skout-blog

Cybersecurity Threat Advisory 0014-20: CDPwn Vulnerabilities Impact Cisco Devices

Advisory Overview

Five vulnerabilities were discovered in Cisco devices, exploiting the Cisco Discovery Protocol. The vulnerabilities are grouped under the name CDPwn and were reported by the cybersecurity firm Armis. Using this exploit, hackers could take control over Cisco routers, switches, cameras, and VoIP Phones. Cisco has released patches to remove the exploit. Currently the attack can only be made from inside a local network.

Technical detail and additional information

What is the threat?

Through Armis’ research, multiple methods of exploitation were successfully demonstrated showing the reality of this threat. The name CDPwn can be broken down into two parts. First, Cisco Discovery Protocol (CDP), a proprietary suite which allows their devices to share information between each other via multicast messages. The other part, “Pwn” which is online terminology for greatly defeating some type of challenge. CDPwn allows threat actors to take total control over high target communication devices such as Cisco routers running the IOS XR operating system, Nexus switches, Cisco Firepower firewalls, Cisco NCS systems, all Cisco 8000 IP cameras, and all Cisco 7800 and 8800 VoIP phones. When unauthorized users employ CDPwn they can do it in five different ways, either remote code executions (RCE) or a denial of service (DoS), giving them the ability to intercept traffic, eavesdrop on communications, change crucial settings, disrupt the network, and crash devices. One of the more important details is that CDP is a much older protocol, at least a couple of decades, and not well-known because it’s not exposed on the internet and works only inside local networks.

The threat ultimately comes down to unpatched Cisco software and devices. Most of these devices listed above make up network environments and so the vulnerabilities that remain present in the network will create an open avenue for misuse, unauthorized activity, damage, and loss of resources. Depending on the type of organization’s profile, size, and network layout, CDPwn can threaten the overall confidentiality, integrity, and availability of the trusted environment.

Why is this noteworthy?

Since Cisco is one of the major technology companies that provides IT products, it’s helpful to be aware that flaws are often present in software and hardware devices which are highly depended upon. Security was not a primary focus when many of these older protocols like CDP were created, which is part of the reason why new threats are always surfacing. Fortunately, there is a shift in security culture among people, processes’ and technology. Research such as this one is bringing topics to light to improve security postures all over and keeping personnel on guard of threats.

What is the exposure or risk?

Organizations that continue to unmanage Internet of Things (IoT) devices such as smart TVs, printers, smart lighting, security cameras, badge readers, which connect to the internet, are creating potential entry points for further illicit activity within the network such as CDPwn. This is the exposure, and the greater risk is that valuable points in a closely connected network without security can be actioned upon by an intruder without restraint. CDPwn would most likely be used by threats already inside a network seeking to increase their standard user privileges and have full access across the network.

What are the recommendations?

Above all, updates and patches are meant to address and fix security issues such as these. Updating and patch management is a learning experience and a highly dependable skill. Other recommendations include the following:

  • Temporary mitigations may be possible in situations where patches cannot be applied as soon as they are available. First, disable the Cisco Discovery Protocol (CDP) to prevent these vulnerabilities from being exploited. If disabling CDP cannot be done by some users, the next best mitigation would be to get visibility into the device’s behavior to monitor and identify unusual activity.
  • Be familiar with default settings on new software, hardware, and IoT devices to see if any changes can be made such as replacing default credentials for a more secure state.
  • Avoid a flat network and infrastructure by segmenting portions such as putting IoT devices in a VLAN away from critical systems or assets.
  • Stop lateral movement in its tracks by implementing two-factor authentication and limiting user account permissions.

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.