Cisco Router Vulnerability Puts Network Segmentation at Risk

The network vendor is urging customers to patch, as attackers actively exploit the CDPwn vulnerability.

Data centers using Cisco routers with the IOS XR software need to be on alert. Cisco issued a warning last week that attackers were actively exploiting a vulnerability in the Cisco Discovery Protocol, part of a set of vulnerabilities called CDPwn.

Cisco recommended that customers upgrade to a fixed version of the software.

“There are no workarounds that address this vulnerability,” the company said in its alert. However, a patch has been available since February.

The vulnerability affects a Layer 2 protocol, meaning that attackers need to be on the same network segment (the same Layer 2 broadcast domain) as the targeted device; CDP packets are not routed across Layer 3 boundaries.

What’s significant about this particular vulnerability is that the Layer 2 protocols are the underpinning for all networks and serve as the foundation of network segmentation.

These kinds of vulnerabilities can put the network infrastructure itself at risk, reducing the effectiveness of network segmentation as a security strategy, according to Ben Seri, VP of research at Armis, the security firm that originally discovered the problem.

If attackers succeed in exploiting CDPwn, they trigger a stack overflow that allows them to execute code with administrative privileges on the targeted devices.
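The exploitation path described above starts with a CDP packet whose fields are not what the receiver expects. The following is an added example, not code from the article, Cisco, or Armis: a small bounds-checked parser for the CDP payload (the type/length/value records that follow the LLC/SNAP header), showing the length validation a receiver needs before copying any field. The sample frames are constructed by hand, the TLV type numbers are the standard CDP ones, and the checksum is deliberately not verified here (an assumption made to keep the example short).

```python
"""Bounds-checked parser for CDP (Cisco Discovery Protocol) payloads.

Added example, not from the article or from Cisco/Armis. Demonstrates how
every TLV length is validated against the bytes remaining so that a
malformed advertisement is rejected instead of being read past its buffer.
Sample frames below are constructed, not captured traffic.
"""
import struct

# Standard CDP TLV types (subset) used to name the parsed fields.
TLV_NAMES = {
    0x0001: "device_id",
    0x0003: "port_id",
    0x0004: "capabilities",
    0x0005: "software_version",
    0x0006: "platform",
}
STRING_TLVS = (0x0001, 0x0003, 0x0005, 0x0006)


class CdpParseError(ValueError):
    """Raised for any payload that fails structural validation."""


def parse_cdp_payload(payload: bytes) -> dict:
    """Parse the CDP payload that follows the LLC/SNAP header.

    Layout: version(1) ttl(1) checksum(2), then TLVs of the form
    type(2) length(2) value(length-4), all big-endian. The length field
    includes its own 4-byte header. The checksum is not verified here.
    """
    if len(payload) < 4:
        raise CdpParseError("payload shorter than the 4-byte CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise CdpParseError(f"unsupported CDP version {version}")
    result = {"version": version, "ttl": ttl, "tlvs": {}}
    offset = 4
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise CdpParseError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4:
            raise CdpParseError(f"TLV length {tlv_len} is below the header size")
        if offset + tlv_len > len(payload):
            # The check that matters: a length that overruns the buffer.
            raise CdpParseError(
                f"TLV type 0x{tlv_type:04x} claims {tlv_len} bytes, "
                f"only {len(payload) - offset} remain")
        value = payload[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"tlv_0x{tlv_type:04x}")
        if tlv_type in STRING_TLVS:
            # Text fields: decode leniently, never trust them as format strings.
            result["tlvs"][name] = value.decode("ascii", errors="replace")
        elif tlv_type == 0x0004 and len(value) == 4:
            result["tlvs"][name] = struct.unpack("!I", value)[0]
        else:
            result["tlvs"][name] = value
        offset += tlv_len
    return result


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; the length field counts the 4-byte header too."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


# Constructed sample: a well-formed advertisement from a hypothetical router.
GOOD_FRAME = (
    struct.pack("!BBH", 2, 180, 0)  # version 2, TTL 180 s, checksum left as 0
    + build_tlv(0x0001, b"lab-router-1")
    + build_tlv(0x0003, b"GigabitEthernet0/0/0/1")
    + build_tlv(0x0004, struct.pack("!I", 0x01))  # router capability bit
    + build_tlv(0x0006, b"constructed-platform")
)

# Constructed malformed sample: a TLV whose length field (1024) runs far past
# the 8 bytes of value actually present.
BAD_FRAME = (
    struct.pack("!BBH", 2, 180, 0)
    + struct.pack("!HH", 0x0001, 0x0400)
    + b"x" * 8
)


def classify(payload: bytes) -> tuple:
    """Return ("ok", device_id) or ("malformed", reason) for a payload."""
    try:
        parsed = parse_cdp_payload(payload)
    except CdpParseError as exc:
        return ("malformed", str(exc))
    return ("ok", parsed["tlvs"].get("device_id"))


if __name__ == "__main__":
    for label, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        print(label, classify(frame))
```

The same structure applies whether the receiver is a router's CDP daemon or a monitoring sensor: a device ID or port ID is untrusted input from the local segment, and the length and content of each field have to be checked before it is copied or passed to any formatting routine.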

Cisco also noted that customers who cannot upgrade their software and do not rely on the Cisco Discovery Protocol can disable the feature instead.

“CDP is not a protocol that is vital for the network,” said Olivier Huynh Van, CSO and co-founder of Gluware, a network management company. “It is mostly there to help monitoring and troubleshooting.”

Turning off CDP until the problem can be patched should not affect traffic, he told DCK.

In addition, the specific vulnerability mentioned by Cisco, which affects IOS XR, has limited impact because it’s a service provider-grade operating system. “Vulnerabilities on IOS XE would be a much larger problem for enterprise customers, as it would affect edge routers and switches,” he said.

However, other vulnerabilities in the CDPwn family affect a broader range of products, and simply shutting off CDP isn’t always an option, said Armis’s Seri.

“CDP is implemented in virtually all Cisco products including switches, routers, IP phones, and IP cameras,” he told DCK. “Many of these devices cannot work properly without CDP and do not offer the ability to turn it off.”

The vulnerability that Cisco warned about, CVE-2020-3118, and the four others that are part of CDPwn, impact tens of millions of devices, he said.

And as difficult as it is to patch traditional data center servers, patching is even more difficult – or even impossible – for newer connected devices, said Seri.

“State actors excel at operating in the shadows,” he said.

And they’re particularly good at exploiting zero-day vulnerabilities in overlooked attack surfaces, he said. “That allows them to infiltrate secure networks by targeting network appliances such as Cisco routers.”