beebright - stock.adobe.com
IoT security company Armis on Wednesday disclosed five vulnerabilities the Cisco Discovery Protocol, which Armis said impacts "tens of millions" of Cisco devices.
The vulnerabilities, collectively named 'CDPwn,' include four remote code execution (RCE) vulnerabilities and one denial of service (DoS) vulnerability. The RCE vulnerabilities have the potential to give a hacker free reign to remotely control all devices featuring the Cisco Discovery Protocol (CDP), which includes Cisco IP phones, IP cameras, NCS systems, IOS XR routers and more.
CDP is Cisco's proprietary layer network protocol for discovering information about locally attached Cisco devices, and it's implemented in the vast majority of Cisco products. Armis said many of the devices cannot function properly if CDP is disabled.
Ben Seri, vice president of research at Armis, told SearchSecurity the vulnerabilities range from high 8 CVSS scores (the peak of "high" severity range) to the 9 range (which CVSS refers to as "critical" severity).
Seri described CDPwn's discovery process as "iterative."
"Two of the five vulnerabilities were found in August and then we reported them. Then about three months ago, we discovered the other three vulnerabilities that impacted IP phones and IP cameras, so the disclosure was extended up until now," he said.
Armis has been working with Cisco since August to confirm the vulnerabilities and work through the responsible disclosure process. Though the disclosure process is typically 90 days, it was extended due to new developments.
"Once we discovered it affected the IP phones, we got on the phone with Cisco, they validated the vulnerabilities, and that's when we started working with them on a new date. This would have come out earlier, but we both agreed on a February 5th disclosure date, so they had time to get the patches ready," Armis CMO Michael Parker said.
According to Armis, Cisco notified customers and developed patches and mitigations for the CDPwn vulnerabilities, which were released Wednesday. Armis said enterprises should assume all unpatched devices are open to these attacks. The vendor also encouraged enterprises that use network segmentation as their sole security measure for IoT devices to rethink that approach since attacks using CDPwn can break the segmentation.