Arraya Insights | February 18, 2020
Cisco has released patches for not one, not two, not three but five high-risk vulnerabilities affecting potentially tens of millions of its devices. If left unaddressed, these flaws could allow a remote attacker to take control of desktop phones, switches, routers, and even security cameras. Despite the massive assortment of possible targets, there is as yet no evidence of criminals exploiting these vulnerabilities in the wild. However, the risk is great enough that both Cisco and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have urged Cisco customers to take immediate action.
Dubbed CDPwn by Armis, the cyber security firm that first brought them to Cisco’s attention, the vulnerabilities exist within the Cisco Discovery Protocol (CDP). This Layer 2 protocol is enabled by default on most Cisco devices, which use it to discover directly connected neighbors and exchange details such as device name, platform, port, and IP address, regardless of the network-layer protocol in use. CDP carries no authentication, and the flaws sit in how a device parses the packets it receives, so all an attacker needs to do to take advantage of an unpatched system is craft a malformed CDP packet and send it toward the target device. The one constraint is that CDP frames are not routed and are not forwarded by switches: the attacker must already have a foothold on the same network segment as the target, which is why segmentation limits the blast radius but does not remove the risk.
IT teams should immediately begin patching against:
- a Cisco IP Phone Remote Code Execution and DoS Vulnerability. This allows a remote, unauthenticated attacker on the same network segment to execute arbitrary code with root privileges on the phone by sending it a crafted CDP packet, or to crash the phone so that it reboots, leading to a denial of service. The list of potentially impacted endpoints is long and includes the 7832 and 8832 versions of Cisco’s IP Conference Phone as well as multiple models from the 6800, 7800, and 8800 series of IP Phones.
- a Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability. This weakness lets an attacker execute arbitrary code on vulnerable devices. The list of potentially affected devices includes switches from the Nexus 3000, 5500, and 6000 lines as well as the UCS 6200, 6300, and 6400 series of Fabric Interconnects.
- a Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and DoS Vulnerability. An attacker can execute arbitrary code on affected cameras or force them to reboot. This vulnerability affects unpatched devices from Cisco’s Video Surveillance 8000 Series of IP cameras.
- a Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability. This one stems from a format string flaw in the CDP handling code: attacker-controlled text in a crafted packet reaches a formatting routine, which is enough to let an attacker run malicious code with administrative rights on devices running either the 32-bit or the 64-bit version of Cisco’s IOS XR Software. Affected devices include ASR 9000 Series Aggregation Services Routers, Carrier Routing System (CRS) devices, and multiple models from Cisco’s Network Convergence System (NCS) series of routers.
- a Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability. By leveraging this weak point, an attacker can force an unpatched device running Cisco’s FXOS, IOS XR, or NX-OS Software to reboot, leading to a denial of service. Once again, the list of affected products is sizeable. It includes members of the ASR, Firepower, NCS, Nexus, and UCS product families.
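To make the "malformed CDP packet" vector concrete, here is a strict parser for CDP frames with a small triage function that runs over constructed sample frames. This is an added example, not code from Arraya, Cisco, or Armis: the frame layout (802.3 length field, LLC/SNAP header with Cisco's OUI and the CDP protocol ID 0x2000, a version/TTL/checksum header, then type-length-value fields whose length includes their own 4-byte header) is the public CDP format, but the sample frames, the 255-byte string ceiling, the `triage` heuristics, and every hostname and MAC address in it are constructed for illustration. The checks it makes before trusting a length field are the ones any CDP implementation has to get right; the `%` heuristic is a crude detection for the kind of input a format string flaw would be fed.

```python
"""Strict CDP frame parser and triage for CDPwn-style malformed packets.

Added example, not Arraya's, Cisco's or Armis's code. The frame layout
(802.3 + LLC/SNAP + CDP header + TLVs) follows the public CDP format; the
sample frames, MAC addresses and triage thresholds are constructed for this
example. The CDP checksum is parsed but not verified.
"""
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")   # LLC + Cisco OUI + CDP PID
STRING_TLVS = {0x0001: "Device-ID", 0x0003: "Port-ID",
               0x0005: "Software-Version", 0x0006: "Platform"}
MAX_STRING_TLV = 255   # constructed policy ceiling; real ID strings are far shorter


class CDPError(ValueError):
    """Raised for frames a careful parser must refuse rather than guess at."""


def parse_tlvs(data):
    """Walk the TLV list; every length field is checked before it is trusted.

    CDP TLV length includes the 4-byte type/length header, so a value under 4
    would never advance the cursor, and a value past the end of the frame is a
    read (or copy) beyond the buffer, the shape of bug CDPwn is about.
    """
    tlvs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise CDPError(f"truncated TLV header at offset {offset}")
        ttype, tlen = struct.unpack("!HH", data[offset:offset + 4])
        if tlen < 4:
            raise CDPError(f"TLV 0x{ttype:04x} length {tlen} < 4 (would not advance)")
        if offset + tlen > len(data):
            raise CDPError(f"TLV 0x{ttype:04x} length {tlen} overruns frame "
                           f"by {offset + tlen - len(data)} bytes")
        tlvs.append((ttype, data[offset + 4:offset + tlen]))
        offset += tlen
    return tlvs


def parse_cdp_frame(frame):
    """Parse a raw 802.3 frame; returns a dict or raises CDPError."""
    if len(frame) < 26:   # 14 (802.3) + 8 (LLC/SNAP) + 4 (CDP header)
        raise CDPError("frame too short to hold a CDP header")
    dst, src = frame[0:6], frame[6:12]
    if dst != CDP_MULTICAST_MAC or frame[14:22] != LLC_SNAP_CDP:
        raise CDPError("not a CDP frame (wrong multicast MAC or SNAP header)")
    version, ttl, checksum = struct.unpack("!BBH", frame[22:26])
    if version not in (1, 2):
        raise CDPError(f"unknown CDP version {version}")
    return {"src": src, "version": version, "ttl": ttl,
            "checksum": checksum, "tlvs": parse_tlvs(frame[26:])}


def triage(frame):
    """Return a list of findings for one frame; an empty list means it looks sane."""
    try:
        parsed = parse_cdp_frame(frame)
    except CDPError as exc:
        return [f"MALFORMED: {exc}"]
    findings = []
    for ttype, value in parsed["tlvs"]:
        name = STRING_TLVS.get(ttype)
        if name is None:
            continue
        if len(value) > MAX_STRING_TLV:
            findings.append(f"SUSPICIOUS: {name} is {len(value)} bytes")
        if b"%" in value:   # a neighbour's name never needs printf directives
            findings.append(f"SUSPICIOUS: {name} contains format-string characters")
    return findings


# --- constructed sample frames (not captured traffic) -----------------------
def tlv(ttype, value):
    return struct.pack("!HH", ttype, len(value) + 4) + value


def build_frame(src_mac, body, version=2, ttl=180):
    payload = struct.pack("!BBH", version, ttl, 0) + body   # checksum left 0
    return (CDP_MULTICAST_MAC + src_mac + struct.pack("!H", len(LLC_SNAP_CDP) + len(payload))
            + LLC_SNAP_CDP + payload)


SRC = bytes.fromhex("001122334455")   # constructed source MAC
BENIGN = build_frame(SRC, tlv(0x0001, b"sw1.lab") + tlv(0x0003, b"GigabitEthernet1/0/7")
                     + tlv(0x0006, b"cisco WS-C3850-24T"))
# Port-ID header claims 0xFFFF bytes but only 4 follow: a length-field overrun.
OVERRUN = build_frame(SRC, tlv(0x0001, b"sw1.lab") + struct.pack("!HH", 0x0003, 0xFFFF) + b"Gi1/")
# Length below the 4-byte header size: a naive loop would spin or underflow.
UNDERFLOW = build_frame(SRC, struct.pack("!HH", 0x0001, 2))
# Device-ID full of printf directives: a format-string probe, not a hostname.
FORMAT_PROBE = build_frame(SRC, tlv(0x0001, b"%x%x%x%n") + tlv(0x0003, b"Gi1/0/1"))

if __name__ == "__main__":
    for label, frame in [("benign", BENIGN), ("overrun", OVERRUN),
                         ("underflow", UNDERFLOW), ("format", FORMAT_PROBE)]:
        print(label, triage(frame) or "clean")
```

Run it against a mirror-port capture by feeding each raw Ethernet frame to `triage`; a "MALFORMED" finding on a production segment is worth a packet capture and a look at which source MAC emitted it, since a legitimate Cisco neighbor does not send overrun length fields.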
Next Steps: Don’t let vulnerabilities sit unpatched
The number of potentially impacted devices is high and so too is the level of risk organizations face. That makes it imperative for IT to begin patching vulnerable devices as soon as possible, starting with an inventory: because CDP is on by default, the exposed population usually includes phones, cameras, and switches that nobody thinks of as systems needing maintenance. However, the size of the task isn’t the only complicating factor. Many of the devices that require updates don’t support automatic patch deployment, putting the onus on IT to update them by hand. Where a device or a port genuinely doesn’t need CDP, turning it off removes the attack surface in the meantime, but that is not a blanket answer: IP phones, for example, commonly rely on CDP for voice VLAN assignment and power negotiation, and a switch port without CDP loses the neighbor visibility that troubleshooting depends on.
Need a hand updating your system against the CDPwn vulnerabilities? Or managing your organization’s patching responsibilities in general? Arraya Solutions can help. Our Managed Security team excels at working with customers to ensure their IT environments are patched and ready for whatever the threat landscape has in store. Visit https://www.arrayasolutions.com/contact-us/ to start a conversation with our team now.
We want to hear from you! Leave us a comment on this or any of our blog posts by way of social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and unique IT learning opportunities.