Vulnerabilities Allow An Attacker to Remotely Take-over Devices such as IP Phones Found Almost Everywhere from Conference Rooms to Trading Floors to Government Offices 

Palo Alto, Calif., Feb. 5, 2020 — Armis, the leading enterprise IoT security company, announced the discovery of five zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP). CDP is a Cisco Proprietary Layer 2 (Data Link Layer) network protocol that is used to discover information about locally attached Cisco equipment, which aids in mapping the presence of other Cisco products in the network. CDP is implemented in virtually all Cisco products including switches, routers, IP phones and IP cameras; many of these devices can not work properly without CDP, and do not offer the ability to turn it off.  According to Cisco, 95%+ Fortune 500 companies use Cisco Collaboration solutions. The vulnerabilities, collectively called CDPwn, could allow an attacker to remotely take-over tens of millions of devices.

Four of the vulnerabilities are critical Remote Code Execution (RCE) vulnerabilities and one is a Denial of Service (DoS) vulnerability that can lead to:

  • Eavesdropping on voice and video data/calls and video feeds from IP phones and cameras, capturing sensitive conversations or images.
  • Theft of sensitive corporate data flowing through the corporate network’s switches and routers.
  • Breaking network segmentation, allowing attackers to move laterally across the corporate networks to other sensitive systems and data.
  • Compromise of device communications by leveraging man-in-the-middle attacks to intercept and alter traffic on the corporate switch.

“Increasingly, these devices can, and do, connect to the enterprise network. And large numbers of these devices end up in places that attackers find extremely valuable,” said Ben Seri, VP of Research at Armis. “The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation. Network segmentation is often utilized as a means to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy.”

Over the last few months, Armis has been working in collaboration with Cisco on this matter, to confirm the vulnerabilities, audit their technical details, evaluate the associated risk, and work through the responsible disclosure process. Cisco customers were notified and issued patches to address the vulnerabilities. To the best of both companies’ knowledge, there is no indication that CDPwn vulnerabilities have been exploited in the wild.

Updates and Mitigations
Cisco has provided patches and additional security information about this vulnerability for affected users. Click here to learn more.