Cisco has issued fixes for five security glitches that can be found in a wealth of its networked enterprise products – from switches and routers to web cameras and desktop VoIP phones.
The problems center around vulnerabilities in the implementation of the Cisco Discovery Protocol (CDP) that could let remote attackers take over the products without any user interaction. While no public exploit has been found, an attacker simply needs to send a maliciously crafted CDP packet to a target device located inside the network to take advantage of the weakness, Cisco stated.
Cisco’s CDP is a Layer 2 protocol that runs on Cisco devices and enables networking applications to learn about directly connected devices nearby, according to Cisco. It enables management of Cisco devices by discovering networked devices, determining how they are configured, and letting systems using different network-layer protocols learn about each other, according to Cisco.
The five vulnerabilities, revealed by Armis Security and dubbed CDPwn, are significant because Layer 2 protocols are the underpinning for all networks, Armis wrote in a blog about the problems.
“As an attack surface, Layer 2 protocols are an under-researched area and yet are the foundation for the practice of network segmentation. Network segmentation is utilized as a means to improve network performance and also to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by any attacker, so network segmentation is no longer a guaranteed security strategy,” Armis wrote.
Cisco rated the CDP security threats as “High.” The specific warnings include:
Armis said it discovered the bugs in August last year as worked with Cisco to develop patches which Cisco says are available for free.
This story, “Cisco patches a security glitch affecting routers, switches and phones” was originally published by
Michael Cooney is a Senior Editor with Network World who has written about the IT world for more than 25 years. He can be reached at firstname.lastname@example.org.
Copyright © 2020 IDG Communications, Inc.