Security Alert: Cisco Discovery Protocol Vulnerability

February 07, 2020 | Posted in: Systems Engineering Alert, IT Security

Recently, Cisco released a series of 'High Severity' vulnerabilities that relate to the Cisco Discovery Protocol (CDP), Cisco's proprietary mechanism by which their devices advertise their identities to one another across private/secured networks. For example, accessories such as VOIP phones use CDP to learn which VLAN the switch is using for voice traffic. These vulnerabilities could allow an unauthenticated attacker to execute code on and gain control over the affected device, letting the attacker change network configurations or take the infrastructure offline, creating a denial of service situation. The major caveat is that an attacker would need access to something directly connected to an exposed device to exploit the vulnerability; CDP is a link-local protocol, so the vulnerability cannot be exploited from outside the local network segment.

A security firm discovered these vulnerabilities, and to date there have been no reports of exploits in the wild. While the simple solution would be to disable CDP on the affected devices, this does not take into consideration the impact on the entire network. Most importantly, the types of accessories connecting to your network, such as VOIP phones, would no longer function properly with this service disabled on the switches they connect to. With that said, devices such as Nexus switches or IOS XE routers, which typically do not have these types of accessories connected directly to them, could have CDP disabled until the firmware patch is applied. Disabling the service there would limit the impact of an exploit on the essential devices in the network while leaving CDP functional at the access layer where VOIP and IoT devices connect.
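The core-versus-access split described above is easiest to reason about once you know exactly where CDP is still active on each device. The following is an added example, not code from Systems Engineering or from Cisco: a small Python auditor that parses a `show running-config` dump, reports the physical interfaces on which CDP is still enabled (Cisco platforms enable it by default, so only `no cdp ...` lines appear in the config), and produces the global disable command for a core device. The sample config, the hostname and interface descriptions, and the `GLOBAL_DISABLE` command table are assumptions constructed for the example; confirm the command forms against your platform's documentation before using them.

```python
"""Audit where CDP is still enabled in a Cisco running-config.

Added example (not from the original post). Works on the plain text of
`show running-config` from NX-OS or IOS/IOS XE devices.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an NX-OS style running-config for a core switch
# that has CDP turned off on one interface only.
SAMPLE_CONFIG = """\
hostname core-nx-01
!
interface Ethernet1/1
  description uplink to core-nx-02
  no switchport
!
interface Ethernet1/2
  description downlink to access-sw-01
  switchport mode trunk
!
interface Ethernet1/3
  description mgmt-only link
  no cdp enable
!
interface Vlan100
  description voice-vlan SVI
"""

# Global disable command per platform (assumed; verify for your release).
GLOBAL_DISABLE = {
    "nxos": "no cdp enable",   # NX-OS
    "ios-xe": "no cdp run",    # IOS / IOS XE
    "ios-xr": "no cdp",        # IOS XR
}

# Logical interfaces never carry CDP frames, so they are not exposure points.
LOGICAL_PREFIXES = ("vlan", "loopback", "tunnel")


@dataclass
class CdpAudit:
    hostname: str
    global_enabled: bool
    # interface name -> True if CDP is enabled on that interface
    interfaces: dict = field(default_factory=dict)

    def exposed_interfaces(self):
        """Physical interfaces that still process CDP frames."""
        if not self.global_enabled:
            return []
        return sorted(
            name for name, on in self.interfaces.items()
            if on and not name.lower().startswith(LOGICAL_PREFIXES)
        )


def parse_running_config(text):
    """Extract hostname, global CDP state and per-interface CDP state."""
    hostname = "unknown"
    global_enabled = True      # CDP is on by default on Cisco platforms
    interfaces = {}
    current = None             # interface block currently being read
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None     # a bare '!' or blank line ends a block
            continue
        if not raw.startswith(" "):
            current = None     # top-level (unindented) command
            host = re.match(r"hostname\s+(\S+)", stripped)
            if host:
                hostname = host.group(1)
            elif stripped in ("no cdp enable", "no cdp run", "no cdp"):
                global_enabled = False
            elif stripped.startswith("interface "):
                current = stripped.split(None, 1)[1]
                interfaces[current] = True   # enabled unless told otherwise
            continue
        if current and stripped == "no cdp enable":
            interfaces[current] = False
    return CdpAudit(hostname, global_enabled, interfaces)


def disable_cdp_commands(audit, platform):
    """Config lines that would silence CDP on a core device (empty if already off)."""
    if not audit.exposed_interfaces():
        return []
    return [GLOBAL_DISABLE[platform]]


if __name__ == "__main__":
    audit = parse_running_config(SAMPLE_CONFIG)
    print(audit.hostname, "CDP-exposed interfaces:", audit.exposed_interfaces())
    print("core remediation:", disable_cdp_commands(audit, "nxos"))
```

Run it against a config pulled from an access switch as well: the same `exposed_interfaces()` list is what you want to keep non-empty there, since those are the ports where phones learn the voice VLAN.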

Course of Action

At this time, no action is being recommended, as this could disrupt normal operations of your network, and the risk is mitigated by the requirement for local access to execute the exploit.

Below is a list of devices that are potentially impacted by the vulnerabilities explained above, depending on the firmware they are running. Please reach out to your Account Manager if you would like assistance determining if your infrastructure is running on impacted software versions.

Additional details can be found on the Cisco Security Advisories site.

Cisco NX-OS Software:
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects
Cisco IOS XR Software (32-bit or 64-bit):
  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • IOS XRv 9000 Router
  • Network Convergence System (NCS) 540 Series Routers
  • Network Convergence System (NCS) 560 Series Routers
  • Network Convergence System (NCS) 1000 Series Routers
  • Network Convergence System (NCS) 5000 Series Routers
  • Network Convergence System (NCS) 5500 Series Routers
  • Network Convergence System (NCS) 6000 Series Routers
Cisco FXOS, IOS XR (32-bit or 64-bit), or NX-OS Software:
  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • IOS XRv 9000 Router
  • MDS 9000 Series Multilayer Switches
  • Network Convergence System (NCS) 540 Series Routers
  • Network Convergence System (NCS) 560 Series Routers
  • Network Convergence System (NCS) 1000 Series
  • Network Convergence System (NCS) 5000 Series
  • Network Convergence System (NCS) 5500 Series
  • Network Convergence System (NCS) 6000 Series
  • Nexus 1000 Virtual Edge for VMware vSphere
  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 1000V Switch for VMware vSphere
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects