This report covers five vulnerabilities affecting a wide range of Cisco products, collectively referred to as CDPwn. Because the flaws sit in the CDP handling of switches, routers, IP phones and cameras, they can expose large parts of a network's infrastructure; patches are already available from Cisco.
CDPwn, as the name suggests, concerns CDP (Cisco Discovery Protocol), the protocol Cisco devices use to announce themselves to their directly attached neighbours. CDP is a Cisco-proprietary Layer 2 (data link) protocol: each device periodically sends an announcement frame to a reserved CDP multicast MAC address, and that frame is consumed by the switch or other CDP-aware device at the far end of the link rather than being routed any further. CDP is enabled by default on most Cisco devices, including the switches, routers, IP phones and cameras affected here.
Exploiting these vulnerabilities requires the attacker to be on the same local network segment as the target: CDP frames are never routed, so the attacker must be Layer 2 adjacent to the device. A remote attacker would therefore first need a foothold inside the network, obtained through some other weakness in an edge device or an end-user machine. From there, depending on the Cisco device and the environment, the attacker can send specially crafted CDP multicast frames to the target, and successful exploitation gives a strong chance of further lateral movement and broader disruption.
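The frame format and the attack surface described in the two paragraphs above, as an added example that is not part of the original report and is not Cisco's code: a Python builder and a strict parser for CDP announcement frames (the CDP multicast MAC, LLC/SNAP encapsulation, version/TTL/checksum header and TLVs), plus a small triage rule of the kind a detection engineer would run over frames captured on a segment where CDP is still enabled. Device names, MAC and IP addresses are constructed, the triage policy (alert on frames that fail strict parsing or come from a MAC outside the infrastructure inventory) is an assumption, and the odd-length checksum handling follows the behaviour Wireshark's CDP dissector implements. Since a device processes these frames from any Layer 2 neighbour, the parser checks every length field against the bytes actually present before using it and rejects anything inconsistent.

```python
"""Build, parse and triage Cisco Discovery Protocol (CDP) announcements. Added example
for this report, not Cisco's code; all names, MACs and addresses are constructed."""
import struct

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")        # destination of every CDP announcement
CDP_LLC_SNAP = bytes.fromhex("aaaa03" "00000c" "2000")   # DSAP/SSAP/ctrl, Cisco OUI, CDP protocol id
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 1, 2, 3
TLV_STRINGS = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id"}

def cdp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; an odd trailing byte is folded in as the
    low half of the last word (Cisco's behaviour, as Wireshark's CDP dissector has it)."""
    if len(data) % 2:
        data = data[:-1] + b"\x00" + data[-1:]
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, len(value) + 4) + value  # length counts the 4-byte header

def wrap_cdp(body: bytes, src_mac: str, ttl: int = 180) -> bytes:
    """Prepend the CDPv2 header (checksum over header + TLVs), LLC/SNAP and the 802.3 header."""
    cdp = struct.pack("!BBH", 2, ttl, cdp_checksum(struct.pack("!BBH", 2, ttl, 0) + body)) + body
    payload = CDP_LLC_SNAP + cdp
    return CDP_MULTICAST_MAC + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", len(payload)) + payload

def build_cdp_frame(src_mac: str, device_id: str, port_id: str, ipv4: str) -> bytes:
    """The announcement a switch sends out of one port, carrying one IPv4 management address."""
    addr = bytes(int(o) for o in ipv4.split("."))
    # Addresses TLV: entry count, then per entry: proto type 1 (NLPID), proto length 1,
    # protocol 0xCC (IP), address length, address bytes.
    addresses = struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", len(addr)) + addr
    body = tlv(TLV_DEVICE_ID, device_id.encode()) + tlv(TLV_ADDRESSES, addresses) + tlv(TLV_PORT_ID, port_id.encode())
    return wrap_cdp(body, src_mac)

def decode_addresses(value: bytes) -> list:
    if len(value) < 4:
        raise ValueError("addresses TLV too short")
    count, off, out = struct.unpack("!I", value[:4])[0], 4, []
    for _ in range(count):
        if off + 2 > len(value) or off + 4 + value[off + 1] > len(value):
            raise ValueError("truncated address entry")
        ptype, plen = value[off], value[off + 1]
        proto, off = value[off + 2:off + 2 + plen], off + 2 + plen
        alen = struct.unpack("!H", value[off:off + 2])[0]
        addr, off = value[off + 2:off + 2 + alen], off + 2 + alen
        if len(addr) != alen:
            raise ValueError("address length %d exceeds TLV" % alen)
        out.append(".".join(map(str, addr)) if (ptype, proto, alen) == (1, b"\xcc", 4) else addr.hex())
    return out

def parse_cdp_frame(frame: bytes) -> dict:
    """Strict decoder: every length field is checked against the bytes actually present."""
    dst, src, length = frame[:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    payload = frame[14:14 + length]
    if len(payload) != length:
        raise ValueError("802.3 length field %d exceeds captured bytes" % length)
    if dst != CDP_MULTICAST_MAC or payload[:8] != CDP_LLC_SNAP or len(payload) < 12:
        raise ValueError("not a CDP announcement")
    cdp = payload[8:]
    version, ttl, csum = struct.unpack("!BBH", cdp[:4])
    if version not in (1, 2) or cdp_checksum(cdp[:2] + b"\x00\x00" + cdp[4:]) != csum:
        raise ValueError("bad CDP version or checksum")
    info, off = {"src_mac": src.hex(":"), "version": version, "ttl": ttl}, 4
    while off < len(cdp):
        if off + 4 > len(cdp):
            raise ValueError("truncated TLV header at offset %d" % off)
        ttype, tlen = struct.unpack("!HH", cdp[off:off + 4])
        if tlen < 4 or off + tlen > len(cdp):    # the bounds check a fragile parser omits
            raise ValueError("TLV 0x%04x length %d out of bounds" % (ttype, tlen))
        value = cdp[off + 4:off + tlen]
        if ttype in TLV_STRINGS:
            info[TLV_STRINGS[ttype]] = value.decode("ascii", "replace")
        elif ttype == TLV_ADDRESSES:
            info["addresses"] = decode_addresses(value)
        off += tlen
    return info

def triage(frame: bytes, known_infrastructure: set) -> str:
    """Detection rule (assumed policy, not from the report): alert on announcements that
    fail strict parsing or that come from a MAC not in the switch/router inventory."""
    try:
        info = parse_cdp_frame(frame)
    except ValueError as exc:
        return "ALERT malformed CDP frame: %s" % exc
    if info["src_mac"] not in known_infrastructure:
        return "ALERT CDP from unknown source %s claiming to be %r" % (info["src_mac"], info.get("device_id"))
    return "ok neighbour %s on %s" % (info.get("device_id"), info.get("port_id"))

# Constructed samples: a legitimate uplink announcement, the same one from an unknown MAC,
# and a frame whose only TLV claims 1024 bytes while carrying 10 (its checksum is valid).
CORE_SWITCH_MAC = "00:1a:2b:3c:4d:5e"
GOOD_FRAME = build_cdp_frame(CORE_SWITCH_MAC, "sw-core-01", "GigabitEthernet1/0/1", "10.0.0.2")
ROGUE_FRAME = GOOD_FRAME[:6] + bytes.fromhex("deadbeef0001") + GOOD_FRAME[12:]
BAD_FRAME = wrap_cdp(struct.pack("!HH", TLV_DEVICE_ID, 1024) + b"sw-core-01", CORE_SWITCH_MAC)
```

Calling triage(frame, {CORE_SWITCH_MAC}) on the three samples returns an "ok neighbour" line for GOOD_FRAME, an "ALERT CDP from unknown source" line for ROGUE_FRAME (the checksum does not cover the source MAC, so a spoofed announcement parses cleanly and only the inventory check catches it), and an "ALERT malformed CDP frame" line for BAD_FRAME, where the oversized TLV length is rejected before any byte past the end of the frame is touched. The sample announcement is deliberately an odd number of bytes so the Cisco-style checksum fold is exercised on both the build and parse paths.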
Impact of Cisco Vulnerabilities
Successful exploitation could result in loss of control over critical pieces of network infrastructure, opening the way to lateral movement, denial of service, unauthorized configuration changes, data transfer out of the network, packet capture and more. Lateral movement in particular can proceed from one CDP-enabled device to the next: a compromised switch can send malicious announcement frames to the switches attached to it and exploit those in turn. Full control over IP phones and cameras would additionally let an attacker collect audio and video from the environment.
Recommendation for Protecting Against CDPwn
It is highly encouraged that you use the Cisco links in the supporting documentation section below to apply the available patches as soon as possible. Because the flaws are only reachable through CDP frames, disabling CDP on interfaces that do not need it (on Cisco IOS, "no cdp enable" on the interface, or "no cdp run" to turn it off globally) shrinks the exposed surface in the meantime, but it narrows the attack surface rather than removing the bug and is not a substitute for patching. Please also review the general network architecture practices below:
IBM X-Force Exchange:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed accordingly.