CDPwn: Taking over millions of Cisco devices with layer 2 zero-days

The attack surface exposed by proprietary layer 2 protocols is rarely explored by the research community, and it contains hidden bugs with severe implications for the security of the devices that use them and for the networks they belong to. We discovered 4 such zero-day vulnerabilities, dubbed CDPwn, in the Cisco Discovery Protocol (CDP), a proprietary layer 2 protocol used by a wide variety of Cisco products. Since CDP’s main purpose is to map the presence of other Cisco products in the network, it is enabled by default on all of these products, and on every port of each product, widening the potential attack surface.

The first threat posed by the CDPwn vulnerabilities is to Cisco Nexus switches and Cisco IOS-XR routers. From an attacker’s perspective, these network appliances are a valuable asset: they control access to all network segments and are located in a prime position for traffic exfiltration. Using the CDPwn vulnerabilities, an unauthenticated attacker can gain full control over the network appliance and move laterally between the VLANs it serves, effectively breaking network segmentation completely.

The second attack scenario affects Cisco VoIP phones and Cisco IP cameras, of which tens of millions are in use by users and organizations worldwide. An attacker could use the CDPwn vulnerabilities to take over all Cisco VoIP phones and cameras in a network simultaneously, by sending a single specially crafted broadcast packet throughout the network. Once in control of these devices, the attacker can listen in on calls and view the video feeds, creating the ultimate spying tool.

In our talk, we will demo both attack scenarios, demonstrating the full implications of pwning an organization’s enterprise switch, and the frightening potential of a single packet to take over Cisco phones and cameras.

About the Speakers