Millions of Cisco devices vulnerable to CDPwn flaws

Enterprise networking giant Cisco is expected to release a set of software fixes on Wednesday to address five critical vulnerabilities in devices that rely on the Cisco Discovery Protocol, known to its friends as CDP.

CDP is a proprietary Layer 2 data link protocol for gathering information about networked devices. It’s implemented in almost all of Cisco’s products, including routers, switches, IP phones, and IP cameras.

Armis, the security biz that spotted the aforementioned flaws and privately reported them to Cisco, has dubbed its troublesome quintet CDPwn. The infosec outfit claims tens of millions of devices are vulnerable. CERT is planning to issue an advisory.

«The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation,» said Ben Seri, research veep at Armis, in a statement.

Seri argues his organization’s findings show that network segmentation can’t be relied on to provide security when the network infrastructure itself comes under attack.

Exploiting the CDPwn flaws involves first hacking smart TVs, printers, smart lighting, video cameras, or badge readers that have been put on a segmented portion of a corporate network to isolate them from managed corporate IT gear. The assumption is that identifying and exploiting a vulnerability in one of these typically low-security, unmanaged consumer devices provides a path to exploit the CDPwn flaws and then compromise high-value devices on other network segments by breaking network boundaries.

«Since these devices have no security, an attacker can exploit these devices to get a foothold in the organization,» an Armis video explains. «Then, using CDPwn, the attacker can target the switch with a maliciously crafted CDP packet, triggering a memory corruption on the switch, leading to remote code execution.»

With control of the switch, network eavesdropping and miscreant-in-the-middle attacks become possible. Also, once a foothold has been gained, the intruder can broadcast a packet to take over all Cisco IP phones anywhere on the network. This could allow Doom, for example, to run on an IP phone. Some might consider this an improvement.

Four of the CVE-listed vulnerabilities are described as critical remote-code execution holes; the fifth is a denial-of-service bug:

  • Cisco FXOS, IOS XR and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (CVE-2020-3120)
  • Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (CVE-2020-3119)
  • Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability (CVE-2020-3118)
  • Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3111)
  • Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3110)

«Enterprises who are currently using network segmentation as their only mechanism to protect Enterprise of Things (EoT) devices from attack, and to protect enterprise computers from being attacked by compromised EoT devices, should rethink their approach,» Armis explained in its technical whitepaper.

Ocularis Recorder VMS_VA Denial of Service Vulnerability

OVERVIEW

Talos is disclosing a denial-of-service vulnerability in the Ocularis Recorder. Ocularis is a video management software (VMS) platform used in a variety of settings, from convenience stores, to city-wide deployments. An attacker can trigger this vulnerability by crafting a malicious network packet that causes a process to terminate, resulting in a denial of service.

DETAILS

An exploitable denial-of-service vulnerability exists in the Ocularis Recorder functionality of Ocularis 5.5.0.242. A specially crafted TCP packet can cause a process to terminate, resulting in denial of service.

The VMS_VA server process is listening for incoming TCP connections on a port in the range of 60801-65535. When a client connects to it and sends any unexpected data, the binary will respond with «Hello World!». The binary has a check to see if the received data starts with «dispose». If it does, the server process kills itself. There is no authentication required for this command to go through. Any attacker with network access to the server application can use this to execute a denial-of-service attack.


Ocularis Recorder VMS_VA Denial of Service Vulnerability

June 5, 2018
CVE Number: CVE-2018-3852

Summary

An exploitable denial-of-service vulnerability exists in the Ocularis Recorder functionality of Ocularis 5.5.0.242. A specially crafted TCP packet can cause a process to terminate, resulting in denial of service. An attacker can send a crafted TCP packet to trigger this vulnerability.

Tested Versions

Ocularis Recorder 5.5.0.242

Product URLs

https://onssi.com/

CVSSv3 Score

7.5 — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-250 — Execution with Unnecessary Privileges

Details

This binary listens for incoming TCP connections. When a client connects to this binary and sends any unexpected data, the binary will respond with «Hello World!». If the server receives the «dispose» command, it will terminate the VMS_VA process.

// The listener is bound to every interface on port 60801 plus the recorder's ConfigID (60801-65535).
this.tcpListener = new TcpListener(IPAddress.Any, 60801 + ConfigID);
Thread thread = new Thread(new ThreadStart(this.ListenForClients))
{
    Name = "VA CommServer V4 Listener"
};
..........
// No authentication: any client whose data starts with "dispose" stops the server loop.
if (str.StartsWith("dispose"))
{
    this.Running = false;
    bytes = Encoding.Default.GetBytes("Ack!");
}

The binary has a check to see if the received data starts with «dispose». If it does, the «this.Running» variable is set to false, which results in the process killing itself. There is no authentication required for this command to go through.
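The following is an added illustration, not code from the advisory or from the vendor: the decompiled C# command check above is modelled in Python, first as the advisory describes it and then in a hardened form that only honours «dispose» from a loopback peer presenting a shared secret. The secret, the loopback restriction and the «dispose <token>» syntax are assumptions chosen for the example; the listener thread and socket loop are omitted so only the command handling is shown.

```python
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class VaCommServer:
    """Model of the VMS_VA command handling described in the advisory."""
    running: bool = True

    def handle(self, data: bytes) -> bytes:
        # Mirrors the decompiled logic: anything that starts with "dispose"
        # stops the listener loop; everything else gets "Hello World!".
        # No check on who sent it.
        text = data.decode("latin-1")
        if text.startswith("dispose"):
            self.running = False
            return b"Ack!"
        return b"Hello World!"


@dataclass
class HardenedVaCommServer:
    """Same protocol, but stopping the service requires a local peer and a
    shared secret. Illustrative hardening (assumed), not the vendor's fix."""
    secret: bytes            # assumed: provisioned out of band on the host
    running: bool = True

    def handle(self, data: bytes, peer_ip: str) -> bytes:
        text = data.decode("latin-1")
        if not text.startswith("dispose"):
            return b"Hello World!"
        # Only a management component on the same host may stop the recorder.
        if not ipaddress.ip_address(peer_ip).is_loopback:
            return b"Hello World!"  # indistinguishable from unexpected data
        # Expected form (assumed): "dispose <token>"; compare in constant time.
        parts = text.split(maxsplit=1)
        token = parts[1].strip().encode("latin-1") if len(parts) == 2 else b""
        if not hmac.compare_digest(token, self.secret):
            return b"Hello World!"
        self.running = False
        return b"Ack!"
```

With the original logic a bare «dispose» from any address stops the service; with the hardened handler the same input from a remote address, or from loopback without the correct token, is treated like any other unexpected data.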

Crash Information

N/A

Exploit Proof-of-Concept

$ echo "dispose" | nc -nv 192.168.56.102 60801
192.168.56.102 60801 open
Ack!

Mitigation

This vulnerability can be mitigated by not allowing VMS_VA.exe to accept inbound connections. It is unclear whether this will have any adverse effect on the Ocularis Recorder module, as the product documentation explicitly states to allow inbound traffic to this binary.

Timeline

2018-03-05 — Vendor Disclosure
2018-06-04 — Public Release