Cisco Patches Critical Vulnerabilities Impacting Millions of Devices
Armis found five critical vulnerabilities found in the Cisco Delivery Protocol (CDP) that would allow for remote code execution; CDP is found in Cisco’s IP phones, routers, and switches.
By - Cisco released patches for five critical vulnerabilities found the Cisco Delivery Protocol (CDP) of its IP phones, routers, switches, and cameras that could allow a hacker to remotely take over devices without user interaction. The flaws are found in millions of devices.
First discovered by Armis, researchers explain that CDP is the proprietary Layer 2 (Data Link Layer) network protocol used to discover information on locally connected Cisco equipment. CDP is enabled by default and used by nearly all Cisco products.
Most commonly, CDP is used to manage IP phones.
“CDP allows a switch to allocate one VLAN for voice and another for any PC that is daisy-chained to the phone,” researchers explained. “The information about these separate VLANs is passed to the IP phone over CDP. Further, many of these devices receive power via Power over Ethernet or PoE.”
“A switch can negotiate how much power to allocate for a certain device that is connected to it via CDP packets,” they added.
Flaws in the mechanism expose the devices to a potential takeover. Four of the vulnerabilities are remote code execution and one is a Denial of Service.
If exploited, a hacker could break network segmentation or exfiltrated corporate network traffic data through an organization’s switches and routers. It could also give an attacker access to additional devices using man-in-the-middle attacks by intercepting and altering traffic on the enterprise switch.
A hacker could also exploit the flaw to steal sensitive information such as phone calls from impacted devices, including IP phones and video feeds from IP cameras.
“The findings of this research are significant as Layer 2 protocols are the underpinning for all networks,” researchers wrote. “As an attack surface, Layer 2 protocols are an under-researched area and yet are the foundation for the practice of network segmentation.”
“Network segmentation is utilized as a means to improve network performance and also to provide security,” they added. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy.”
Armis disclosed the vulnerabilities to Cisco in August 2019. Cisco’s release contains methods IT and IT security leaders can use to determine whether the enterprise is running a device with the CDP vulnerability, as well as mitigation techniques.
There are no workarounds for the vulnerability, but CDP can be disabled to fully close the attack vector or on individual interfaces to reduce the risk.
“When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution,” according to the Cisco advisory.
“In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release,” it added.
