Rapid7 Analysis and Guidance: CDPwn (CVE-2020-3118)
Note: There are five different CVEs associated with the CDPwn vulnerability group. Each of them targets a different class of product and differs in severity and exploitation difficulty. All of these vulnerabilities require network adjacency to exploit due to the nature of the CDP protocol itself. Network segmentation is an important defense-in-depth strategy to mitigate the risk of these vulnerabilities. Full details on the five CVEs are available here:
- https://community.cisco.com/t5/security-blogs/insights-about-multiple-vulnerabilities-in-cisco-discovery/ba-p/4023505
- https://www.armis.com/cdpwn/
Rapid7 researchers consider CVE-2020-3118 to be the most severe and important of these vulnerabilities, due to the potential for takeover of core router infrastructure and modification or rerouting of network traffic as a side effect. The remainder of our analysis focuses on CVE-2020-3118, though our guidance reduces risk across the vulnerability family.
Description
A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. Successful exploitation can result in a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device.
Rapid7 analysis
Because CDP traffic is not forwarded across network boundaries, an attacker would need to be on the local area network, directly attached to the vulnerable switch running IOS-XR, in order to successfully exploit this vulnerability. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building. Successful exploitation could create a denial of service, or allow the attacker to bypass network segmentation to access formerly inaccessible environments. Since the affected device is a router, it’s possible that an attacker could use this vantage point to manipulate, intercept, and eavesdrop on traffic.
Guidance
Cisco has issued patches for all five vulnerabilities: https://community.cisco.com/t5/security-blogs/insights-about-multiple-vulnerabilities-in-cisco-discovery/ba-p/4023505
Cisco also recommends disabling the CDP protocol on interfaces wherever it is not needed for network operations. See Cisco’s instructions here on how to check if CDP is enabled and how to disable it on an affected device.
In addition to the CDP protocol, several vendors (including Dell and Netgear) have implemented a compatible protocol called ‘Industry Standard Discovery Protocol’ (ISDP). Due to the high likelihood of related vulnerabilities being discovered or released on the tail of the CDPwn vulnerability disclosures, Rapid7 also recommends disabling the ISD protocol wherever it is not needed for network operations; see your network vendor documentation for details.
