Cisco patches 'CDPwn' bug affecting tens of millions of devices

Cisco has issued software updates for a large number of enterprise devices, after security researchers discovered easily exploitable vulnerabilties in them that allows remote code execution, denial of service attacks and network segmentation traversal.

Security researchers Armis homed in on the Cisco Discovery Protocol (CDP), which is used to keep track on which devices are connected to certain local area networks (LANs).

CDP is Cisco's variant of the standard Link Layer Discover Protocol (LLDP).

It is enabled by default in almost all Cisco devices, which send regular broadcast packets that are parsed and stored by network switches.

Armis found [pdf] that it was possible to exploit several trivial coding flaws in the discovery protocol implementations to create attack packets that trigger crashes and memory corruption in Cisco devices.

An attacker would have to be on the same Layer 2 network broadcast domain as the vulnerabile device to exploit the flaws which Armis dubbed CDPwn.

If that's possible, an attacker could exploit CDP flaws for remote code execution, fully compromise and control devices, man in the middle interception and denial of service attacks, Armis discovered.

Exploiting the CDPwn flaws also allows traversal between virtual LAN segments, the security vendor said.

Cisco has rated the bugs as high impact. They affect a large number of devices, including the Cisco FXOS, IOS XR and NX-OS software that runs on the company's enterprise routers and switches.

On Cisco IOS XR, CDP is disabled by default; however, it is enabled by default on Cisco FXOS and NX-OS both globally and on all network interfaces.

On Cisco IP phones CDPwn can be exploited for remote code execution, ditto on the Video Surveillance 8000 Series IP cameras which can also be crashed by the flaw.

Armis hinted that there could be further vulnerabilities lurking in discovery protocols.

"In addition to the discovered vulnerabilities, it seems the attack surface of Layer 2 protocols, used by network appliances is significant and largely unexplored.

These protocols are in use by a wide array of devices, and are enabled by default in the majority of them," the researchers wrote.