Data centers using Cisco routers with the IOS XR software need to be on alert. Cisco issued a warning last week that attackers were actively exploiting a vulnerability in the Cisco Discovery Protocol, part of a set of vulnerabilities called CDPwn.
Cisco recommended that customers upgrade to a fixed version of the software.
"There are no workarounds that address this vulnerability," the company said in its alert. However, a patch has been available since February.
The vulnerability affects a Layer 2 protocol, meaning the attackers need to be in the same domain.
Network Segmentation at Risk
What's significant about this particular vulnerability is that the Layer 2 protocols are the underpinning for all networks and serve as the foundation of network segmentation.
These kinds of vulnerabilities can put the network infrastructure itself at risk, reducing the effectiveness of network segmentation as a security strategy, according to Ben Seri, VP of research at Armis, the security firm that originally discovered the problem.
If attackers succeed in exploiting CDPwn, they trigger a stack overflow that allows them to execute code with administrative privileges on the targeted devices.
Cisco also suggested that customers that cannot upgrade their software and do not use the Cisco Discovery Protocol feature can disable it.
"CDP is not a protocol that is vital for the network," said Olivier Huynh Van, CSO and co-founder of Gluware, a network management company. "It is mostly there to help monitoring and troubleshooting."
Turning off CDP until the problem can be patched should not affect traffic, he told DCK.
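As an added illustration of the mitigation described above (not from the article or from Cisco's advisory), the IOS XR CLI sequence below first checks whether CDP is enabled and then removes it; the interface name is a placeholder for whatever interfaces a given device actually has.

```text
! Check whether CDP is enabled globally (IOS XR enables it only if "cdp"
! appears in the running configuration) and which interfaces run it.
RP/0/RP0/CPU0:router# show running-config cdp
RP/0/RP0/CPU0:router# show cdp interface
RP/0/RP0/CPU0:router# show cdp neighbors

! Disable CDP globally and on any interface where it was enabled
! explicitly. GigabitEthernet0/0/0/0 is a placeholder interface name.
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# no cdp
RP/0/RP0/CPU0:router(config)# interface GigabitEthernet0/0/0/0
RP/0/RP0/CPU0:router(config-if)# no cdp
RP/0/RP0/CPU0:router(config-if)# commit
RP/0/RP0/CPU0:router(config-if)# end

! Confirm no interfaces still advertise or process CDP frames.
RP/0/RP0/CPU0:router# show cdp interface
```

Disabling CDP removes only the exposure to this Layer 2 vector on devices that do not need it; upgrading to a fixed release remains the actual fix.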
In addition, the specific vulnerability mentioned by Cisco, which affects IOS XR, has limited impact because it's a service provider-grade operating system. "Vulnerabilities on IOS XE would be a much larger problem for enterprise customers, as it would affect edge routers and switches," he said.
However, there are other vulnerabilities in the CDPwn family that affect a broader range of products, and simply shutting off CDP isn't always an option, said Armis's Seri.
"CDP is implemented in virtually all Cisco products including switches, routers, IP phones, and IP cameras," he told DCK. "Many of these devices cannot work properly without CDP and do not offer the ability to turn it off."
The vulnerability that Cisco warned about, CVE-2020-3118, and the four others that are part of CDPwn, impact tens of millions of devices, he said.
And as difficult as it is to patch traditional data center servers, patching is even more difficult – or even impossible – for newer connected devices, said Seri.
"State actors excel at operating in the shadows," he said.
And they're particularly good at exploiting zero-day vulnerabilities in overlooked attack surfaces, he said. "That allows them to infiltrate secure networks by targeting network appliances such as Cisco routers."
Below the Radar
One of the key elements of basic cybersecurity hygiene is to track what software is running where, so that data center managers know what they need to patch.
"The patch management strategy must include all software – even the software embedded in physical devices," said Tim Mackey, principal security strategist at Synopsys, a cybersecurity firm.
He said he was not surprised that attackers zeroed in on this particular vulnerability.
"Given the role Cisco devices play in businesses of all sizes, developing an attack for this vulnerability was likely a high priority for malicious groups," he told DCK. "After all, if you have control over the network, then you have the potential to access data outside of normal protections."
Making matters even worse, scanning tools often don't catch these kinds of vulnerabilities, said Doug Britton, CTO at RunSafe Security.
Federal Agencies on Alert
The NSA also warned about this vulnerability last week.
"On many devices, Cisco Discovery Protocol is enabled by default. NSA recommends disabling discovery protocols," the agency said.
Cisco, however, said that the Cisco Discovery Protocol is not enabled by default.
According to the NSA, this vulnerability is being actively exploited by Chinese state-sponsored attackers. Other vulnerabilities were also mentioned in the alert, including ones affecting Pulse Secure VPNs, Citrix Application Delivery Controller and Gateway, Microsoft Exchange Servers, and Windows Servers.
Last week, two other federal agencies, the FBI and the Cybersecurity and Infrastructure Security Agency, also issued alerts about Russian attackers using unpatched vulnerabilities, including vulnerabilities in the Citrix Gateway, Microsoft Exchange Servers, and Windows Servers.