February 5, 2020 (updated 07 Feb 2020 2:04pm)

Cisco Discovery Protocol is Riddled with Security Holes: Businesses Urged to Patch Troubling Flaws

Network segmentation ain't what it used to be...

By CBR Staff Writer

Cisco has patched five serious security flaws in various implementations of its Cisco Discovery Protocol (CDP) – vulnerabilities which, if exploited, could allow the theft of sensitive data flowing through corporate networks’ switches and routers.

The zero days were reported to Cisco by California-based Armis, an enterprise IoT security company, which dubbed the find “CDPwn”. The flaws include a bug that would allow an unauthenticated attacker to remotely execute code with root privileges.

CDP is a network protocol that is used to map the presence of other Cisco products in the network. It is implemented in virtually all Cisco products including switches, routers, IP phones and IP cameras; many of these devices “can not work properly without CDP”, and, Armis adds, “do not offer the ability to turn it off.”

Ben Seri, VP of Research at Armis said: “The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation. Network segmentation is often utilized as a means to provide security… network segmentation is no longer a guaranteed security strategy.”

Among the products affected by just one of the vulnerabilities are:

  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • IOS XRv 9000 Router
  • Network Convergence System 540, 560, 1000, 5000, 5500 and 6000 Series Routers

This vulnerability also affects third-party white box routers if they have Cisco Discovery Protocol enabled both globally and on at least one interface. Cisco said it has seen no evidence of any of the vulnerabilities being exploited in the wild.


Administrators can determine whether Cisco Discovery Protocol is enabled on a device by running the command "show running-config | include cdp" in the device CLI. If the command returns at least the following lines, Cisco Discovery Protocol is enabled globally and on at least one interface:

RP/0/RP0/CPU0:ios#show running-config | include cdp
Mon Dec  2 17:00:27.921 UTC
Building configuration...
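The check above is a manual one; an administrator auditing many devices will want to run it over saved CLI output instead. The following is an added example, not from the article or from Cisco, that classifies the output of "show running-config | include cdp" and reports whether the advisory's condition (CDP enabled globally and on at least one interface) holds. It assumes the IOS XR layout in which a bare "cdp" at column 0 is the global enable and an indented "cdp" under an "interface <name>" line enables it on that interface; the sample outputs are constructed, not captured from a device.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape the Cisco advisory describes for IOS XR
# (not output from a real device): a bare "cdp" line at global scope and an
# indented "cdp" beneath an interface.
SAMPLE_ENABLED = """\
RP/0/RP0/CPU0:ios#show running-config | include cdp
Mon Dec  2 17:00:27.921 UTC
Building configuration...
cdp
interface GigabitEthernet0/0/0/0
 cdp
"""

# Constructed: CDP configured globally but not on any interface.
SAMPLE_GLOBAL_ONLY = """\
RP/0/RP0/CPU0:ios#show running-config | include cdp
Building configuration...
cdp
"""

# Constructed: nothing in the running config matched "cdp".
SAMPLE_DISABLED = """\
RP/0/RP0/CPU0:ios#show running-config | include cdp
Building configuration...
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")


def cdp_status(output: str) -> Dict[str, object]:
    """Summarise CDP configuration from 'show running-config | include cdp' output.

    Assumption (IOS XR layout, not spelled out by the article): 'cdp' at
    column 0 enables the protocol globally; an indented 'cdp' under an
    'interface <name>' line enables it on that interface.  Prompt echo,
    timestamp and 'Building configuration...' lines match nothing and are
    ignored.
    """
    global_on = False
    interfaces: List[str] = []
    current: Optional[str] = None
    for raw in output.splitlines():
        m = INTERFACE_RE.match(raw)
        if m:
            current = m.group(1)
            continue
        if raw == "cdp":
            # Column-0 "cdp": global enable; also leaves any interface scope.
            global_on = True
            current = None
        elif raw.strip() == "cdp" and raw[0].isspace() and current:
            # Indented "cdp" beneath the interface line seen most recently.
            interfaces.append(current)
    return {"global": global_on, "interfaces": interfaces}


def is_exposed(output: str) -> bool:
    """True when CDP is enabled globally AND on at least one interface,
    which is the condition the advisory gives for a device being affected."""
    s = cdp_status(output)
    return bool(s["global"]) and len(s["interfaces"]) > 0


if __name__ == "__main__":
    for name, sample in [("enabled", SAMPLE_ENABLED),
                         ("global-only", SAMPLE_GLOBAL_ONLY),
                         ("disabled", SAMPLE_DISABLED)]:
        print(f"{name:12s} exposed={is_exposed(sample)} {cdp_status(sample)}")
```

Feed it the saved output of the command from each device (for example, collected over SSH by whatever inventory tooling is already in place) and triage the ones where is_exposed() returns True first.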

Four of the new vulnerabilities are critical Remote Code Execution (RCE) vulnerabilities and one is a Denial of Service (DoS) vulnerability.

  • DoS vuln: Cisco FXOS, IOS XR and NX-OS Software (CVE-2020-3120). This affects Cisco devices running NX-OS, IOS XR or FXOS software, which are vulnerable to a resource-exhaustion denial-of-service condition.
  • RCE vuln: Cisco NX-OS Software (CVE-2020-3119). This affects Cisco devices running NX-OS software, which are vulnerable to a stack buffer overflow and arbitrary write in the parsing of the Power over Ethernet (PoE) type-length-value (TLV).
  • Format string vuln: Cisco IOS XR Software (CVE-2020-3118). This affects Cisco devices running IOS XR software, which are vulnerable to improper validation of string input from fields within a CDP message that could lead to a stack overflow.
  • RCE and DoS: Cisco IP Phone (CVE-2020-3111). This affects Cisco Voice over Internet Protocol (VoIP) phones with CDP enabled, which are vulnerable to a stack overflow in the parsing of the PortID TLV.
  • RCE and DoS: Cisco Video Surveillance 8000 Series IP Cameras (CVE-2020-3110). This affects Cisco Video Surveillance 8000 Series IP cameras with CDP enabled, which are vulnerable to a heap overflow in the parsing of the DeviceID TLV.
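Three of the five bugs are the same shape: a fixed-size buffer on the stack or heap receiving a DeviceID, PortID or PoE TLV whose length the parser trusted. The following is an added example, not code from the article, Armis or Cisco, showing what a length-checked CDP TLV parser looks like. It validates each TLV's length against the header size and the remaining frame before touching the value, and refuses string TLVs larger than the buffer they would be copied into (MAX_STRING_TLV is a hypothetical size). The TLV type codes for DeviceID (0x0001) and PortID (0x0003) are the standard CDP values; the checksum is set to zero and not verified, and the sample frames are constructed rather than captured traffic.

```python
import struct
from typing import Dict, List, Tuple

CDP_HEADER_LEN = 4   # version (1 byte), TTL (1 byte), checksum (2 bytes)
TLV_HEADER_LEN = 4   # type (2 bytes), length (2 bytes); length counts these 4 bytes too
TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_NAMES = {TLV_DEVICE_ID: "DeviceID", TLV_PORT_ID: "PortID"}

# Hypothetical fixed-size buffer a naive parser would copy string TLVs into.
MAX_STRING_TLV = 256


class MalformedCDP(ValueError):
    """Raised when a frame fails a length or bounds check."""


def build_cdp(tlvs: List[Tuple[int, bytes]], version: int = 2, ttl: int = 180) -> bytes:
    """Build a CDP payload from (type, value) pairs.

    Constructed helper for the example: the checksum field is left as zero
    rather than computed, and parse_cdp() below does not verify it.
    """
    body = b"".join(struct.pack("!HH", t, TLV_HEADER_LEN + len(v)) + v for t, v in tlvs)
    return struct.pack("!BBH", version, ttl, 0) + body


def parse_cdp(payload: bytes, max_string: int = MAX_STRING_TLV) -> Dict[str, object]:
    """Parse a CDP payload, validating every TLV length before using its value.

    Each check maps to a defect class the article names: a length smaller
    than the TLV header (integer underflow), a length that overruns the
    frame (out-of-bounds read), and a string TLV longer than the buffer it
    would be copied into (stack/heap overflow).
    """
    if len(payload) < CDP_HEADER_LEN:
        raise MalformedCDP("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:CDP_HEADER_LEN])
    result: Dict[str, object] = {"version": version, "ttl": ttl, "tlvs": []}
    off = CDP_HEADER_LEN
    while off < len(payload):
        if len(payload) - off < TLV_HEADER_LEN:
            raise MalformedCDP(f"truncated TLV header at offset {off}")
        ttype, tlen = struct.unpack("!HH", payload[off:off + TLV_HEADER_LEN])
        if tlen < TLV_HEADER_LEN:
            # A length of 0..3 makes "value length = tlen - 4" wrap negative
            # in an unsigned parser; refuse instead of underflowing.
            raise MalformedCDP(f"TLV type 0x{ttype:04x} length {tlen} < header size")
        if off + tlen > len(payload):
            raise MalformedCDP(f"TLV type 0x{ttype:04x} length {tlen} overruns frame")
        value = payload[off + TLV_HEADER_LEN:off + tlen]
        if ttype in TLV_NAMES:
            if len(value) > max_string:
                raise MalformedCDP(
                    f"{TLV_NAMES[ttype]} TLV of {len(value)} bytes exceeds {max_string}-byte buffer")
            result["tlvs"].append((TLV_NAMES[ttype], value.decode("ascii", errors="replace")))
        else:
            result["tlvs"].append((f"type_0x{ttype:04x}", value))
        off += tlen
    return result


def classify(payload: bytes) -> str:
    """Return 'ok' or the reason a frame is rejected; suitable for a log line."""
    try:
        parse_cdp(payload)
        return "ok"
    except MalformedCDP as e:
        return f"rejected: {e}"


# Constructed sample frames (not captured traffic).
GOOD_FRAME = build_cdp([(TLV_DEVICE_ID, b"switch-lab-01"), (TLV_PORT_ID, b"GigabitEthernet0/1")])
OVERSIZED_DEVICE_ID = build_cdp([(TLV_DEVICE_ID, b"A" * 300)])
# Hand-built PortID TLV whose header claims 40 bytes while only 6 follow.
OVERRUN_FRAME = struct.pack("!BBH", 2, 180, 0) + struct.pack("!HH", TLV_PORT_ID, 40) + b"x" * 6
# DeviceID TLV whose length (2) is smaller than its own 4-byte header.
UNDERFLOW_FRAME = struct.pack("!BBH", 2, 180, 0) + struct.pack("!HH", TLV_DEVICE_ID, 2)

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("oversized", OVERSIZED_DEVICE_ID),
                        ("overrun", OVERRUN_FRAME), ("underflow", UNDERFLOW_FRAME)]:
        print(f"{name:10s} {classify(frame)}")
```

The same three checks are what a network monitor or fuzzing harness would assert on when exercising a CDP implementation: every rejection reason here corresponds to a frame the unpatched parsers in the article accepted.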

See also: NSA to Microsoft “Have a Massive Zero Day. Can We Be Friends Again?”

The patches come just four weeks after reports that a trio of critical vulnerabilities in the Cisco Data Center Network Manager (DCNM) product could let hackers remotely bypass authentication and waltz into enterprises’ data centre systems, owing to rudimentary security errors including hard-coded credentials.

See also: Critics Hit Out at Cisco After Security Researcher Finds 120+ Vulnerabilities in a Single Product
