Cisco patches a security glitch affecting routers, switches and phones

Cisco has issued fixes for five security glitches that can be found in a wealth of its networked enterprise products – from switches and routers to web cameras and desktop VoIP phones.  

The problems center around vulnerabilities in the implementation of the Cisco Discovery Protocol (CDP) that could let remote attackers take over the products without any user interaction. While no public exploit has been found, an attacker simply needs to send a maliciously crafted CDP packet to a target device located inside the network to take advantage of the weakness, Cisco stated.

Cisco’s CDP is a Layer 2 protocol that runs on Cisco devices and enables networking applications to learn about directly connected devices nearby, according to Cisco. It enables management of Cisco devices by discovering networked devices, determining how they are configured, and letting systems using different network-layer protocols learn about each other, according to Cisco.

The five vulnerabilities, revealed by Armis Security and dubbed CDPwn, are significant because Layer 2 protocols are the underpinning for all networks, Armis wrote in a blog about the problems.

“As an attack surface, Layer 2 protocols are an under-researched area and yet are the foundation for the practice of network segmentation. Network segmentation is utilized as a means to improve network performance and also to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy,” Armis wrote.

Cisco rated the CDP security threats as “High.” The specific warnings include:

• A CDP vulnerability the Cisco IP Phone could allow an unauthenticated, adjacent attacker to remotely execute code with root privileges or cause a reload of an affected IP phone. Affected products include a variety of Cisco IP Conference Phones model 6xxx to models 8xxx and Wireless IP Phone 8821, 8821-EX.
• A CDP implementation in Cisco NX-OS software could allow an attacker to cause a stack overflow, which could let the attacker execute arbitrary code with administrative privileges on an affected device. Impacted products include Nexus 3000, 5500, 5600, 6000 and 9000 series switches.
• A CDP vulnerability in the Cisco Video Surveillance 8000 Series IP Cameras could allow the attacker to expose the affected IP Camera for remote code execution or cause it to reload unexpectedly, resulting in a denial of service (DoS) state. This vulnerability affects Cisco Video Surveillance 8000 Series IP Cameras with the Cisco Discovery Protocol enabled when they are running a firmware version earlier than 1.0.7, Cisco stated.
• A CDP exposure in Cisco IOS XR software could let an attacker cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Products impacted include ASR 9000 Series Aggregation Services Routers, IOS XRv 9000 Router, Network Convergence System (NCS) 540, 560, 1000, 5000, 6000 Series Routers. Cisco noted, too, that this vulnerability also affects third-party white-box routers if they have CDP enabled both globally and on at least one interface and if they are running a vulnerable release of Cisco IOSR XR Software.
• A CDP weakness in Cisco FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to exhaust system memory, causing the device to reload. Affected products include a wide variety of Cisco gear from the ASR 9000 Series Aggregation Services Router and NCS Series Routers to the Nexus family and UCS Series.

Armis said it discovered the bugs in August last year as worked with Cisco to develop patches which Cisco says are available for free.