Cisco Patches Critical CDPwn Vulnerabilities

Delaware, USA – February 6, 2020 – Cisco patched five critical vulnerabilities in Cisco Discovery Protocol (CDP) that were collectively named CDPwn, four of them could lead to remote code execution. “CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to discover information about locally attached Cisco equipment. CDP is implemented in virtually all Cisco products including switches, routers, IP phones, and cameras. All those devices ship from the factory with CDP enabled by default,” – says cybersecurity firm Armis, who discovered and reported these vulnerabilities to the vendor. “Exploitation of the RCE vulnerabilities can lead to breaking of network segmentation, data exfiltration of corporate network traffic traversing through an organization’s switches and routers, gaining access to additional devices by leveraging man-in-the-middle attacks by intercepting and altering traffic on the corporate switch, data exfiltration of sensitive information such as phone calls from devices like IP phones and video feeds from IP cameras.”

CDPwn vulnerabilities were discovered in August 2019, and Armis’ researchers closely worked with Cisco to develop and test mitigations and patches which are available on the Security Advisory page. To exploit CDPwn vulnerabilities, adversaries need to infect a system inside a corporate network, as CDP protocol works inside local networks only. This seems to be reassuring, but there are tens of millions of vulnerable devices in the world, and state-sponsored groups can use them in cyber espionage campaigns in the near future, so it is necessary to check and patch vulnerable devices as soon as possible. You can also use APT Framework rule pack, which adds sophistication to your existing security solutions connecting the dots between low-level SIEM incidents and linking them to high-confidence compromises: https://my.socprime.com/en/integrations/apt-framework