Security researchers today announced details of five vulnerabilities in the widespread Cisco Discovery Protocol (CDP).

The vulnerabilities, identified by IoT cyber security company Armis, have been jointly code-named CDPwn.

They affect CDP, a proprietary Cisco protocol that lets Cisco devices share information with each other through multicast messages sent within a local network.

The CDP protocol has been implemented in the vast majority of Cisco products and has been in use since the mid-90s. It is not a widely known protocol because it is not exposed to the internet and only works within local networks.

CDPwn bugs can take over Cisco devices

In a report published today, Armis says the CDP protocol is affected by five vulnerabilities, including four remote code execution (RCE) issues that could allow an attacker to take over Cisco equipment running vulnerable implementations of the CDP protocol. The fifth is a denial of service (DoS) issue that can be used to crash devices.

The good thing is that attacks cannot be initiated via the internet. As explained above, the CDP protocol only works within local networks, on the Data Link Layer, and is not exposed on the WAN interface of a device – through which most internet attacks originate.

To exploit it, attackers must first gain a foothold in a local network, Ben Seri, VP of Research at Armis, told ZDNet in an email yesterday.

The entry point can be anything, such as an IoT device. Hackers can use this foothold to send malformed CDP messages within the local network and take over Cisco equipment.

The primary targets here would be Cisco routers, switches and firewalls, which hold the keys to a company's entire network and which ship with CDP enabled by default.

The CDPwn vulnerabilities – although not usable to remotely break into an organization’s secure network from the Internet – can be used as a way to escalate initial access, take over key points such as routers and switches to remove network segmentation and move laterally within the corporate network to attack other devices.

But CDP also ships, and is enabled by default, in other Cisco products, such as VoIP telephones and IP cameras. The CDPwn attack can also be used against these devices, Armis said.

Attackers can use CDPwn to take over the vulnerable devices such as telephones and security cameras, install malware, exfiltrate data or even listen to calls and video feeds.

According to Armis, CDPwn affects all Cisco routers with the IOS XR operating system, all Nexus switches, Cisco Firepower firewalls, Cisco NCS systems, all Cisco 8000 IP cameras and all Cisco 7800 and 8800 VOIP telephones.

“Unfortunately, most of the (CDPwn) RCE vulnerabilities that we discovered are simple heap or stack overflow vulnerabilities, so exploitation is fully possible and we were able to achieve RCE in demo exploits that we developed,” Seri told ZDNet.

“Certain of the affected devices have certain restrictive measures to prevent these floods from being abused, but unfortunately these restrictive measures are only partial and can be undermined,” he added.

Patches are available

Seri told ZDNet that Armis contacted Cisco months ago about its findings. To its credit, Cisco has worked on fixing all of the CDPwn vulnerabilities.

The network giant is expected to release patches on its secure web portal later today. The exact list of CDPwn vulnerabilities is:

Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (CVE-2020-3120)

Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (CVE-2020-3119)

Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability (CVE-2020-3118)

Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3111)

Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3110)

But there are also situations where system administrators cannot apply patches as soon as they become available. In these cases there are also some temporary mitigations.

“If possible – disabling the Cisco Discovery Protocol (CDP) should prevent these vulnerabilities from being exploited,” Seri told ZDNet.

“Disabling CDP may not be an option for some business users, so the second best way to reduce the risk of exploitation is to understand device behavior to monitor and identify abnormal activity,” Seri added.

“But the best solution is always to patch as quickly as possible.”
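One way to act on Seri's monitoring advice is to inspect CDP frames seen on a mirror port and flag malformed ones before they reach a vulnerable device. The following Python checker is an added example, not Armis or Cisco code: it walks the public CDP layout (version byte, TTL, checksum, then type/length/value triples) over constructed sample payloads, and the 256-byte string threshold is an assumed alert tuning value, not a Cisco-defined limit.

```python
import struct
# Public CDP TLV types this checker knows; string-valued ones are checked for size
# and content. MAX_STRING_LEN is an assumed alert threshold, not a Cisco limit.
TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software Version",
             0x0006: "Platform", 0x000A: "Native VLAN", 0x000B: "Duplex"}
STRING_TLVS = {0x0001, 0x0003, 0x0005, 0x0006}
MAX_STRING_LEN = 256
def parse_cdp(payload: bytes):
    """Parse a CDP payload (version, TTL, checksum, then TLVs). Returns
    (tlvs, anomalies); anomalies lists reasons a monitor should alert."""
    anomalies = []
    if len(payload) < 4:
        return [], ["payload shorter than CDP header"]
    version = payload[0]  # byte 1 is TTL, bytes 2-3 the checksum (not verified here)
    if version not in (1, 2):
        anomalies.append(f"unexpected CDP version {version}")
    tlvs, off = [], 4
    while off < len(payload):
        if len(payload) - off < 4:
            anomalies.append(f"truncated TLV header at offset {off}")
            break
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4:  # the length field includes the 4-byte TLV header
            anomalies.append(f"TLV 0x{ttype:04x} length {tlen} below header size")
            break
        if off + tlen > len(payload):
            anomalies.append(f"TLV 0x{ttype:04x} length {tlen} overruns payload")
            break
        value = payload[off + 4:off + tlen]
        if ttype in STRING_TLVS:
            name = TLV_NAMES[ttype]
            if len(value) > MAX_STRING_LEN:
                anomalies.append(f"{name} TLV is {len(value)} bytes, above threshold")
            if b"%" in value:
                anomalies.append(f"{name} TLV contains '%' (format-string suspicious)")
            if any(b < 0x20 or b > 0x7E for b in value):
                anomalies.append(f"{name} TLV contains non-printable bytes")
        tlvs.append((ttype, value))
        off += tlen
    return tlvs, anomalies

def tlv(ttype: int, value: bytes) -> bytes:
    """Build one TLV for the constructed samples; length counts the header."""
    return struct.pack("!HH", ttype, 4 + len(value)) + value

# Constructed sample payloads (not captured traffic): benign, and one with an oversized Port ID.
HEADER = bytes([2, 180, 0, 0])  # version 2, TTL 180 s, checksum left zero
BENIGN = HEADER + tlv(0x0001, b"sw-core-1") + tlv(0x0003, b"GigabitEthernet0/1")
OVERSIZED = HEADER + tlv(0x0001, b"x") + tlv(0x0003, b"A" * 2000)
```

In practice the payload would come from the bytes following the LLC/SNAP header of a captured CDP frame; the checker returns the parsed TLVs alongside the anomalies so benign announcements can still be inventoried.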