5 Critical Vulnerabilities Found In Cisco Devices

Posting ID 122764
Date Added: 02/6/2020 7:00 AM EST
Date Modified: 02/6/2020 7:24 AM EST
E-ISAC Staff

Description

On August 29th, 2019, the cybersecurity firm Armis Security discovered five zero-day vulnerabilities in Cisco devices, collectively referred to as “CDPwn”, which could potentially impact tens of millions of devices. CDPwn consists of five Remote Code Execution vulnerabilities, as well as one Denial of Service vulnerability. CDPwn targets the Cisco Discovery Protocol (CDP), a layer-2 networking protocol that Cisco devices use to gather information about devices connected to the same network. The CDPwn vulnerabilities could potentially be used to break network segmentation, to exfiltrate corporate network traffic traversing an organization’s switches and routers, to gain access to additional devices through man-in-the-middle attacks that intercept and alter traffic on the corporate switch, and to exfiltrate sensitive information such as phone calls from IP phones and video feeds from IP cameras. Armis Security relayed information about CDPwn to Cisco soon after discovery.

On February 5th, 2020, Cisco released patches for devices vulnerable to CDPwn exploitation. Cisco said that they are not aware of any malicious use of CDPwn as of yet. In order to exploit the vulnerabilities, attackers would first need to establish a foothold inside a target’s network, and then hop from device to device (via CDPwn exploitation) to gain significant access to and/or control over the network and potentially execute code or cause denial of service.

Many of the vulnerable Cisco products—such as desk phones, web cameras, and network switches—do not auto-update and must be patched manually to receive protection. Enterprise switches and routers are often behind on patches and updates because updating them causes network downtime that operators try to avoid. CDP is implemented in virtually all Cisco products, including switches, routers, IP phones and cameras, and all of those devices ship from the factory with CDP enabled by default. According to Cisco, over 95 percent of Fortune 500 companies use Cisco Collaboration solutions.

Cisco device owners should check Cisco’s website to see whether their devices are listed by Cisco as susceptible to CDPwn exploitation. If a device is listed as containing CDPwn vulnerabilities, its owner should immediately download the patch from Cisco’s website and install it manually. Routine updates are recommended for all Cisco devices, since malicious actors rely on unpatched devices as entry points for infiltrating enterprise systems.

The following fix action is recommended for Cisco device owners: please refer to the “Affected Products” section of the attached “CISCO CDP vulnerability for DoS.pdf” to determine whether or not your device(s) are listed as having CDPwn vulnerabilities and, if so, refer to the “Fixed Releases” section, and download and install the patch for the device. A table containing both the affected device series and links to their respective vulnerability patch instructions has been included below.

Recommendation: Partners and Client organizations should have cyber security teams determine which affected devices they have and patch accordingly.

Recommendation: Update Cisco devices more frequently.
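Determining which affected devices are present usually starts from an inventory, and the CDP advertisements the devices themselves send every few seconds are one convenient source: each one carries a Device ID, Platform and Software Version TLV. The following parser is an added example written for this posting; it is not code from E-ISAC, Cisco or Armis. It reads raw 802.3 frames (for instance from a packet capture), keeps only CDP frames (multicast MAC 01:00:0c:cc:cc:cc with the Cisco SNAP protocol ID 0x2000), extracts the inventory TLVs, and flags platforms whose string matches a watchlist you build from Cisco’s affected-products list. The sample frames, the MAC addresses, the platform strings and the watchlist keyword are all constructed for the example, and the parser refuses any frame whose length fields do not fit inside the frame rather than trusting them.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# CDP is carried in an 802.3 frame to this multicast MAC, behind an LLC/SNAP
# header: DSAP/SSAP 0xAA, control 0x03, Cisco OUI 00:00:0C, protocol ID 0x2000.
CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
SNAP_CDP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")

# String-valued TLV types that matter for a patch inventory.
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}


@dataclass
class CdpSummary:
    src_mac: str
    version: int
    ttl: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_cdp_frame(frame: bytes) -> Optional[CdpSummary]:
    """Summarise one CDP advertisement; None if not CDP or malformed."""
    if len(frame) < 14 + 8 + 4 or frame[0:6] != CDP_MULTICAST_MAC:
        return None
    eth_len = struct.unpack("!H", frame[12:14])[0]
    if eth_len > 1500 or 14 + eth_len > len(frame):
        return None                      # 802.3 length does not fit the frame
    if frame[14:22] != SNAP_CDP_HEADER:
        return None
    body = frame[22:14 + eth_len]        # CDP header (4 bytes) followed by TLVs
    if len(body) < 4:
        return None
    summary = CdpSummary(frame[6:12].hex(":"), version=body[0], ttl=body[1])
    offset = 4                           # skip version, TTL, checksum
    while offset < len(body):
        if offset + 4 > len(body):
            return None                  # truncated TLV header
        tlv_type, tlv_len = struct.unpack("!HH", body[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(body):
            return None                  # TLV length is malformed: do not index with it
        value = body[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type)
        if name is not None:
            summary.fields[name] = value.decode("ascii", errors="replace")
        offset += tlv_len
    return summary


def build_cdp_frame(src_mac: bytes, tlvs: List[Tuple[int, bytes]]) -> bytes:
    """Build a CDPv2 frame for testing (checksum left zero; not verified here)."""
    body = bytes([2, 180, 0, 0])         # version 2, TTL 180 s, checksum 0
    for tlv_type, value in tlvs:
        body += struct.pack("!HH", tlv_type, 4 + len(value)) + value
    eth_len = len(SNAP_CDP_HEADER) + len(body)
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", eth_len) + SNAP_CDP_HEADER + body


def inventory_cdp(frames: List[bytes], watchlist: List[str]) -> Dict[str, dict]:
    """Map each CDP-advertising MAC to its reported fields, flagging platforms
    that contain any watchlist entry (case-insensitive substring match)."""
    result: Dict[str, dict] = {}
    for frame in frames:
        summary = parse_cdp_frame(frame)
        if summary is None:
            continue
        platform = summary.fields.get("platform", "")
        result[summary.src_mac] = {**summary.fields,
                                   "flagged": any(w.lower() in platform.lower() for w in watchlist)}
    return result


# Constructed sample traffic: two CDP advertisers, one ARP frame, and one CDP
# frame whose single TLV claims 1024 bytes in an 8-byte body (must be rejected).
SAMPLE_FRAMES = [
    build_cdp_frame(bytes.fromhex("001122334455"), [
        (0x0001, b"SEP001122334455"), (0x0003, b"Port 1"),
        (0x0005, b"sip88xx.example-firmware"), (0x0006, b"Cisco IP Phone 8841")]),
    build_cdp_frame(bytes.fromhex("66778899aabb"), [
        (0x0001, b"core-sw1"), (0x0006, b"cisco EXAMPLE-SWITCH")]),
    bytes.fromhex("ffffffffffff" "66778899aabb" "0806") + b"\x00" * 46,
    CDP_MULTICAST_MAC + bytes.fromhex("ccddeeff0011") + struct.pack("!H", 16)
    + SNAP_CDP_HEADER + bytes([2, 180, 0, 0]) + struct.pack("!HH", 0x0001, 0x0400),
]

if __name__ == "__main__":
    # Watchlist keyword is a constructed example; build yours from Cisco's list.
    for mac, info in inventory_cdp(SAMPLE_FRAMES, ["IP Phone 88"]).items():
        print(mac, info)
```

Feed real frames from a capture taken on a span port or on the access switch itself; devices that never appear have CDP disabled or are not Cisco, and those that do appear give you the platform and firmware strings to compare against the “Affected Products” and “Fixed Releases” sections of the Cisco advisory.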

Affected Cisco Device(s) | Vulnerability Patch Instructions Link
IP Conference Phone 7832 | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96069
IP Conference Phone 7832 with Multiplatform Firmware | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96060
IP Conference Phone 8832 | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96071
IP Conference Phone 8832 with Multiplatform Firmware | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96064
IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96065 and https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96067
IP Phone 7811, 7821, 7841, 7861 Desktop Phones | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96739
IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96063
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96066 and https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96069
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform Firmware | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96058 and https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96059
Unified IP Conference Phone 8831 | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96738
Unified IP Conference Phone 8831 for Third-Party Call Control | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96057
Wireless IP Phone 8821 and 8821-EX | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr96070
Firepower 4100 Series and Firepower 9300 Security Appliances | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15083
IOS XR Software | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr150824
MDS 9000 Series Multilayer Switches | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073
Nexus 1000 Virtual Edge for VMware vSphere | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078
Nexus 1000V Switch for Microsoft Hyper-V | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr14976
Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15079
Nexus 7000 Series Switches | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073
Nexus 9000 Series Fabric Switches in ACI Mode | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15072
UCS 6200, 6300, and 6400 Series Fabric Interconnects | https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15082 and https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15111

Category Type:
Cyber Security
TLP - White
Shared Count (21)
  • Advanced Portal Users Group
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DHS - NICC, NCCIC, US-CERT, etc
  • DNG-ISAC
  • DNG-ISAC Portal
  • DOE Complex
  • E-ISAC Administrators
  • E-ISAC AOO Members
  • E-ISAC Staff
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • FS-ISAC
  • International (other ISACs, CERTs)
  • Malware Submissions
  • MS-ISAC
  • Other (inc. local/state commissions)
  • Portal Feedback
  • ThreatConnect Pilot Program
  • Trade Organizations
  • Watch Floor
Change History
  • Admin, 03/06/2020
  • E-ISAC Staff, 02/06/2020
  • E-ISAC Staff, 02/06/2020
  • E-ISAC Staff, 02/06/2020
  • E-ISAC Staff, 02/06/2020
  • E-ISAC Staff, 02/06/2020
  • E-ISAC Staff, 02/06/2020