The Security Train - Cisco CDP Vulnerabilities


One of the more interesting areas of exploit development and security research is starting to focus on well-understood but largely taken-for-granted layer 2 (data-link) protocols. We see vulnerabilities all the time in the way various ICS protocols are interpreted by industrial devices such as HMIs and PLCs, partly because of the obscurity of some of the older protocols and, of course, the hardware. On occasion this spills over into the mainstream world of networking as well.

The latest vendor caught up in this interesting and under-researched area of exploitation is Cisco, with its CDP protocol (Cisco Discovery Protocol). The protocol is pretty handy if you are a network admin, as it lets network devices share information with one another, such as IP addresses, hostnames, VLAN information and operating system versions, in order to map other Cisco products within the network. It is no surprise, then, that penetration testers are also quite keen on the protocol, but for very different reasons: it gives us a wealth of information about the network that can be used and abused to launch further attacks against the network infrastructure.

That's not why we are here though. With the background on CDP covered, let's take a look at the new discoveries in a bit more detail. Cunningly named "CDPwn", the announcement contained five new vulnerabilities: four of which, if exploited successfully, would result in a remote breach and full control of network devices (think routers, switches, IP phones and so on), and the remaining one can be used to create a denial of service condition on the target. What's more, CDP is one of those pesky protocols that is enabled by default, so it is not exactly an uncommon find in corporate networks everywhere.

The 5 vulnerabilities found are listed below for reference. Four allow remote compromise of the device:

1. Cisco NX-OS Stack Overflow in the Power Request TLV (CVE-2020-3119)

2. Cisco IOS XR Format String vulnerability in multiple TLVs (CVE-2020-3118)

3. Cisco IP Phones Stack Overflow in PortID TLV (CVE-2020-3111)

4. Cisco IP Cameras Heap Overflow in DeviceID TLV (CVE-2020-3110)

And 1 Denial of Service vulnerability:

5. Cisco FXOS, IOS XR and NX-OS Resource Exhaustion in the Addresses TLV (CVE-2020-3120)
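To make the TLV structure these five bugs live in concrete, here is an added example (my own Python, not Cisco's code and not anything from the CDPwn research) that parses a CDP advertisement with the bounds checks a safe parser needs: every TLV length is validated against the bytes actually present, and the Addresses TLV entry count is treated as a claim rather than as a loop bound. The TLV type codes are the standard CDP values; the frame is a constructed sample, not a capture.

```python
import struct
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003  # standard CDP TLV type codes

def need(buf: bytes, pos: int, n: int, what: str) -> None:
    """Guard for every read below; the CDPwn parsers lacked exactly this kind of check."""
    if len(buf) - pos < n:
        raise ValueError(f"malformed CDP, {what}: need {n} bytes at offset {pos}, {len(buf) - pos} left")

def decode_addresses(value: bytes) -> list:
    """Addresses TLV: count(4), then entries of proto type(1) proto len(1) proto addr len(2) addr.
    The count is only a claim, so every entry is bounds-checked instead of trusting it."""
    need(value, 0, 4, "address count")
    count, pos, addrs = struct.unpack("!I", value[:4])[0], 4, []
    for _ in range(count):
        need(value, pos, 2, f"address entry (count claims {count})")
        proto_type, proto_len = value[pos], value[pos + 1]
        need(value, pos + 2, proto_len + 2, "protocol field")
        proto, pos = value[pos + 2:pos + 2 + proto_len], pos + 2 + proto_len
        addr_len = struct.unpack("!H", value[pos:pos + 2])[0]
        need(value, pos + 2, addr_len, "address bytes")
        addr, pos = value[pos + 2:pos + 2 + addr_len], pos + 2 + addr_len
        ipv4 = proto_type == 1 and proto == b"\xcc" and addr_len == 4  # NLPID 0xCC is IPv4
        addrs.append(".".join(map(str, addr)) if ipv4 else addr.hex())
    return addrs

def parse_cdp(payload: bytes) -> dict:
    """CDP body after the SNAP header: version(1) ttl(1) checksum(2), then TLVs of type(2)
    length(2) value, where length includes the 4-byte TLV header. Checksum is not verified."""
    need(payload, 0, 4, "CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    info, pos = {"version": version, "ttl": ttl}, 4
    while pos < len(payload):
        need(payload, pos, 4, "TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", payload[pos:pos + 4])
        if tlv_len < 4 or len(payload) - pos < tlv_len:  # shorter than its own header, or past the frame
            raise ValueError(f"malformed CDP, TLV {tlv_type:#06x} claims impossible length {tlv_len}")
        value = payload[pos + 4:pos + tlv_len]
        if tlv_type in (TLV_DEVICE_ID, TLV_PORT_ID):
            info["device_id" if tlv_type == TLV_DEVICE_ID else "port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = decode_addresses(value)
        pos += tlv_len
    return info

def tlv(t: int, v: bytes) -> bytes:
    return struct.pack("!HH", t, len(v) + 4) + v  # length covers the header, as CDP specifies
# Constructed sample advertisement (not a real capture); the checksum field is left as 0
SAMPLE = (struct.pack("!BBH", 2, 180, 0) + tlv(TLV_DEVICE_ID, b"SW-CORE-1") + tlv(TLV_PORT_ID, b"GigabitEthernet1/0/1")
          + tlv(TLV_ADDRESSES, struct.pack("!I", 1) + b"\x01\x01\xcc\x00\x04" + bytes([10, 0, 0, 1])))
```

Feeding `parse_cdp` a frame whose TLV length or address count outruns the data raises instead of reading past the end, which is the behaviour a monitoring tool or a hardened device parser wants.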

These findings are interesting on a number of fronts. Layer 2 protocols prop up networks worldwide and in many cases help maintain and support network segregation; vulnerabilities at this layer threaten to tear down those segregated walls. Perhaps it is time to start thinking about wider security strategies rather than relying on segregation alone. Time and time again on penetration tests we find that once this initial barrier has been broken (be it network pivoting after a host compromise, VLAN hopping and so on) there is very little depth to the security strategy. I have spoken over the years about security layers being much like an onion, which is a reasonably common analogy; the point being that security strategies more akin to a ping pong ball (single layer, hollow in the middle and easily squished when something unexpected happens) really need a better depth of thinking.

One should always think about the "what if". When designing a security strategy, ask yourself "what if the segregation fails?", "what if the host firewall fails?", and keep doing so until you reach ground zero. Even then, the configuration of individual network services should be designed on the assumption that there are no other elements to the security strategy.

Cisco has patched these vulnerabilities, so if you rely on any of the devices above, or related hardware in the same series, it's time to get patching. Network devices are one of the most common things to be left out of a patching policy, so now might be a good time to work them back in and settle the updates-versus-downtime argument.

If you would like to know more about how you may be vulnerable to attack, why not enquire about our free Penetration Testing Training sessions.


Andy Swift - Head of Offensive Security

Andy Swift is Head of Offensive Security at CNS Six Degrees and has written countless articles on information security. He has a particular speciality in malware and virus analysis. Andy holds Global Industrial Cyber Security Professional (GICSP) status, certifying his expertise in ICS Security Essentials for Engineering, Operating Technology and Cyber.
