In February of 2020, Cisco released a multitude of patches related to Cisco CDP vulnerabilities. If you did not already know, CDP stands for Cisco Discovery Protocol, and pretty much every Cisco product ever, from switches to routers to phones to security cameras, uses it in some way, shape or form.
What is CDP?
Cisco Discovery Protocol, CDP, is leveraged by Cisco devices. This is a proprietary Cisco protocol that operates at Layer 2 and allows Cisco devices to exchange information with each other. CDP packets are sent every 60 seconds from devices with the protocol enabled, so it is quite chatty.
Each Cisco device stores this information about its neighbors in a table on the device. If you have ever worked with a Cisco device, chances are you have used the show cdp neighbors command just for fun to see what is out there on your network. As you can guess, this is quite powerful.
About the Cisco CDP Vulnerabilities
Credit for discovering these vulnerabilities goes to Armis, and you can read their paper here.
The vulnerabilities are:
- CVE-2020-3110 – IP Camera remote code execution
- CVE-2020-3111 – IP Phone remote code execution
- CVE-2020-3118 – IOS XR remote code execution
- CVE-2020-3119 – NX-OS remote code execution
- CVE-2020-3120 – Denial of service of FXOS, IOS XR, and NX-OS devices
These five vulnerabilities affect virtually all Cisco customers, as you can see from the operating systems impacted. In fact, CDP is turned on by default. If you are wondering if Cisco UCS servers are impacted, the answer is yes, they are, since the Fabric Interconnect runs NX-OS.
These Cisco CDP vulnerabilities are all rated high impact at the Cisco Security Advisories page. All five vulnerabilities were announced when software updates became available.
There are no workarounds for these vulnerabilities other than disabling CDP, which may not be an option for some customers. The only way to mitigate this risk is to patch the impacted Cisco devices, which, in short, is all of them.
The Impact of Cisco Vulnerabilities
Did I mention almost every Cisco device ever is vulnerable to these attacks?
This is yet another example of why it is so important to have a patching process in place in your organization. The ability to rapidly respond to security vulnerabilities is critical, especially when the vulnerabilities are so severe.
While, in theory, everyone agrees with this statement, the fact is it is not always easy to execute, especially when it comes to core network devices like Cisco routers and switches. After all, who actually likes to touch critical networking equipment that appears to be running fine?
Remember, while things may appear to be running fine, they aren’t when vulnerabilities like this go unmitigated. It is more important than ever for even the networking team to have processes in place to respond to a security incident.
The Rise of the Infrastructure Vulnerability
When many people think of security vulnerabilities, they automatically start thinking of those poor Windows servers out there that are often the victim of ransomware. For some strange reason, many people seem to think of security as a thing for the server people to deal with, since servers are the only things that get hacked, right?
No, very, very wrong. In 2020 alone, we have already seen two major vulnerabilities at the IT infrastructure level. First was Citrix, and now it is Cisco. Not to mention all those processor-level vulnerabilities out there that impact infrastructure hardware.
Today it is so very important for us infrastructure folks to have a basic understanding of information security principles, so we can keep our infrastructures secure. Remember, anything that runs any type of operating system can be vulnerable, and our infrastructure components are no exception.