerabilities:

| CVE ID | Cisco Security Advisory | CVSS Base Score |
| --- | --- | --- |
| CVE-2020-3110 |  | 8.8 |
| CVE-2020-3111 | Cisco Voice over Internet Protocol Phone Remote Code Execution and Denial of Service Vulnerability | 8.8 |
| CVE-2020-3118 | Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability | 8.8 |
| CVE-2020-3119 | Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability | 8.8 |
| CVE-2020-3120 | Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability | 7.4 |
The Cisco Discovery Protocol is a Layer 2 protocol that runs on Cisco devices and lets directly connected devices learn about each other. It facilitates the management of Cisco devices by discovering them, determining how they are configured, and allowing systems that use different network-layer protocols to learn about each other. Because CDP frames are sent to a Cisco-reserved multicast MAC address and are never routed, an attacker must be on the same Layer 2 segment as the target to deliver a malicious CDP packet; this is why network segmentation is the fallback mitigation where CDP cannot be turned off.
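To make the Layer 2 point concrete, here is an added example (not code from Cisco or Armis) that builds and parses CDP frames. It implements the standard wire format: an 802.3 frame to the CDP multicast MAC 01:00:0c:cc:cc:cc, LLC/SNAP with Cisco's OUI and protocol ID 0x2000, a 4-byte header (version, TTL, checksum), then type-length-value records. The parser treats every TLV length as untrusted, which is the check a robust implementation needs, and it also flags a '%' in string TLVs; that flag is a heuristic of this example, since the post does not say which CDP field the IOS XR format string bug involves. All frames, device names and TLV values are constructed inline for illustration, and the checksum helper only models the even-length case.

```python
"""CDP frame builder and defensive parser (added example, not Cisco's code).
TLV lengths are never trusted; '%' in string TLVs is flagged as a heuristic."""
import struct

CDP_MULTICAST_DST = bytes.fromhex("01000ccccccc")
# LLC DSAP/SSAP/control (aa aa 03), SNAP OUI 00000c (Cisco), PID 0x2000 (CDP)
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_DEVICE_ID, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0003, 0x0004
TLV_SOFTWARE_VERSION, TLV_PLATFORM, TLV_NATIVE_VLAN = 0x0005, 0x0006, 0x000A
TLV_NAMES = {TLV_DEVICE_ID: "Device ID", 0x0002: "Addresses", TLV_PORT_ID: "Port ID",
             TLV_CAPABILITIES: "Capabilities", TLV_SOFTWARE_VERSION: "Software Version",
             TLV_PLATFORM: "Platform", TLV_NATIVE_VLAN: "Native VLAN", 0x000B: "Duplex"}
STRING_TLVS = {TLV_DEVICE_ID, TLV_PORT_ID, TLV_SOFTWARE_VERSION, TLV_PLATFORM}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over an even-length buffer. CDP uses the same
    arithmetic; Cisco's odd-length handling differs and is not modelled here."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_cdp_frame(tlvs, version=2, ttl=180, src=bytes.fromhex("001122334455")):
    """Assemble an 802.3/LLC/SNAP CDP frame from (type, value) pairs."""
    body = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs)
    cdp = struct.pack("!BBH", version, ttl, 0) + body      # checksum zeroed
    if len(cdp) % 2:
        raise ValueError("this builder only supports even-length CDP payloads")
    cdp = cdp[:2] + struct.pack("!H", ones_complement_checksum(cdp)) + cdp[4:]
    ieee_len = len(LLC_SNAP_CDP) + len(cdp)                # 802.3 length = LLC+SNAP+CDP
    return CDP_MULTICAST_DST + src + struct.pack("!H", ieee_len) + LLC_SNAP_CDP + cdp


def parse_cdp_frame(frame: bytes) -> dict:
    """Decode a CDP frame into header fields, TLVs and a list of findings."""
    res = {"tlvs": [], "findings": []}
    if len(frame) < 14 + len(LLC_SNAP_CDP) + 4:
        raise ValueError("frame too short to hold a CDP header")
    if frame[14:22] != LLC_SNAP_CDP:
        raise ValueError("not an LLC/SNAP-encapsulated CDP frame")
    if frame[:6] != CDP_MULTICAST_DST:
        res["findings"].append("destination is not the CDP multicast MAC")
    ieee_len = struct.unpack("!H", frame[12:14])[0]
    if 14 + ieee_len > len(frame):
        res["findings"].append("802.3 length field exceeds captured frame")
    cdp = frame[22:min(14 + ieee_len, len(frame))]         # drop Ethernet padding
    if len(cdp) < 4:
        raise ValueError("802.3 length leaves no room for the CDP header")
    res["version"], res["ttl"], _ = struct.unpack("!BBH", cdp[:4])
    res["checksum_ok"] = ones_complement_checksum(cdp) == 0 if len(cdp) % 2 == 0 else None
    off = 4
    while off < len(cdp):
        if len(cdp) - off < 4:
            res["findings"].append(f"{len(cdp) - off} stray byte(s) after the last TLV")
            break
        ttype, tlen = struct.unpack("!HH", cdp[off:off + 4])
        name = TLV_NAMES.get(ttype, f"type 0x{ttype:04x}")
        if tlen < 4:                                        # would loop forever / underflow
            res["findings"].append(f"{name} at offset {off} declares length {tlen} < 4")
            break
        if off + tlen > len(cdp):                           # would read past the buffer
            res["findings"].append(f"{name} at offset {off} declares length {tlen} "
                                   f"but only {len(cdp) - off} bytes remain")
            break
        value = cdp[off + 4:off + tlen]
        tlv = {"type": ttype, "name": name, "raw": value}
        if ttype in STRING_TLVS:
            tlv["text"] = value.decode("ascii", errors="replace")
            if "%" in tlv["text"]:                          # heuristic tripwire (assumption)
                res["findings"].append(f"{name} contains '%' (possible format specifier)")
        elif ttype == TLV_NATIVE_VLAN and len(value) == 2:
            tlv["vlan"] = struct.unpack("!H", value)[0]
        res["tlvs"].append(tlv)
        off += tlen
    return res


# Constructed sample advertisements, not captured traffic.
BENIGN_TLVS = [(TLV_DEVICE_ID, b"sw-core-01"), (TLV_PORT_ID, b"GigabitEthernet0/1"),
               (TLV_CAPABILITIES, b"\x00\x00\x00\x28"), (TLV_PLATFORM, b"cisco WS-C2960"),
               (TLV_NATIVE_VLAN, b"\x00\x0a")]
FORMAT_TLVS = [(TLV_DEVICE_ID, b"%x%x%x%x%x"), (TLV_PORT_ID, b"GigabitEthernet0/1")]


def sample_frames() -> dict:
    """Benign frame, a frame with '%' in Device ID, and one whose first TLV
    length field (frame bytes 28-29) points far past the end of the payload."""
    overlong = bytearray(build_cdp_frame(BENIGN_TLVS))
    overlong[28:30] = b"\xff\xff"
    return {"benign": build_cdp_frame(BENIGN_TLVS),
            "format_specifier": build_cdp_frame(FORMAT_TLVS),
            "overlong_tlv": bytes(overlong)}


if __name__ == "__main__":
    for label, frame in sample_frames().items():
        r = parse_cdp_frame(frame)
        print(f"{label}: v{r['version']} ttl={r['ttl']} checksum_ok={r['checksum_ok']} "
              f"tlvs={[t['name'] for t in r['tlvs']]} findings={r['findings']}")
```

Running the script prints the decoded TLVs and findings for each constructed frame. The same parser can be pointed at CDP payloads pulled from a capture to audit which hosts are still advertising on a segment where CDP is supposed to be off, which is the practical check behind the segmentation advice.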
A few facts about these vulnerabilities are as follows:
Cisco Discovery Protocol cannot be disabled completely on Cisco UCS Fabric Interconnects: it can be disabled on server ports and appliance ports, but it cannot be disabled on Ethernet uplink ports, Ethernet port-channel members, FCoE uplink ports or management ports. Those ports therefore remain exposed until fixed software is installed, and should only be connected to trusted infrastructure.
The following table summarizes the commands to disable Cisco Discovery Protocol in Cisco FXOS, Cisco IOS-XR, Cisco NX-OS, and Cisco UCS Fabric Interconnect:

| Device Operating System | Disabling Cisco Discovery Protocol on an Interface | Disabling Cisco Discovery Protocol Globally |
| --- | --- | --- |
| Cisco NX-OS | Use the no cdp enable command in interface configuration mode. | Use the no cdp enable command in global configuration mode. |
| Cisco FXOS | Use the disable cdp command in every nw-ctrl-policy that is applied to an interface. | Not applicable |
| Cisco IOS-XR | Use the no cdp command in interface configuration mode. Cisco Discovery Protocol is disabled by default on Cisco IOS-XR devices. | Use the no cdp command in global configuration mode. Cisco Discovery Protocol is disabled by default on Cisco IOS-XR devices. |
| Cisco IP Camera Firmware | Disabling Cisco Discovery Protocol may impact device functionality. Customers are encouraged to follow network segmentation best practices so that untrusted devices cannot send CDP packets to these cameras, or, preferably, to upgrade them to the available fixed software. See the security advisory for details on fixed software availability. (CVE-2020-3110) |  |
| Cisco IP Phone Firmware | Disabling Cisco Discovery Protocol may impact device functionality, since Cisco IP phones use CDP for voice VLAN assignment and PoE power negotiation. Customers are encouraged to follow network segmentation best practices so that untrusted devices cannot send CDP packets to these phones, or, preferably, to upgrade them to the available fixed software. See the security advisory for details on fixed software availability. (CVE-2020-3111) |  |
| Cisco UCS Fabric Interconnect | Use the disable cdp command in every nw-ctrl-policy that is applied to an interface. As noted above, this does not cover uplink, port-channel member, FCoE uplink or management ports. | Not applicable |
Cisco has released software updates that address all of these vulnerabilities, and each security advisory provides detailed information about how to obtain fixed software. Disabling CDP is a workaround, not a fix: after changing the configuration, confirm the result with show cdp interface and show cdp neighbors on the device, and plan the upgrade regardless, since the UCS Fabric Interconnect, IP camera and IP phone cases above cannot be fully protected by configuration alone.