5 Critical Vulnerabilities Found In Cisco Devices
Date Modified: 02/6/2020 7:24 AM EST
Description
On August 29th, 2019, the cybersecurity firm Armis Security discovered five zero-day vulnerabilities in Cisco devices, collectively referred to as “CDPwn”, which could potentially impact tens of millions of devices. CDPwn consists of five Remote Code Execution vulnerabilities, as well as one Denial of Service vulnerability. The vulnerabilities lie in the Cisco Discovery Protocol (CDP), a layer-2 networking protocol that Cisco devices use to gather information about neighboring devices connected to the same network. The CDPwn vulnerabilities could potentially be used to break network segmentation; to exfiltrate corporate network traffic traversing an organization’s switches and routers; to gain access to additional devices through man-in-the-middle attacks that intercept and alter traffic on the corporate switch; and to exfiltrate sensitive information such as phone calls from IP phones and video feeds from IP cameras. Armis Security relayed information about CDPwn to Cisco soon after discovery.
On February 5th, 2020, Cisco released patches for devices vulnerable to CDPwn exploitation. Cisco said that it is not aware of any malicious use of CDPwn as of yet. In order to exploit the vulnerabilities, attackers would first need to establish a foothold inside a target’s network, and then hop from device to device (via CDPwn exploitation) to gain significant access to and/or control over the network, potentially executing code or causing denial of service.
Many of the vulnerable Cisco products, such as desk phones, web cameras, and network switches, do not auto-update and need manual patching to receive protection. Enterprise switches and routers are often behind on patches and updates because administrators avoid the network downtime that upgrades require. CDP is implemented in virtually all Cisco products, including switches, routers, IP phones and cameras, and all of those devices ship from the factory with CDP enabled by default. According to Cisco, over 95 percent of Fortune 500 companies use Cisco Collaboration solutions.
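Because every affected device advertises itself over CDP, the advertisements a switch port receives are a convenient inventory source for the patch triage recommended on this page. The following parser is an added example, not code from the advisory, Armis or Cisco; the sample advertisement is constructed, the field layout follows the CDP protocol definition (1-byte version, 1-byte TTL, 2-byte checksum, then type/length/value TLVs whose length includes the 4-byte TLV header), and the keyword list is derived from the affected-device table on this page.

```python
import struct

# CDP TLV type codes that matter for inventory (from the CDP protocol definition).
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}

# Substrings of the Platform TLV that map to rows of the affected-device table on this page.
AFFECTED_KEYWORDS = ("IP Phone 7841", "IP Conference Phone 7832", "Nexus 7000", "MDS 9000")


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (the bytes after the SNAP header) into a dict of string TLVs.
    A TLV whose length is below 4 or runs past the payload marks the result 'truncated'
    and ends parsing, so one malformed advertisement cannot abort inventory collection."""
    if len(payload) < 4:
        raise ValueError("CDP payload too short for the 4-byte header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    fields = {"version": version, "ttl": ttl}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            fields["truncated"] = True
            break
        value = payload[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type)
        if name:
            fields[name] = value.decode("ascii", errors="replace")
        offset += tlv_len
    return fields


def needs_review(fields: dict) -> bool:
    """True when the advertised platform matches a device family from the affected table."""
    platform = fields.get("platform", "")
    return any(keyword in platform for keyword in AFFECTED_KEYWORDS)


def _tlv(tlv_type: int, text: str) -> bytes:
    value = text.encode("ascii")
    return struct.pack("!HH", tlv_type, len(value) + 4) + value


# Constructed sample advertisement (not a real capture): CDPv2, TTL 180, checksum left at zero.
SAMPLE = (struct.pack("!BBH", 2, 180, 0) + _tlv(0x0001, "phone-lab-01")
          + _tlv(0x0005, "sip78xx.12-1-1") + _tlv(0x0006, "Cisco IP Phone 7841")
          + _tlv(0x0003, "Port 1"))

# Constructed malformed advertisement: the TLV claims 40 bytes but only 3 follow.
TRUNCATED = struct.pack("!BBH", 2, 180, 0) + struct.pack("!HH", 0x0001, 40) + b"abc"

if __name__ == "__main__":
    for frame in (SAMPLE, TRUNCATED):
        parsed = parse_cdp(frame)
        print(parsed, "-> review:", needs_review(parsed))
```

Feed it the CDP payloads from a port-mirror capture and the devices flagged by needs_review are the ones to check against the “Fixed Releases” section.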
Cisco device owners should check on Cisco’s website whether their devices are listed as susceptible to CDPwn exploitation. If a device is listed as containing CDPwn vulnerabilities, its owner should immediately download and manually install the patches from Cisco’s website. Routine updates are recommended for all Cisco devices, since malicious actors rely on unpatched devices as attack vectors for infiltrating enterprise systems.
The following fix action is recommended for Cisco device owners: refer to the “Affected Products” section of the attached “CISCO CDP vulnerability for DoS.pdf” to determine whether your device(s) are listed as having CDPwn vulnerabilities and, if so, refer to the “Fixed Releases” section and download and install the patch for the device. A table listing the affected device series together with links to their respective vulnerability patch instructions is included below.
Recommendation: Partner and client organizations should have their cybersecurity teams determine which affected devices they have and patch accordingly.
Recommendation: Update Cisco devices more frequently.
| Affected Cisco Device(s) | Vulnerability Patch Instructions Link |
|---|---|
| IP Conference Phone 7832 | |
| IP Conference Phone 7832 with Multiplatform Firmware | |
| IP Conference Phone 8832 | |
| IP Conference Phone 8832 with Multiplatform Firmware | |
| IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware | |
| IP Phone 7811, 7821, 7841, 7861 Desktop Phones | |
| IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware | |
| IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones | |
| IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform Firmware | |
| Unified IP Conference Phone 8831 | |
| Unified IP Conference Phone 8831 for Third-Party Call Control | |
| Wireless IP Phone 8821 and 8821-EX | |
| Firepower 4100 series and Firepower 9300 security appliances | |
| IOS XR software | |
| MDS 9000 Series Multilayer Switches | |
| Nexus 1000 Virtual edge for VMware vSphere | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078 |
| Nexus 1000V Switch for Microsoft Hyper-V | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078 |
| Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr14976 |
| Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15079 |
| Nexus 7000 Series Switches | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073 |
| Nexus 9000 Series Fabric Switches in ACI Mode | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15072 |
| UCS 6200, 6300, and 6400 Series Fabric Interconnects | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15082, https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15111 |