Vulnerability in Cisco Discovery Protocol

2/13/2020

We would like to inform our customers about several critical vulnerabilities in Cisco Discovery Protocol (CDP), which an unauthorized attacker can misuse to perform either a Remote Code Execution or a Denial of Service attack. There are five of these vulnerabilities, rated from CVSS 7.4 to 8.8. The identifier of each vulnerability and its CVSSv3 rating are listed below.

CVE-2020-3120: 7.4
CVE-2020-3119: 8.8
CVE-2020-3118: 8.8
CVE-2020-3111: 8.8
CVE-2020-3110: 8.8

By sending specially crafted packets to a vulnerable device, an unauthenticated attacker can exploit these vulnerabilities to achieve remote code execution or denial of service. Since CDP operates at Layer 2, the attacker must be in the same broadcast domain as the vulnerable device (typically a guest Wi-Fi network). Examples of vulnerable devices are some routers, switches, IP phones, and IP cameras using CDP. A complete list of devices for each individual vulnerability can be found on the Cisco website in the Security Advisory section or at https://kb.cert.org/vuls/id/261385/.

Cisco Discovery Protocol is enabled in the default settings on some Cisco devices, for example routers with Cisco IOS XR.

Cisco has issued a security patch for the majority of vulnerable devices; alternatively, a workaround can be used, as defined in the appropriate Security Advisory.

To find out which systems in your network are vulnerable, we recommend running a scan for these vulnerabilities with the Tenable tools: the Advanced Scan policy can be used, and the systems can be scanned for these specific vulnerabilities only. You can find the plug-ins detecting these vulnerabilities here. We further recommend disabling CDP on all your devices and performing a configuration audit and hardening of network components.
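As an illustration of the configuration audit recommended above, the following added example (not part of the original advisory and not Cisco or Tenable code) checks a saved running-config for interfaces where CDP is still active. It assumes classic IOS / IOS XE syntax, where CDP runs by default unless `no cdp run` (global) or `no cdp enable` (per interface) is present; the sample configuration is constructed.

```python
import re

# Constructed sample running-config (classic IOS / IOS XE syntax, not from a real device).
SAMPLE_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 description guest-wifi-ap
 no cdp enable
!
interface GigabitEthernet0/3
 shutdown
!
"""

def audit_cdp(config: str) -> dict:
    """Return the global CDP state and the interfaces where CDP is still active.

    Assumption: every interface stanza is treated alike; filter out logical
    interfaces (SVIs, loopbacks) as needed for your platform.
    """
    global_enabled = True      # assumed IOS default: CDP runs unless "no cdp run"
    interfaces = {}            # name -> {"cdp": bool, "shutdown": bool}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):        # a top-level line ends the interface block
            current = None
            m = re.match(r"interface (\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = {"cdp": True, "shutdown": False}
            elif line == "no cdp run":
                global_enabled = False
        elif current:
            stmt = line.strip()
            if stmt == "no cdp enable":
                interfaces[current]["cdp"] = False
            elif stmt == "shutdown":
                interfaces[current]["shutdown"] = True
    exposed = [name for name, s in interfaces.items()
               if global_enabled and s["cdp"] and not s["shutdown"]]
    return {"global_enabled": global_enabled, "exposed": exposed}

if __name__ == "__main__":
    result = audit_cdp(SAMPLE_CONFIG)
    print("CDP globally enabled:", result["global_enabled"])
    for name in result["exposed"]:
        print("CDP still active on", name)
```

Other platforms (IOS XR, NX-OS) use different commands and defaults, so the parsing rules must be adapted before using the result as audit evidence.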

Information sources:
https://www.armis.com/cdpwn/
https://kb.cert.org/vuls/id/261385/
https://tools.cisco.com/security/center/publicationListing.x
https://www.tenable.com/blog/cdpwn-cisco-discovery-protocol-vulnerabilities-disclosed-by-researchers

Contact:

David Pecl
Senior Security Specialist
AEC a.s.

david.pecl[@]aec.cz