Cisco fixes critical 'CDPwn' vulnerabilities that enabled the remote hijack of millions of routers and switches
CDPwn vulnerabilities affect the proprietary Cisco Discovery Protocol (CDP) enabled by default in almost all Cisco network devices
Cisco has released patches to address five critical security vulnerabilities in the Cisco Discovery Protocol (CDP), which could enable attackers to remotely hijack millions of enterprise routers and switches.
The flaws, collectively named 'CDPwn,' were discovered by researchers at security firm Armis in August 2019, who reported the flaws to Cisco. They also worked together with Cisco to evaluate the risks and to produce thoroughly tested patches for the bugs.
According to the researchers, the five vulnerabilities affect CDP enabled by default in almost all Cisco devices, including routers, switches, cameras and IP phones. The protocol enables them to share identification and other information with each other through multicast messages inside local networks.
However, CDP operates only at the data link layer: its frames are sent to a reserved link-local multicast MAC address, are consumed by the neighbouring device and are never routed, so they do not cross into a wide-area network. Attacks exploiting the CDPwn vulnerabilities therefore cannot be mounted over the internet; the attacker must already be on the same Layer 2 segment as the target, for example via a compromised host or a rogue device plugged into an access port.
Out of five vulnerabilities, four are remote code execution bugs while the fifth is a denial of service (DoS) flaw.
- CVE-2020-3118 is a format string bug in the IOS XR implementation, which can be used by an attacker to gain control over the target router and then use it for further attacks;
- CVE-2020-3119 is a stack overflow flaw in the NX-OS implementation that could enable an attacker to gain control over the switch and the network infrastructure behind it, to remove segmentation, and to hop between virtual LANs;
- CVE-2020-3110 is a heap overflow flaw affecting Cisco Video Surveillance 8000 Series IP Cameras;
- CVE-2020-3111 is a stack overflow vulnerability affecting the parsing function for the Port ID within IP phones; and,
- CVE-2020-3120 is a DoS bug in the separate CDP implementations of Cisco FXOS, IOS XR and NX-OS Software.
To exploit these bugs, an attacker first needs a foothold inside a local network. From there, the bugs can be used to consolidate that presence and to move deeper into the network, compromising further devices.
After taking over key points such as switches and routers, attackers can begin intercepting unencrypted network traffic or reach the company's Active Directory, which handles authentication for devices and users.
"Enterprises owning any of the impacted devices listed above should immediately update their software with the updates that Cisco has provided," Armis researchers warned.
"Until these updates can be completed, enterprises should assume that all impacted devices are exposed to attack, and their behaviour should be closely monitored to detect anomalies and other indications of attack."
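The frame layout described above (link-local multicast, Layer 2 only, a list of type-length-value fields) is also what a passive sensor would inspect if it took the advice to monitor CDP-enabled segments for anomalies. The following decoder is an added example written for this article; it is not code from Armis, Cisco or the original page. It parses the 802.3 + LLC/SNAP encapsulation CDP uses, walks the TLV list, and flags two things a sensor can check without knowing any exploit details: TLV lengths that do not fit inside the frame, and Port ID or Power Requested TLVs far larger than a legitimate neighbour sends. The size thresholds, the sample frames and the source MAC are constructed assumptions for illustration, and the CDP checksum is not verified.

```python
"""Minimal Cisco Discovery Protocol (CDP) frame decoder with anomaly checks.

Added example; not code from the article, Armis or Cisco. Decodes the
802.3 + LLC/SNAP encapsulation CDP uses and walks the TLV list, flagging
frames a passive sensor could alert on. Thresholds are assumed values.
"""
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")   # 01:00:0c:cc:cc:cc, link-local
# LLC (DSAP/SSAP 0xAA, control 0x03) + SNAP (Cisco OUI 00:00:0c, protocol id 0x2000)
LLC_SNAP_CDP = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + bytes.fromhex("2000")

TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_NATIVE_VLAN = 0x000A
TLV_POWER_REQUESTED = 0x0019

# Assumed sanity limits for the sensor; baseline them against your own network.
MAX_PORT_ID_LEN = 64
MAX_POWER_REQUESTED_LEN = 32


def build_cdp_frame(src_mac, tlvs, version=2, ttl=180):
    """Construct a raw CDP frame for test input. Checksum is left as zero."""
    body = struct.pack("!BBH", version, ttl, 0)
    for ttype, value in tlvs:
        body += struct.pack("!HH", ttype, 4 + len(value)) + value   # length covers the header
    payload = LLC_SNAP_CDP + body
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", len(payload)) + payload


def parse_cdp_frame(frame):
    """Decode a CDP frame into its TLVs plus a list of anomaly strings."""
    if len(frame) < 14 + len(LLC_SNAP_CDP) + 4:
        raise ValueError("frame too short to be CDP")
    dst, src = frame[0:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]       # 802.3 length field
    if dst != CDP_MULTICAST_MAC:
        raise ValueError("destination is not the CDP multicast MAC")
    payload = frame[14:14 + length]
    if not payload.startswith(LLC_SNAP_CDP):
        raise ValueError("LLC/SNAP header does not carry the CDP protocol id")
    body = payload[len(LLC_SNAP_CDP):]
    version, ttl, _checksum = struct.unpack("!BBH", body[0:4])   # checksum not verified

    tlvs, anomalies = [], []
    off = 4
    while off < len(body):
        if off + 4 > len(body):
            anomalies.append(f"truncated TLV header at offset {off}")
            break
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        # A TLV length below 4 or running past the frame is malformed by definition.
        if tlen < 4 or off + tlen > len(body):
            anomalies.append(f"TLV 0x{ttype:04x} at offset {off} declares length {tlen}, which does not fit")
            break
        value = body[off + 4:off + tlen]
        tlvs.append((ttype, value))
        if ttype == TLV_PORT_ID and len(value) > MAX_PORT_ID_LEN:
            anomalies.append(f"Port ID TLV is {len(value)} bytes (limit {MAX_PORT_ID_LEN})")
        if ttype == TLV_POWER_REQUESTED and len(value) > MAX_POWER_REQUESTED_LEN:
            anomalies.append(f"Power Requested TLV is {len(value)} bytes (limit {MAX_POWER_REQUESTED_LEN})")
        off += tlen

    return {"src": src.hex(":"), "version": version, "ttl": ttl, "tlvs": tlvs, "anomalies": anomalies}


# Constructed sample frames (not captures): a benign neighbour announcement,
# one with an oversized Port ID, and one whose TLV length runs past the frame.
SRC = bytes.fromhex("001122334455")
BENIGN = build_cdp_frame(SRC, [
    (TLV_DEVICE_ID, b"sw1"),
    (TLV_PORT_ID, b"GigabitEthernet0/1"),
    (TLV_NATIVE_VLAN, struct.pack("!H", 1)),
])
OVERSIZED_PORT_ID = build_cdp_frame(SRC, [(TLV_DEVICE_ID, b"x"), (TLV_PORT_ID, b"A" * 300)])

# Patch the first TLV's length field (ethernet 14 + LLC/SNAP 8 + CDP header 4 + type 2)
# so it claims 256 bytes the frame does not contain.
_bad = bytearray(build_cdp_frame(SRC, [(TLV_DEVICE_ID, b"sw1")]))
struct.pack_into("!H", _bad, 14 + len(LLC_SNAP_CDP) + 4 + 2, 0x0100)
BAD_LENGTH = bytes(_bad)

if __name__ == "__main__":
    for name, frame in [("benign", BENIGN), ("oversized port id", OVERSIZED_PORT_ID), ("bad length", BAD_LENGTH)]:
        result = parse_cdp_frame(frame)
        print(name, "->", "OK" if not result["anomalies"] else result["anomalies"])
```

Run on the three constructed frames, the benign announcement decodes cleanly, while the other two each produce one anomaly. In practice a sensor would feed it frames captured with the CDP multicast MAC as destination, and the thresholds should be set from a baseline of what the real neighbours on that segment send, since IP phones and switches legitimately exchange Power Requested TLVs.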