Information gathered from: https://www.armis.com/cdpwn/
The white paper can be found here: https://go.armis.com/hubfs/White-papers/Armis-CDPwn-WP.pdf
The purpose of this post is not to exploit the vulnerabilities, but instead to just bring awareness.
First, I think it is important to understand what CDP, or Cisco Discovery Protocol, is before diving into what was discovered.
For starters, Cisco Discovery Protocol is proprietary to Cisco Systems and was created to help discover Cisco devices in the network landscape. The protocol runs at the Data Link Layer and works by sending a packet every minute to the multicast address 01:00:0C:CC:CC:CC, which any Cisco device will be listening on. It is also important to remember that once received, these messages are not sent on again. As a reminder, multicast is the IP service of sending a packet to several hosts, compared to broadcast, which sends to all hosts. The CDP message contains information about the sender's operating system version, IP address, sending interface, and host name, along with many other details, which makes it an incredibly useful feature when used correctly.
At the time of this post, five vulnerabilities have been disclosed: four allow remote code execution and one is a denial of service. These vulnerabilities can lead to a breakdown of network segmentation, data exfiltration, and man-in-the-middle attacks.
The first vulnerability (CVE-2020-3110) targets the Cisco 8000 Series IP cameras. It is a heap-overflow vulnerability caused by a mismatch of variable types. In short, the CDP process allocates buffer space based on the length of the Port ID that is passed in and copies the Port ID value into that buffer. However, the Port ID length is a 16-bit value while the buffer size is 8-bit, meaning an attacker can overflow the heap and conduct a remote code execution attack.
The second vulnerability (CVE-2020-3111) targets Cisco IP phones. It is a stack-overflow vulnerability caused by a failure to validate the length of the Port ID Type-Length-Value (TLV). The data is copied directly onto the stack, which if abused can lead to remote code execution and full control of the VoIP phone, since the CDP daemon process runs with root privileges.
The third vulnerability (CVE-2020-3118) targets Cisco IOS-XR Software. This is also a stack-overflow vulnerability, caused by a lack of validation of certain string fields (Device ID, Port ID, Software Version) in received CDP packets and by the way the data is formatted with the sprintf function. In short, the CDP packet's contents are copied into the router's memory. Because of this, an attacker can use format tokens such as %s, %x, or %n to print data to out-of-bounds memory locations. If abused, the vulnerability can lead to remote code execution and, once again, full control over the router.
The fourth vulnerability (CVE-2020-3119) targets Cisco NX-OS Software. Like the previous one, this is a stack-overflow vulnerability, this time in the negotiation of the Power over Ethernet request fields found in CDP. Here an attacker can continuously send valid CDP packets that contain a higher power request level than the switch expects, causing a stack overflow. This then allows the attacker to gain full control of the switch.
The last vulnerability (CVE-2020-3120) affects all of the devices above. In short, this is a Denial of Service attack caused by repeatedly crashing the CDP daemon on the given device, forcing the device to reboot.
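As an added example (not code from the original post or from Armis), the following Python parser walks the TLVs of a CDP payload and flags the malformed inputs that the Port ID and string-field bugs above hinge on: a TLV length that overruns the frame, a string field longer than an 8-bit allocation can hold, and printf-style tokens in a string field. The type codes for Device ID, Port ID and Software Version are the standard CDP values; the sample payloads are constructed, not captured traffic.

```python
import struct

# Standard CDP TLV type codes for the three string fields named in the post.
TLV_DEVICE_ID, TLV_PORT_ID, TLV_SW_VERSION = 0x0001, 0x0003, 0x0005
STRING_TLVS = {TLV_DEVICE_ID, TLV_PORT_ID, TLV_SW_VERSION}


def build_cdp(tlvs):
    """Build a CDP payload (version 2, TTL 180, checksum left at 0) from
    (type, value) pairs. Constructed test data, not a captured frame."""
    body = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs)
    return struct.pack("!BBH", 2, 180, 0) + body


def audit_cdp(payload, max_string=255):
    """Walk the TLVs and return findings a defender would alert on.
    max_string=255 models a receiver that sizes its buffer with an
    8-bit length, so anything longer would not fit."""
    findings = []
    if len(payload) < 4:
        return ["truncated CDP header"]
    off = 4  # skip version, TTL, checksum
    while off < len(payload):
        if off + 4 > len(payload):
            findings.append(f"truncated TLV header at offset {off}")
            break
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        # Declared length includes the 4-byte TLV header; it must never
        # be shorter than that or run past the end of the frame.
        if tlen < 4 or off + tlen > len(payload):
            findings.append(f"TLV 0x{ttype:04x}: declared length {tlen} exceeds frame")
            break
        value = payload[off + 4:off + tlen]
        if ttype in STRING_TLVS:
            if len(value) > max_string:
                findings.append(f"TLV 0x{ttype:04x}: {len(value)}-byte string exceeds "
                                f"8-bit allocation ({max_string})")
            if b"%" in value:
                findings.append(f"TLV 0x{ttype:04x}: contains printf format token")
        off += tlen
    return findings


if __name__ == "__main__":
    print(audit_cdp(build_cdp([(TLV_DEVICE_ID, b"sw1"), (TLV_PORT_ID, b"A" * 300)])))
```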