-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0424.10
Cisco NX-OS Software Cisco Discovery Protocol Remote Code
Execution Vulnerability
21 October 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco NX-OS
Cisco IOS XR
Cisco FXOS
Cisco IP Phone
Cisco Video Surveillance 8000 Series IP Camera
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-3120 CVE-2020-3119 CVE-2020-3118
CVE-2020-3111 CVE-2020-3110
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos
Revision History: October 21 2020: Vendor updated cisco-sa-20200205-iosxr-cdp-rce confirming exploits observed
February 25 2020: Vendor updated fixed software details in advisory cisco-sa-20200205-fxnxos-iosxr-cdp-dos
February 21 2020: Vendor updated advisory: cisco-sa-20200205-voip-phones-rce-dos
February 17 2020: Vendor updated advisories cisco-sa-20200205-nxos-cdp-rce and cisco-sa-20200205-voip-phones-rce-dos - re list of not vulnerable products and available fixes
February 13 2020: Revised cisco-sa-20200205-nxos-cdp-rce to version 1.3: Updated that Cisco UCS Fabric Interconnects are not vulnerable
February 12 2020: Revised Advisory cisco-sa-20200205-nxos-cdp-rce to version 1.2 : Updated Information on Nexus 3000 and 9000 series switches
February 12 2020: CVE-2020-3118- Revised to version 1.1; Added the Cisco Unified IP Phone 7900 as not vulnerable
February 10 2020: Advisory "fxnxos-iosxr-cdp-dos" revised to version 1.2; removed FXOS 2.5 and updated Vulnerable Products and Workarounds sections.
February 7 2020: cisco-sa-20200205-nxos-cdp-rce: Corrected information on Cisco UCS Fabric Interconnects cisco-sa-20200205-fxnxos-iosxr-cdp-dos: Corrected information on Cisco FXOS and Cisco UCS Fabric Interconnects
February 6 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution
Vulnerability
Priority: High
Advisory ID: cisco-sa-20200205-nxos-cdp-rce
First Published: 2020 February 5 16:00 GMT
Last Updated: 2020 February 14 20:08 GMT
Version 1.4: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvr09175 CSCvr09531
CVE-2020-3119
CWE-787
CVSS Score:
8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Cisco Discovery Protocol implementation for Cisco
NX-OS Software could allow an unauthenticated, adjacent attacker to execute
arbitrary code or cause a reload on an affected device.
The vulnerability exists because the Cisco Discovery Protocol parser does
not properly validate input for certain fields in a Cisco Discovery
Protocol message. An attacker could exploit this vulnerability by sending a
malicious Cisco Discovery Protocol packet to an affected device. A
successful exploit could allow the attacker to cause a stack overflow,
which could allow the attacker to execute arbitrary code with
administrative privileges on an affected device.
Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
vulnerability, an attacker must be in the same broadcast domain as the
affected device (Layer 2 adjacent).
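The fault the advisory describes is a parser that trusts a length field inside a Cisco Discovery Protocol message. The following Python is an added example, not Cisco's code and not derived from the affected implementation: a minimal CDP TLV walker that checks every declared length against both the TLV header size and the bytes left in the frame before it copies a value out, which is the class of check whose absence leads to the stack overflow described above. The frame layout (version, TTL, checksum, then type/length/value triples whose length includes the 4-byte TLV header) is the published CDP format; the sample frames, the zero checksum placeholder and the TLV type names are constructed for this example.

```python
import struct

# CDP header after the SNAP header: version (1 byte), TTL (1), checksum (2).
CDP_HEADER_LEN = 4
# Each TLV: type (2) + length (2); the length field counts this header too.
TLV_HEADER_LEN = 4
TLV_NAMES = {  # a few well-known TLV types, only for readable output
    0x0001: "Device-ID",
    0x0002: "Addresses",
    0x0003: "Port-ID",
    0x0005: "Software Version",
    0x0006: "Platform",
}


class CdpParseError(ValueError):
    """Raised when a TLV does not fit the frame; the packet should be dropped."""


def parse_cdp_tlvs(payload: bytes) -> dict:
    """Parse the TLV list of a CDP payload (everything after the SNAP header).

    Every length is validated before the value is sliced out, so a frame that
    lies about a field's size is rejected instead of being read past its end.
    """
    if len(payload) < CDP_HEADER_LEN:
        raise CdpParseError("payload shorter than the CDP header")
    version, ttl, checksum = struct.unpack("!BBH", payload[:CDP_HEADER_LEN])
    tlvs = []
    offset = CDP_HEADER_LEN
    while offset < len(payload):
        if len(payload) - offset < TLV_HEADER_LEN:
            raise CdpParseError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + TLV_HEADER_LEN])
        if tlv_len < TLV_HEADER_LEN:
            raise CdpParseError(f"TLV 0x{tlv_type:04x} declares length {tlv_len} < {TLV_HEADER_LEN}")
        if offset + tlv_len > len(payload):
            raise CdpParseError(f"TLV 0x{tlv_type:04x} length {tlv_len} runs past the end of the frame")
        value = payload[offset + TLV_HEADER_LEN:offset + tlv_len]
        tlvs.append((tlv_type, TLV_NAMES.get(tlv_type, "Unknown"), value))
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}


def is_well_formed(payload: bytes) -> bool:
    """True if every TLV fits the frame, False if the packet should be dropped."""
    try:
        parse_cdp_tlvs(payload)
        return True
    except CdpParseError:
        return False


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Helper used only to construct the sample frames below."""
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value


# Constructed sample: a benign CDPv2 payload with Device-ID and Port-ID TLVs.
# The checksum is a placeholder; this example does not verify it.
GOOD_PAYLOAD = (
    struct.pack("!BBH", 2, 180, 0x0000)
    + build_tlv(0x0001, b"switch-a")
    + build_tlv(0x0003, b"Ethernet1/1")
)

# Constructed malformed sample: the Device-ID TLV claims 0x0400 bytes while the
# frame carries only 8 after the header. A parser that trusts the length field
# would read beyond the buffer; this one refuses the packet.
BAD_PAYLOAD = (
    struct.pack("!BBH", 2, 180, 0x0000)
    + struct.pack("!HH", 0x0001, 0x0400)
    + b"switch-a"
)

if __name__ == "__main__":
    for name, frame in (("good", GOOD_PAYLOAD), ("bad", BAD_PAYLOAD)):
        print(name, "well-formed" if is_well_formed(frame) else "rejected")
```

The two checks in the loop are the whole point: a length smaller than the header would make the walker loop forever or go backwards, and a length larger than the remaining bytes is the over-read the advisory warns about. Both are caught before any value is touched.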
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20200205-nxos-cdp-rce
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they have Cisco
Discovery Protocol enabled both globally and on at least one interface and
if they are running a vulnerable release of Cisco NX-OS Software:
Nexus 3000 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
Nexus 9000 Series Switches in standalone NX-OS mode
Note: Cisco Discovery Protocol is enabled on these products by default both
globally and on all interfaces.
For information about which Cisco NX-OS Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determine the Status of Cisco Discovery Protocol for Cisco Nexus Switches
That Are Running Cisco NX-OS Software
Administrators can determine whether Cisco Discovery Protocol is enabled on
a device by using the show running-config cdp all | include "cdp enable"
command in the device CLI. If the command returns at least the following
lines, Cisco Discovery Protocol is enabled globally and on at least one
interface:
nxos# show running-config cdp all | include "cdp enable"
cdp enable
cdp enable
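As an added example (not part of the advisory), the following Python applies the check above offline to saved configuration output, which is useful when auditing many switches from collected show running-config cdp all captures rather than logging in to each one. The configuration shape (an unindented global line, indented lines under each interface stanza) and the sample capture are constructed assumptions modelled on NX-OS running-config formatting; the second helper applies the advisory's own rule to the filtered output shown above.

```python
import re

# Constructed sample of "show running-config cdp all" on a Nexus switch.
SAMPLE_CONFIG = """\
!Command: show running-config cdp all
!Time: Mon Feb 10 10:16:44 2020

version 7.0(3)I7(6)
cdp enable

interface Ethernet1/1
  cdp enable

interface Ethernet1/2
  no cdp enable

interface mgmt0
  cdp enable
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")


def cdp_status(config_text: str) -> dict:
    """Return CDP state parsed from "show running-config cdp all" output.

    Unindented "cdp enable"/"no cdp enable" lines are the global setting;
    indented ones under an "interface X" stanza belong to that interface.
    """
    global_enabled = None
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        stripped = line.strip()
        if stripped not in ("cdp enable", "no cdp enable"):
            continue
        enabled = stripped == "cdp enable"
        if line.startswith(" ") and current is not None:
            interfaces[current] = enabled
        else:
            global_enabled = enabled
            current = None
    return {"global": bool(global_enabled), "interfaces": interfaces}


def exposed(config_text: str) -> bool:
    """The advisory's condition: CDP enabled globally AND on at least one interface."""
    st = cdp_status(config_text)
    return st["global"] and any(st["interfaces"].values())


def enabled_line_count(filtered_output: str) -> int:
    """Count lines reading exactly "cdp enable" in the output of
    show running-config cdp all | include "cdp enable".
    Two or more means globally enabled plus at least one interface, which is
    the rule the advisory states. Only exact matches are counted because the
    include filter is a substring match and also passes "no cdp enable".
    """
    return sum(1 for l in filtered_output.splitlines() if l.strip() == "cdp enable")


if __name__ == "__main__":
    print(cdp_status(SAMPLE_CONFIG))
    print("exposed:", exposed(SAMPLE_CONFIG))
```

The unfiltered capture is the better input for an audit: it tells you which interfaces still have the protocol on, so the per-interface workaround can be scoped, whereas the filtered command only answers yes or no.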
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 1000 Series
Firepower 2100 Series
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 1000 Virtual Edge for VMware vSphere
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 5500 Platform Switches ^1
Nexus 5600 Platform Switches ^1
Nexus 6000 Series Switches ^1
Nexus 7000 Series Switches
UCS 6200 Series Fabric Interconnects ^1
UCS 6300 Series Fabric Interconnects ^1
UCS 6400 Series Fabric Interconnects ^1
1. Earlier versions of this security advisory reported Nexus 5500 Platform
Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, and UCS
6200 Series, 6300 Series, and 6400 Series Fabric Interconnects as affected
by this vulnerability. This information was incorrect.
Cisco has also confirmed that this vulnerability does not affect Cisco IOS
Software, Cisco IOS XE Software, or Cisco IOS XR Software.
Workarounds
o There are no workarounds that address this vulnerability.
However, customers who do not use Cisco Discovery Protocol can disable it
either globally to fully close the attack vector or on individual
interfaces to reduce the attack surface.
Disable Cisco Discovery Protocol Globally on Cisco Nexus Switches That Are
Running Cisco NX-OS Software
To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that
are running Cisco NX-OS Software, administrators can use the no cdp enable
command in global configuration mode, as shown in the following example:
nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# no cdp enable
nxos(config)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.
Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches
That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol on an interface on Cisco Nexus Switches
that are running Cisco NX-OS Software, administrators can use the no cdp
enable command in interface configuration mode, as shown in the following
example:
nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# interface Ethernet1/1
nxos(config-if)# no cdp enable
nxos(config-if)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
In the following table(s), the left column lists Cisco software releases.
The right column indicates whether a release is affected by the
vulnerability described in this advisory and the first release that
includes the fix for this vulnerability.
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode: CSCvr09175
+--------------------------------+----------------------------------------------+
| Cisco NX-OS Software Release   | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| Earlier than 7.0(3)I7          | Not vulnerable                               |
| 7.0(3)I7                       | 7.0(3)I7(8) (Feb 2020) or appropriate SMU ^1 |
| 7.0(3)F ^2                     | Not vulnerable                               |
| 9.2                            | 9.3(2)                                       |
| 9.3                            | 9.3(2)                                       |
+--------------------------------+----------------------------------------------+
1. The SMUs that are available for Cisco NX-OS Software releases
7.0(3)I7(5a), 7.0(3)I7(6), and 7.0(3)I7(7) fix this vulnerability (CSCvr09175).
They also fix the vulnerability (CSCvr14976) that is described in the
advisory Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol
Denial of Service Vulnerability. The SMU filename follows this format:
CSCvr09175-n9k_ALL-1.0.0-<nx-os_release>.lib32_n9000.rpm.
2. The Cisco NX-OS Software 7.0(3)F train runs only on Cisco Nexus 3600
Platform Switches and the Nexus 9500 R-Series Switching Platform and is no
longer maintained. Customers are advised to migrate to Cisco NX-OS Software
Release 9.2 or later.
SMU Installation Instructions
To download the SMUs from the Software Center on Cisco.com, do the
following:
1. Click Browse All.
2. Choose IOS and NX-OS Software > NX-OS > NX-OS Software > Switches >
Data Center Switches.
3. Choose the appropriate product and model.
4. Choose NX-OS Software Maintenance Upgrades (SMU).
5. Choose a release from the left pane of the appropriate product page.
Note: The SMU filename follows this format: CSCvr09175-n9k_ALL-1.0.0-
<NX-OS_Release>.lib32_n9000.rpm. For example, the SMU filename for Cisco
NX-OS Software Release 7.0(3)I7(6) is
CSCvr09175-n9k_ALL-1.0.0-7.0.3.I7.6.lib32_n9000.rpm.
To install the appropriate SMU, copy the SMU to the Bootflash: file system
for the switch and execute the following commands, which activate the fix
right away (this is a hot patch):
1. install add bootflash:<SMU_filename> activate
2. install commit
The following example shows the commands for installing the SMU for Cisco
NX-OS Software Release 7.0(3)I7(6):
nx-os# install add bootflash:CSCvr09175-n9k_ALL-1.0.0-7.0.3.I7.6.lib32_n9000.rpm activate
nx-os# install commit
Note: These instructions apply to only this particular type of SMU.
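The fixed-release table and the SMU naming rule above are easy to misapply across a fleet by hand. The following Python is an added example, not Cisco tooling: it parses an NX-OS release string, classifies it against the CSCvr09175 table for Nexus 3000 and Nexus 9000 standalone switches, derives the SMU filename from the pattern the advisory gives, and emits the two install commands. The release-string grammar is an assumption of this example; the page shows only the 7.0(3)I7(6) filename, so applying the same parentheses-to-dots rewrite to 7.0(3)I7(5a) and 7.0(3)I7(7) is also an assumption.

```python
import re

# Assumed grammar: "<major>.<minor>(<maint>)" with an optional
# "<train><n>(<rel><suffix>)" tail, e.g. "7.0(3)I7(5a)" or "9.3(2)".
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:([A-Z]+\d*)\((\d+)([a-z]?)\))?$")

# Releases for which the advisory lists an SMU: 7.0(3)I7(5a), (6) and (7).
SMU_RELEASES = {(5, "a"), (6, ""), (7, "")}


def parse_release(release: str) -> dict:
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS release string: {release!r}")
    major, minor, maint, train, train_rel, suffix = m.groups()
    return {
        "major": int(major), "minor": int(minor), "maint": int(maint),
        "train": train,
        "train_rel": int(train_rel) if train_rel else None,
        "suffix": suffix or "",
    }


def status_cscvr09175(release: str) -> tuple:
    """Classify a release against the advisory's CSCvr09175 table.

    Returns (vulnerable, note). Rows: earlier than 7.0(3)I7 and the 7.0(3)F
    train are not vulnerable; 7.0(3)I7 is fixed in 7.0(3)I7(8) or by SMU;
    9.2 and 9.3 are fixed in 9.3(2).
    """
    r = parse_release(release)
    base = (r["major"], r["minor"], r["maint"])
    if base == (7, 0, 3) and r["train"]:
        if r["train"].startswith("F"):
            return (False, "7.0(3)F train: not vulnerable")
        if not r["train"].startswith("I"):
            raise ValueError(f"7.0(3) train {r['train']} is not in the advisory table")
        train_no = int(r["train"][1:])  # "I7" -> 7
        if train_no < 7:
            return (False, "earlier than 7.0(3)I7: not vulnerable")
        if train_no == 7 and r["train_rel"] < 8:
            return (True, "upgrade to 7.0(3)I7(8) or install the SMU")
        return (False, "7.0(3)I7(8) or later: fixed")
    if r["major"] == 9:
        if (r["minor"], r["maint"]) < (3, 2):
            return (True, "upgrade to 9.3(2)")
        return (False, "9.3(2) or later: fixed")
    if base < (7, 0, 3):
        return (False, "earlier than 7.0(3)I7: not vulnerable")
    raise ValueError(f"release {release} is not covered by the advisory table")


def smu_filename(release: str, bug_id: str = "CSCvr09175") -> str:
    """Build <bug>-n9k_ALL-1.0.0-<dotted release>.lib32_n9000.rpm, where the
    dotted form replaces each parenthesised part with a dot-separated one
    (7.0(3)I7(6) -> 7.0.3.I7.6, the example the advisory gives)."""
    r = parse_release(release)
    if r["train"] != "I7" or (r["train_rel"], r["suffix"]) not in SMU_RELEASES:
        raise ValueError("the advisory lists SMUs only for 7.0(3)I7(5a), (6) and (7)")
    dotted = f'{r["major"]}.{r["minor"]}.{r["maint"]}.{r["train"]}.{r["train_rel"]}{r["suffix"]}'
    return f"{bug_id}-n9k_ALL-1.0.0-{dotted}.lib32_n9000.rpm"


def remediation_plan(release: str) -> list:
    """Commands for a vulnerable release that has an SMU (syntax from the
    advisory), otherwise the table's note as a comment line."""
    vulnerable, note = status_cscvr09175(release)
    if not vulnerable:
        return [f"# {note}"]
    try:
        smu = smu_filename(release)
    except ValueError:
        return [f"# {note}"]
    return [f"install add bootflash:{smu} activate", "install commit"]


if __name__ == "__main__":
    for rel in ("7.0(3)I7(6)", "7.0(3)I7(8)", "7.0(3)F3(4)", "9.2(3)", "9.3(2)"):
        print(rel, status_cscvr09175(rel), remediation_plan(rel))
```

Note that a release such as 7.0(3)I7(5) without the "a" suffix is classified as vulnerable but gets no SMU name, because the advisory lists an SMU for 7.0(3)I7(5a) only; the plan then falls back to the upgrade note.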
Nexus 9000 Series Fabric Switches in ACI Mode: CSCvr09531
+--------------------------------+----------------------------------------------+
| Cisco NX-OS Software Release   | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| Earlier than 13.1              | Not vulnerable                               |
| 13.1                           | Not vulnerable                               |
| 13.2                           | Not vulnerable                               |
| 14.0                           | 14.2(1j)                                     |
| 14.1                           | 14.2(1j)                                     |
| 14.2                           | 14.2(1j)                                     |
+--------------------------------+----------------------------------------------+
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 5600 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
To determine the best release for Cisco UCS, see the Recommended Releases
documents in the release notes for the device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware of
public announcements about this vulnerability. Cisco PSIRT is not aware of
any malicious use of the vulnerability that is described in this advisory.
Source
o Cisco would like to thank Barak Hadad of Armis for reporting this
vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20200205-nxos-cdp-rce
Revision History
o +---------+--------------------+--------------+--------+------------------+
| Version | Description | Section | Status | Date |
+---------+--------------------+--------------+--------+------------------+
| | Updated that Cisco | | | |
| | Nexus 5500 | Vulnerable | | |
| | Platform Switches, | Products, | | |
| | Nexus 5600 | Products | | |
| 1.4 | Platform Switches | Confirmed | Final | 2020-February-14 |
| | and Nexus 6000 | Not | | |
| | Series Switches | Vulnerable, | | |
| | are not affected | Fixed | | |
| | by this | Software | | |
| | vulnerability. | | | |
+---------+--------------------+--------------+--------+------------------+
| | | Vulnerable | | |
| | Updated that Cisco | Products, | | |
| | UCS Fabric | Products | | |
| | Interconnects are | Confirmed | | |
| 1.3 | not affected by | Not | Final | 2020-February-12 |
| | this | Vulnerable, | | |
| | vulnerability. | Workarounds, | | |
| | | Fixed | | |
| | | Software | | |
+---------+--------------------+--------------+--------+------------------+
| | Updated | | | |
| | information on | | | |
| | vulnerable | | | |
| 1.2 | releases for Nexus | Fixed | Final | 2020-February-11 |
| | 3000 Series | Software | | |
| | Switches and Nexus | | | |
| | 9000 Series | | | |
| | Switches. | | | |
+---------+--------------------+--------------+--------+------------------+
| | Corrected | | | |
| | information around | | | |
| | when Cisco UCS | | | |
| | Fabric | Vulnerable | | |
| 1.1 | Interconnects are | Products, | Final | 2020-February-06 |
| | vulnerable and | Workarounds | | |
| | mitigation options | | | |
| | for Cisco UCS | | | |
| | Fabric | | | |
| | Interconnects. | | | |
+---------+--------------------+--------------+--------+------------------+
| 1.0 | Initial public | - | Final | 2020-February-05 |
| | release. | | | |
+---------+--------------------+--------------+--------+------------------+
- --------------------------------------------------------------------------------
Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol Denial of
Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20200205-fxnxos-iosxr-cdp-dos
First Published: 2020 February 5 16:00 GMT
Last Updated: 2020 February 21 20:46 GMT
Version 1.3: Interim
Workarounds: No workarounds available
Cisco Bug IDs: CSCvr14976 CSCvr15024 CSCvr15072 CSCvr15073 CSCvr15078 CSCvr15079 CSCvr15082 CSCvr15083 CSCvr15111
CVE-2020-3120
CWE-190
CVSS Score:
7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Cisco Discovery Protocol implementation for Cisco
FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow
an unauthenticated, adjacent attacker to cause a reload of an affected
device, resulting in a denial of service (DoS) condition.
The vulnerability is due to a missing check when the affected software
processes Cisco Discovery Protocol messages. An attacker could exploit this
vulnerability by sending a malicious Cisco Discovery Protocol packet to an
affected device. A successful exploit could allow the attacker to exhaust
system memory, causing the device to reload.
Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
vulnerability, an attacker must be in the same broadcast domain as the
affected device (Layer 2 adjacent).
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20200205-fxnxos-iosxr-cdp-dos
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they have Cisco
Discovery Protocol enabled both globally and on at least one interface and
if they are running a vulnerable release of Cisco FXOS, IOS XR (32-bit or
64-bit), or NX-OS Software:
ASR 9000 Series Aggregation Services Routers
Carrier Routing System (CRS)
Firepower 4100 Series
Firepower 9300 Security Appliances
IOS XRv 9000 Router
MDS 9000 Series Multilayer Switches
Network Convergence System (NCS) 540 Series Routers
Network Convergence System (NCS) 560 Series Routers
Network Convergence System (NCS) 1000 Series
Network Convergence System (NCS) 5000 Series
Network Convergence System (NCS) 5500 Series
Network Convergence System (NCS) 6000 Series
Nexus 1000 Virtual Edge for VMware vSphere
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
Nexus 9000 Series Switches in standalone NX-OS mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
This vulnerability also affects third-party white box routers if they have
Cisco Discovery Protocol enabled both globally and on at least one
interface and if they are running a vulnerable release of Cisco IOS XR
Software.
Note: Cisco Discovery Protocol is disabled by default in Cisco IOS XR
Software. Cisco Discovery Protocol is enabled by default both globally and
on all interfaces in Cisco FXOS and NX-OS Software.
For information about which Cisco FXOS, IOS XR, and NX-OS Software releases
are vulnerable, see the Fixed Software section of this advisory.
Determine the Status of Cisco Discovery Protocol for Cisco FXOS Software
Cisco Discovery Protocol is always enabled on the management (mgmt0) port.
In Cisco FXOS Software releases earlier than 2.1, Cisco Discovery Protocol
is always enabled on all front-panel ports as well.
Determine the Status of Cisco Discovery Protocol for Cisco IOS XR Software
Administrators can determine whether Cisco Discovery Protocol is enabled on
a device by using the show running-config | include cdp command in the
device CLI. If the command returns at least the following lines, Cisco
Discovery Protocol is enabled globally and on at least one interface:
RP/0/RP0/CPU0:ios#show running-config | include cdp
Mon Dec 2 17:00:27.921 UTC
Building configuration...
cdp
cdp
.
.
.
Determine the Status of Cisco Discovery Protocol on Cisco Nexus Switches
That Are Running Cisco NX-OS Software
Administrators can determine whether Cisco Discovery Protocol is enabled on
a device by using the show running-config cdp all | include "cdp enable"
command in the device CLI. If the command returns at least the following
lines, Cisco Discovery Protocol is enabled globally and on at least one
interface:
nxos# show running-config cdp all | include "cdp enable"
cdp enable
cdp enable
Determine the Status of Cisco Discovery Protocol on Cisco UCS Fabric
Interconnects
Cisco Discovery Protocol is always enabled on Ethernet uplink ports
(network interfaces that connect to upstream switches for network
connectivity), Ethernet port channel members, FCoE uplink ports, and
management ports.
Administrators can determine whether Cisco Discovery Protocol is also
enabled on server ports (interfaces that are presented to the servers in
the Cisco UCS Manager domain) and appliance ports (interfaces that connect
to directly attached NFS storage) on a device by using the show
configuration | egrep "^ scope|enable cdp" command in the device CLI. If
the command returns the enable cdp command under the org scope, Cisco
Discovery Protocol is enabled on server ports, and if the command returns
enable cdp under the eth-storage scope, Cisco Discovery Protocol is enabled
on appliance ports, as shown in the following example:
ucs-fi# show configuration | egrep "^ scope|enable cdp"
.
.
.
scope org
enable cdp
.
.
.
scope eth-storage
enable cdp
.
.
.
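The UCS Fabric Interconnect check above depends on which scope an enable cdp line sits under, and the IOS XR check above depends on counting bare cdp lines. The following Python is an added example, not Cisco tooling, that applies both rules to saved command output so the state of a fleet can be assessed from captures. The sample UCS output is constructed to match the shape of the advisory's example; treating each line matched by "^ scope" as starting a new top-level scope is an assumption of this example.

```python
# Constructed sample of: show configuration | egrep "^ scope|enable cdp"
UCS_SAMPLE = """\
 scope fabric-interconnect a
 scope org
     enable cdp
 scope eth-storage
     enable cdp
 scope security
"""

# Constructed sample of: show running-config | include cdp (IOS XR)
IOSXR_SAMPLE = """\
RP/0/RP0/CPU0:ios#show running-config | include cdp
Mon Dec 2 17:00:27.921 UTC
Building configuration...
cdp
cdp
"""


def ucs_cdp_scopes(output: str) -> set:
    """Return the set of top-level scopes under which 'enable cdp' appears.

    Each ' scope <name>' line passed by the egrep filter opens a new scope;
    an 'enable cdp' line is attributed to the most recent one.
    """
    enabled = set()
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("scope "):
            current = stripped.split(None, 1)[1]
        elif stripped == "enable cdp" and current is not None:
            enabled.add(current)
    return enabled


def ucs_cdp_status(output: str) -> dict:
    """Map scopes to port classes as the advisory describes: 'enable cdp'
    under org means server ports, under eth-storage means appliance ports.
    Uplink, port-channel member, FCoE uplink and management ports are always
    enabled on UCS Fabric Interconnects and cannot be turned off."""
    scopes = ucs_cdp_scopes(output)
    return {
        "server_ports": "org" in scopes,
        "appliance_ports": "eth-storage" in scopes,
        "uplink_and_mgmt_ports": True,
    }


def iosxr_cdp_enabled(output: str) -> bool:
    """IOS XR rule from the advisory: at least two lines reading exactly 'cdp'
    means CDP is enabled globally and on at least one interface. Exact matching
    keeps the echoed command line (which also contains 'cdp') out of the count."""
    return sum(1 for l in output.splitlines() if l.strip() == "cdp") >= 2


if __name__ == "__main__":
    print("UCS:", ucs_cdp_status(UCS_SAMPLE))
    print("IOS XR enabled:", iosxr_cdp_enabled(IOSXR_SAMPLE))
```

For the UCS case the result is only partly actionable: server and appliance ports can be switched off through the network control policy, but the always-on port classes mean the exposure is closed only by a fixed release.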
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 1000 Series
Firepower 2100 Series
Network Convergence System (NCS) 520 Series Routers
Cisco has also confirmed that this vulnerability does not affect Cisco IOS
Software or Cisco IOS XE Software.
Workarounds
o There are no workarounds that address this vulnerability.
However, customers who do not use the Cisco Discovery Protocol feature can
disable it either globally to fully close the attack vector or on
individual interfaces to reduce the attack surface.
Disable Cisco Discovery Protocol in Cisco FXOS Software
Cisco Discovery Protocol is always enabled and cannot be disabled in Cisco
FXOS Software. In Cisco FXOS Software releases 2.1 and later, Cisco
Discovery Protocol is enabled on the management (mgmt0) port only.
Disable Cisco Discovery Protocol Globally in Cisco IOS XR Software
To disable Cisco Discovery Protocol globally on devices running Cisco IOS
XR Software, administrators can use the no cdp command in global
configuration mode, as shown in the following example:
RP/0/RP0/CPU0:ios#conf t
Mon Dec 2 17:58:08.556 UTC
RP/0/RP0/CPU0:ios(config)#no cdp
RP/0/RP0/CPU0:ios(config)#exit
Uncommitted changes found, commit them before exiting(yes/no/cancel) [cancel]:yes
Disable Cisco Discovery Protocol on an Interface in Cisco IOS XR Software
To disable Cisco Discovery Protocol on a particular interface on a particular
device that is running Cisco IOS XR Software, administrators can use the no
cdp command in interface configuration mode, as shown in the following
example:
RP/0/RP0/CPU0:ios#conf t
Mon Dec 2 18:00:08.622 UTC
RP/0/RP0/CPU0:ios(config)#interface GigabitEthernet0/0/0/0
RP/0/RP0/CPU0:ios(config-if)#no cdp
RP/0/RP0/CPU0:ios(config-if)#end
Uncommitted changes found, commit them before exiting(yes/no/cancel) [cancel]:yes
Disable Cisco Discovery Protocol Globally on Cisco Nexus Switches That Are
Running Cisco NX-OS Software
To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that
are running Cisco NX-OS Software, administrators can use the no cdp enable
command in global configuration mode, as shown in the following example:
nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# no cdp enable
nxos(config)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.
Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches
That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol on an interface on Cisco Nexus Switches
that are running Cisco NX-OS Software, administrators can use the no cdp
enable command in interface configuration mode, as shown in the following
example:
nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# interface Ethernet1/1
nxos(config-if)# no cdp enable
nxos(config-if)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.
Disable Cisco Discovery Protocol on Cisco UCS Fabric Interconnects
Cisco Discovery Protocol cannot be disabled completely on Cisco UCS Fabric
Interconnects.
Cisco Discovery Protocol can be disabled on server ports and appliance
ports on Cisco UCS Fabric Interconnects, but it cannot be disabled on
Ethernet uplink ports, Ethernet port channel members, FCoE uplink ports, or
management ports.
To disable Cisco Discovery Protocol on the server ports of a Cisco UCS
Fabric Interconnect, administrators can use the disable cdp command in the
default nw-ctrl-policy in the org scope, as shown in the following example:
ucs-fi# scope org
ucs-fi /org # enter nw-ctrl-policy default
ucs-fi /org/nw-ctrl-policy # disable cdp
ucs-fi /org/nw-ctrl-policy* # exit
ucs-fi /org* # exit
ucs-fi* # commit-buffer
ucs-fi#
To disable Cisco Discovery Protocol on the appliance ports of a Cisco UCS
Fabric Interconnect, administrators can use the disable cdp command in the
default nw-ctrl-policy in the eth-storage scope, as shown in the following
example:
ucs-fi* # scope eth-storage
ucs-fi /eth-storage* # enter nw-ctrl-policy default
ucs-fi /eth-storage/nw-ctrl-policy* # disable cdp
ucs-fi /eth-storage/nw-ctrl-policy* # exit
ucs-fi /eth-storage* # exit
ucs-fi* # commit-buffer
ucs-fi#
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
In the following table(s), the left column lists Cisco software releases.
The right column indicates whether a release is affected by the
vulnerability described in this advisory and the first release that
includes the fix for this vulnerability.
Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvr15083
+--------------------------------+----------------------------------------------+
| Cisco FXOS Software Release    | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| Earlier than 2.2               | Migrate to a fixed release                   |
| 2.2                            | Migrate to a fixed release                   |
| 2.3                            | 2.3.1.173                                    |
| 2.4                            | Release no. TBD (May 2020)                   |
| 2.6                            | 2.6.1.187                                    |
| 2.7                            | 2.7.1.106                                    |
+--------------------------------+----------------------------------------------+
Note: In Cisco FXOS Software releases 2.1 and later, this vulnerability is
exploitable only via the management (mgmt0) port. In these releases Cisco
Discovery Protocol is never actually enabled on front-panel ports, even if
it is configured.
IOS XR Software: CSCvr15024
+--------------------------------+----------------------------------------------+
| Cisco IOS XR Software Release  | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| Earlier than 6.6               | Appropriate SMU                              |
| 6.6 ^1                         | 6.6.3 or appropriate SMU                     |
| 7.0                            | 7.0.2 (Mar 2020) or appropriate SMU          |
| 7.1                            | Not vulnerable                               |
+--------------------------------+----------------------------------------------+
1. Customers who are running Cisco IOS XR Software Release 6.6 on white box
routers are advised to upgrade to Release 6.6.12 and then install the
software maintenance upgrade (SMU). Customers who are running Cisco IOS XR
Software Release 6.6 on other platforms are advised to upgrade to Cisco IOS
XR Software Release 6.6.3.
The following SMUs are also available for Cisco IOS XR Software:
+--------------------------------+-----------+----------------------------+
| Cisco IOS XR Software Release  | Platform  | SMU Name                   |
+--------------------------------+-----------+----------------------------+
| 5.2.5                          | NCS6K     | ncs6k-5.2.5.CSCvr78185     |
+--------------------------------+-----------+----------------------------+
| 6.4.2                          | ASR9K-PX  | asr9k-px-6.4.2.CSCvr78185  |
|                                | CRS-PX    | hfr-px-6.4.2.CSCvr78185    |
+--------------------------------+-----------+----------------------------+
| 6.5.3                          | ASR9K-PX  | asr9k-px-6.5.3.CSCvr78185  |
|                                | ASR9K-X64 | asr9k-x64-6.5.3.CSCvr78185 |
|                                | NCS540    | ncs540-6.5.3.CSCvr78185    |
|                                | NCS560    | ncs560-6.6.25.CSCvr78185   |
|                                | NCS5K     | ncs5k-6.5.3.CSCvr78185     |
|                                | NCS5500   | ncs5500-6.5.3.CSCvr78185   |
|                                | XRV9K     | xrv9k-6.5.3.CSCvr78185     |
+--------------------------------+-----------+----------------------------+
| 6.6.12                         | White box | iosxrwbd-6.6.12.CSCvr78185 |
+--------------------------------+-----------+----------------------------+
| 6.6.25                         | NCS560    | ncs560-6.6.25.CSCvr78185   |
+--------------------------------+-----------+----------------------------+
| 7.0.1                          | NCS540L   | ncs540l-7.0.1.CSCvr78185   |
+--------------------------------+-----------+----------------------------+
For details on where to download and how to install SMUs in Cisco IOS XR
Software, see the IOS XR Software Maintenance Updates (SMUs) guide.
MDS 9000 Series Multilayer Switches: CSCvr15073
+--------------------------------+----------------------------------------------+
| Cisco NX-OS Software Release   | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| 5.2                            | 6.2(29)                                      |
| 6.2                            | 6.2(29)                                      |
| 7.3                            | 8.4(1a)                                      |
| 8.1                            | 8.4(1a)                                      |
| 8.2                            | 8.4(1a)                                      |
| 8.3                            | 8.4(1a)                                      |
| 8.4                            | 8.4(1a)                                      |
+--------------------------------+----------------------------------------------+
Nexus 1000 Virtual Edge for VMware vSphere: CSCvr15078
+--------------------------------+----------------------------------------------+
| Cisco NX-OS Software Release   | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| 5.2                            | 5.2(1)SV5(1.3)                               |
+--------------------------------+----------------------------------------------+
Nexus 1000V Switch for Microsoft Hyper-V: CSCvr15078
+--------------------------------+----------------------------------------------+
| Cisco NX-OS Software Release   | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| Earlier than 5.2               | No fix available ^1                          |
| 5.2                            | No fix available ^1                          |
+--------------------------------+----------------------------------------------+
1. Cisco Nexus 1000V Switch for Microsoft Hyper-V has reached end of
software maintenance.
Nexus 1000V Switch for VMware vSphere: CSCvr15078
+--------------------------------+----------------------------------------------+
| Cisco NX-OS Software Release   | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| Earlier than 5.2               | 5.2(1)SV3(4.1b)                              |
| 5.2                            | 5.2(1)SV3(4.1b)                              |
+--------------------------------+----------------------------------------------+
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode: CSCvr14976
+--------------------------------+----------------------------------------------+
| Cisco NX-OS Software Release   | First Fixed Release for This Vulnerability   |
+--------------------------------+----------------------------------------------+
| Earlier than 7.0(3)I           | 7.0(3)I7(8) (Feb 2020) or appropriate SMU ^1 |
| 7.0(3)I                        | 7.0(3)I7(8) (Feb 2020) or appropriate SMU ^1 |
| 7.0(3)F ^2                     | 9.3(2)                                       |
| 9.2                            | 9.3(2)                                       |
| 9.3                            | 9.3(2)                                       |
+--------------------------------+----------------------------------------------+
1. The SMUs that are available for Cisco NX-OS Software releases
7.0(3)I7(5a), 7.0(3)I7(6), and 7.0(3)I7(7) fix this vulnerability (CSCvr14976).
They also fix the vulnerability (CSCvr09175) that is described in the
advisory Cisco NX-OS Software Cisco Discovery Protocol Remote Code
Execution Vulnerability. The SMU filenames follow this format:
CSCvr09175-n9k_ALL-1.0.0-<NX-OS_Release>.lib32_n9000.rpm.
2. The Cisco NX-OS Software 7.0(3)F train runs on only Cisco Nexus 3600
Platform Switches and Cisco Nexus 9500 R-Series Switching Platform and is
no longer maintained. Customers are advised to migrate to Cisco NX-OS
Software releases 9.2 or later.
SMU Installation Instructions
To download SMUs from the Software Center on Cisco.com, do the following:
1. Click Browse All.
2. Choose IOS and NX-OS Software > NX-OS > NX-OS Software > Switches >
Data Center Switches.
3. Choose the appropriate product and model.
4. Choose NX-OS Software Maintenance Upgrades (SMU).
5. Choose a release from the left pane of the appropriate product page.
Note: The SMU filenames follow this format:
CSCvr09175-n9k_ALL-1.0.0-<NX-OS_Release>.lib32_n9000.rpm
For example, the SMU filename for Cisco NX-OS Software Release 7.0(3)I7(6) is
CSCvr09175-n9k_ALL-1.0.0-7.0.3.I7.6.lib32_n9000.rpm
To install the appropriate SMU, copy the SMU to the Bootflash: file system
for the switch and execute the following commands, which activate the fix
(this is a hot patch):
1. install add bootflash:<SMU_filename> activate
2. install commit
The following example shows the commands for installing the SMU for Cisco
NX-OS Software Release 7.0(3)I7(6):
nx-os# install add bootflash:CSCvr09175-n9k_ALL-1.0.0-7.0.3.I7.6.lib32_n9000.rpm activate
nx-os# install commit
Note: These instructions apply to only this particular type of SMU.
Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches:
CSCvr15079
Cisco NX-OS Software Release | First Fixed Release for This Vulnerability
Earlier than 7.1 | 7.3(6)N1(1)
7.1 | 7.3(6)N1(1)
7.3 | 7.3(6)N1(1)
Nexus 7000 Series Switches: CSCvr15073
Cisco NX-OS Software Release | First Fixed Release for This Vulnerability
Earlier than 6.2 | 6.2(24)
6.2 | 6.2(24)
7.2 | 7.3(5)D1(1)
7.3 | 7.3(5)D1(1)
8.0 | 8.2(5)
8.1 | 8.2(5)
8.2 | 8.2(5)
8.3 | 8.4(2) (Mar 2020) or appropriate SMU ^1
8.4 | 8.4(2) (Mar 2020) or appropriate SMU ^1
1. The following SMUs are available for Cisco NX-OS Software Release 8.4(1):
n7000-s2-dk9.8.4.1.CSCvs27997.bin, n7700-s2-dk9.8.4.1.CSCvs27997.bin, and
n7700-s3-dk9.8.4.1.CSCvs27997.bin. Customers who are running a Cisco NX-OS
Software 8.3 release are advised to upgrade to Cisco NX-OS Software Release
8.4(1) and then apply the appropriate SMU.
For details on where to download and how to install SMUs in Cisco NX-OS
Software for Cisco Nexus 7000 Series Switches, see the Performing Software
Maintenance Upgrades chapter of the Cisco Nexus 7000 Series NX-OS System
Management Configuration Guide.
Nexus 9000 Series Fabric Switches in ACI Mode: CSCvr15072
Cisco NX-OS Software Release | First Fixed Release for This Vulnerability
Earlier than 13.1 | 13.2(9b)
13.1 | 13.2(9b)
13.2 | 13.2(9b)
14.0 | 14.2(1j)
14.1 | 14.2(1j)
14.2 | 14.2(1j)
UCS 6200, 6300, and 6400 Series Fabric Interconnects: CSCvr15082 and
CSCvr15111
Cisco UCS Software Release | First Fixed Release for This Vulnerability
Earlier than 3.2 | 3.2(3n)
3.2 | 3.2(3n)
4.0 | 4.0(4g)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 5600 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
To determine the best release for Cisco UCS, see the Recommended Releases
documents in the release notes for the device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware of
public announcements about the vulnerability that is described in this
advisory. Cisco PSIRT is not aware of any malicious use of this
vulnerability.
Source
o Cisco would like to thank Barak Hadad of Armis for reporting this
vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
Revision History
o +---------+-------------------+--------------+---------+------------------+
| Version | Description | Section | Status | Date |
+---------+-------------------+--------------+---------+------------------+
| | Updated available | Fixed | | |
| 1.3 | first fixed | Software | Interim | 2020-February-21 |
| | releases tables. | | | |
+---------+-------------------+--------------+---------+------------------+
| | Removed FXOS 2.5 | | | |
| | which does not | Vulnerable | | |
| | exist. Updated | Products, | | |
| 1.2 | FXOS CDP | Workarounds, | Interim | 2020-February-07 |
| | information under | Fixed | | |
| | Vulnerable | Software | | |
| | Products and | | | |
| | Workarounds. | | | |
+---------+-------------------+--------------+---------+------------------+
| | Corrected | | | |
| | information | | | |
| | around when Cisco | | | |
| | FXOS and Cisco | | | |
| | UCS Fabric | | | |
| | Interconnects are | | | |
| | vulnerable, | | | |
| | mitigation | Vulnerable | | |
| | options for Cisco | Products, | | |
| 1.1 | FXOS and Cisco | Workarounds, | Interim | 2020-February-06 |
| | UCS Fabric | Fixed | | |
| | Interconnects and | Software | | |
| | vulnerable and | | | |
| | first fixed | | | |
| | releases for | | | |
| | Cisco FXOS and | | | |
| | Cisco Nexus 1000 | | | |
| | Virtual Edge for | | | |
| | VMware vSphere. | | | |
+---------+-------------------+--------------+---------+------------------+
| 1.0 | Initial public | - | Interim | 2020-February-05 |
| | release. | | | |
+---------+-------------------+--------------+---------+------------------+
- --------------------------------------------------------------------------------
Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability
Priority: High
Advisory ID: cisco-sa-20200205-iosxr-cdp-rce
First Published: 2020 February 5 16:00 GMT
Last Updated: 2020 October 20 18:23 GMT
Version 1.1: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvr09190
CVE-2020-3118
CWE-134
CVSS Score:
8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Cisco Discovery Protocol implementation for Cisco
IOS XR Software could allow an unauthenticated, adjacent attacker to
execute arbitrary code or cause a reload on an affected device.
The vulnerability is due to improper validation of string input from
certain fields in Cisco Discovery Protocol messages. An attacker could
exploit this vulnerability by sending a malicious Cisco Discovery Protocol
packet to an affected device. A successful exploit could allow the attacker
to cause a stack overflow, which could allow the attacker to execute
arbitrary code with administrative privileges on an affected device.
Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
vulnerability, an attacker must be in the same broadcast domain as the
affected device (Layer 2 adjacent).
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they have Cisco
Discovery Protocol enabled both globally and on at least one interface and
if they are running a vulnerable release of Cisco IOS XR Software (32-bit
or 64-bit):
ASR 9000 Series Aggregation Services Routers
Carrier Routing System (CRS)
IOS XRv 9000 Router
Network Convergence System (NCS) 540 Series Routers
Network Convergence System (NCS) 560 Series Routers
Network Convergence System (NCS) 1000 Series Routers
Network Convergence System (NCS) 5000 Series Routers
Network Convergence System (NCS) 5500 Series Routers
Network Convergence System (NCS) 6000 Series Routers
This vulnerability also affects third-party white box routers if they have
Cisco Discovery Protocol enabled both globally and on at least one
interface and if they are running a vulnerable release of Cisco IOS XR
Software.
Note: Cisco Discovery Protocol is not enabled in Cisco IOS XR Software by
default.
For information about which Cisco IOS XR Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determine the Status of Cisco Discovery Protocol
Administrators can determine whether Cisco Discovery Protocol is enabled on
a device by using the show running-config | include cdp command in the
device CLI. If the command returns at least the following lines, Cisco
Discovery Protocol is enabled globally and on at least one interface:
RP/0/RP0/CPU0:ios##show running-config | include cdp
Mon Dec 2 17:00:27.921 UTC
Building configuration...
cdp
cdp
.
.
.
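The manual check above only shows that the string "cdp" appears somewhere in the configuration. As an added example (not part of the Cisco advisory), the following Python parses a complete `show running-config` from IOS XR, reports whether Cisco Discovery Protocol is enabled globally and on which interfaces (the advisory's condition for exposure), and builds the `no cdp` configuration lines from the Workarounds section for whatever is still enabled. It relies on the IOS XR running-config layout (sub-mode commands indented by one space, blocks closed by `!`); the sample configuration is constructed, not captured from a real device.

```python
"""CDP exposure check for Cisco IOS XR running configurations.

Added example (not from the Cisco advisory). Parses the text of
``show running-config`` and reports whether Cisco Discovery Protocol is
enabled globally and on which interfaces, which is the condition the
advisory gives for a device being exposed to CVE-2020-3118.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CdpStatus:
    global_enabled: bool = False
    interfaces: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # Advisory condition: CDP enabled globally AND on at least one interface.
        return self.global_enabled and bool(self.interfaces)


def cdp_status(running_config: str) -> CdpStatus:
    """Walk an IOS XR running-config line by line.

    IOS XR prints sub-mode commands indented by one space and closes each
    block with a line containing only '!'. A bare 'cdp' at column 0 enables
    CDP globally; 'cdp' inside an 'interface ...' block enables it there.
    """
    status = CdpStatus()
    current_if: Optional[str] = None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!!"):
            continue  # blank line or '!!' banner comment
        if line[0].isspace():
            # Inside a sub-mode block; only interface blocks matter here.
            if current_if is not None and line.strip() == "cdp":
                status.interfaces.append(current_if)
            continue
        # Column-0 line: a top-level command or a block terminator.
        if line == "!":
            current_if = None
        elif line == "cdp":
            status.global_enabled = True
        elif line.startswith("interface "):
            current_if = line.split(None, 1)[1]
        else:
            current_if = None  # some other top-level command or block
    return status


def remediation_commands(status: CdpStatus, disable_globally: bool = True) -> List[str]:
    """Build the IOS XR configuration lines from the advisory's Workarounds.

    Disabling globally closes the vector entirely; otherwise 'no cdp' is
    issued under each interface that still has it enabled.
    """
    if not status.exposed:
        return []
    if disable_globally:
        return ["no cdp"]
    cmds: List[str] = []
    for intf in status.interfaces:
        cmds += [f"interface {intf}", " no cdp", "!"]
    return cmds


# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
!! IOS XR Configuration 6.5.3
!! Last configuration change at Mon Dec  2 17:00:00 2019 by admin
!
hostname ios
cdp
interface MgmtEth0/RP0/CPU0/0
 ipv4 address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/0/0/0
 cdp
 ipv4 address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 shutdown
!
end
"""

if __name__ == "__main__":
    st = cdp_status(SAMPLE_CONFIG)
    print(f"CDP global: {st.global_enabled}, interfaces: {st.interfaces}")
    print("exposed" if st.exposed else "not exposed")
    for cmd in remediation_commands(st, disable_globally=False):
        print(cmd)
```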
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Network
Convergence System (NCS) 520 Series Routers. Cisco has also confirmed that
this vulnerability does not affect the following Cisco software:
FXOS Software
IOS Software
IOS XE Software
NX-OS Software
UCS Software
Workarounds
o There are no workarounds that address this vulnerability.
However, customers who do not use the Cisco Discovery Protocol feature can
disable it either globally to fully close the attack vector or on
individual interfaces to reduce the attack surface.
Disable Cisco Discovery Protocol Globally
To disable Cisco Discovery Protocol globally on devices that are running
Cisco IOS XR Software, administrators can use the no cdp command in global
configuration mode, as shown in the following example:
RP/0/RP0/CPU0:ios#conf t
Mon Dec 2 17:58:08.556 UTC
RP/0/RP0/CPU0:ios(config)#no cdp
RP/0/RP0/CPU0:ios(config)#exit
Uncommitted changes found, commit them before exiting(yes/no/cancel) [cancel]:yes
Disable Cisco Discovery Protocol on an Interface
To disable Cisco Discovery Protocol on an interface on devices that are
running Cisco IOS XR Software, administrators can use the no cdp command in
interface configuration mode, as shown in the following example:
RP/0/RP0/CPU0:ios#conf t
Mon Dec 2 18:00:08.622 UTC
RP/0/RP0/CPU0:ios(config)#interface GigabitEthernet0/0/0/0
RP/0/RP0/CPU0:ios(config-if)#no cdp
RP/0/RP0/CPU0:ios(config-if)#end
Uncommitted changes found, commit them before exiting(yes/no/cancel) [cancel]:yes
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
In the following table, the left column lists Cisco software releases. The
right column indicates whether a release is affected by the vulnerability
described in this advisory and the first release that includes the fix for
this vulnerability.
Cisco IOS XR Software Release | First Fixed Release for This Vulnerability
Earlier than 6.6 | Appropriate SMU
6.6 ^1 | 6.6.3 or appropriate SMU
7.0 | 7.0.2 (Mar 2020) or appropriate SMU
7.1 | Not vulnerable
1. Customers who are running Cisco IOS XR Software Release 6.6 on white box
routers are advised to upgrade to Release 6.6.12 and then install the
software maintenance upgrade (SMU). Customers who are running Cisco IOS XR
Software Release 6.6 on other platforms are advised to upgrade to Release
6.6.3.
The following SMUs are also available for Cisco IOS XR Software:
Cisco IOS XR Software Release | Platform | SMU Name
5.2.5 | NCS6K | ncs6k-5.2.5.CSCvr78185
6.4.2 | ASR9K-PX | asr9k-px-6.4.2.CSCvr78185
6.4.2 | CRS-PX | hfr-px-6.4.2.CSCvr78185
6.5.3 | ASR9K-PX | asr9k-px-6.5.3.CSCvr78185
6.5.3 | ASR9K-X64 | asr9k-x64-6.5.3.CSCvr78185
6.5.3 | NCS540 | ncs540-6.5.3.CSCvr78185
6.5.3 | NCS5K | ncs5k-6.5.3.CSCvr78185
6.5.3 | NCS5500 | ncs5500-6.5.3.CSCvr78185
6.5.3 | XRV9K | xrv9k-6.5.3.CSCvr78185
6.6.12 | White box | iosxrwbd-6.6.12.CSCvr78185
6.6.25 | NCS560 | ncs560-6.6.25.CSCvr78185
7.0.1 | NCS540L | ncs540l-7.0.1.CSCvr78185
For details on where to download and how to install SMUs in Cisco IOS XR
Software, see the IOS XR Software Maintenance Updates (SMUs) guide.
Exploitation and Public Announcements
o In October 2020, the Cisco Product Security Incident Response Team (PSIRT)
received reports of attempted exploitation of this vulnerability in the
wild. Cisco recommends that customers upgrade to a fixed Cisco IOS XR
Software release to remediate this vulnerability.
Source
o Cisco would like to thank Barak Hadad of Armis for reporting this
vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
Revision History
o +---------+------------------------+---------------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+------------------------+---------------+--------+-------------+
| | Updated Exploitation | | | |
| | and Public | | | |
| | Announcements to | Exploitation | | |
| | indicate that | and Public | | |
| 1.1 | exploitation in the | Announcements | Final | 2020-OCT-20 |
| | wild has been | and | | |
| | observed. Fixed two | Vulnerable | | |
| | typos in Vulnerable | Products | | |
| | Products (no change to | | | |
| | affected products). | | | |
+---------+------------------------+---------------+--------+-------------+
| 1.0 | Initial public | - | Final | 2020-FEB-05 |
| | release. | | | |
+---------+------------------------+---------------+--------+-------------+
- --------------------------------------------------------------------------------
Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20200205-voip-phones-rce-dos
First Published: 2020 February 5 16:00 GMT
Last Updated: 2020 February 20 22:04 GMT
Version 1.3: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvr96057 CSCvr96058 CSCvr96059 CSCvr96060 CSCvr96063
CSCvr96064 CSCvr96065 CSCvr96066 CSCvr96067 CSCvr96069 CSCvr96070 CSCvr96071
CSCvr96738 CSCvr96739
CVE-2020-3111
CWE-20
CVSS Score:
8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Cisco Discovery Protocol implementation for the
Cisco IP Phone could allow an unauthenticated, adjacent attacker to
remotely execute code with root privileges or cause a reload of an affected
IP phone.
The vulnerability is due to missing checks when processing Cisco Discovery
Protocol messages. An attacker could exploit this vulnerability by sending
a crafted Cisco Discovery Protocol packet to the targeted IP phone. A
successful exploit could allow the attacker to remotely execute code with
root privileges or cause a reload of an affected IP phone, resulting in a
denial of service (DoS) condition.
Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
vulnerability, an attacker must be in the same broadcast domain as the
affected device (Layer 2 adjacent).
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco IP phones with Cisco
Discovery Protocol enabled ^1 and running a vulnerable firmware release:
IP Conference Phone 7832
IP Conference Phone 7832 with Multiplatform Firmware
IP Conference Phone 8832
IP Conference Phone 8832 with Multiplatform Firmware
IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware
IP Phone 7811, 7821, 7841, 7861 Desktop Phones
IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform
Firmware
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with
Multiplatform Firmware
Unified IP Conference Phone 8831
Unified IP Conference Phone 8831 for Third-Party Call Control
Wireless IP Phone 8821, 8821-EX
^1 Cisco Discovery Protocol is enabled by default on most IP Phone models.
For information about which software releases are vulnerable, see the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
ATA 191 Analog Telephone Adapter
ATA 192 Multiplatform Analog Telephone Adapter
IP DECT 6825 with Multiplatform Firmware
SPA112 2-Port Phone Adapter
SPA122 ATA with Router
SPA2102 Phone Adapter with Router
SPA232D Multi-Line DECT ATA
Small Business SPA300 Series IP Phones
Small Business SPA500 Series IP Phones
SPA3102 Voice Gateway with Router
SPA8000 8-port IP Telephony Gateway
SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
Unified IP Phone 6901
Unified IP Phone 7942
Unified IP Phone 7945
Unified IP Phone 7962
Unified IP Phone 7965
Unified IP Phone 7975
Unified SIP Phone 3905
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to an appropriate fixed firmware release
as indicated in the following table:
Cisco IP Phone Model | Cisco Bug ID | First Fixed Release
IP Conference Phone 7832 | CSCvr96069 | 12.7(1)
IP Conference Phone 7832 with Multiplatform Firmware | CSCvr96060 | 11.3(1)SR1
IP Conference Phone 8832 | CSCvr96071 | 12.7(1)
IP Conference Phone 8832 with Multiplatform Firmware | CSCvr96064 | 11.3(1)SR1
IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware | CSCvr96065, CSCvr96067 | 11.3(1)SR1
IP Phone 7811, 7821, 7841, 7861 Desktop Phones | CSCvr96739 | 12.7(1)
IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware | CSCvr96063 | 11.3(1)SR1
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones | CSCvr96066, CSCvr96069 | 12.7(1)
IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform Firmware | CSCvr96058, CSCvr96059 | 11.3(1)SR1
Unified IP Conference Phone 8831 | CSCvr96738 | 10.3(1)SR6 (Targeted for March 2020)
Unified IP Conference Phone 8831 for Third-Party Call Control | CSCvr96057 | There is no fixed firmware available at this time.
Wireless IP Phone 8821 and 8821-EX | CSCvr96070 | 11.0(5)SR2
To download the Cisco IP Phone firmware from the Software Center on
Cisco.com, do the following:
1. Click Browse all.
2. Choose Collaboration Endpoints > IP Phones.
3. Choose a specific product from the right pane of the product selector.
4. Choose a release from the left pane of the product page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware of
public announcements about this vulnerability. Cisco PSIRT is not aware of
any malicious use of the vulnerability that is described in this advisory.
Source
o Cisco would like to thank Ben Seri, VP of Research at Armis, for finding
and reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos
Revision History
o +---------+----------------------+------------+--------+------------------+
| Version | Description | Section | Status | Date |
+---------+----------------------+------------+--------+------------------+
| | Added the Cisco | | | |
| | Unified SIP Phone | Products | | |
| 1.3 | 3905 and Cisco | Confirmed | Final | 2020-February-20 |
| | Unified IP Phone | Not | | |
| | 6901 as confirmed | Vulnerable | | |
| | not vulnerable. | | | |
+---------+----------------------+------------+--------+------------------+
| | Added the Cisco | | | |
| | ATA191 and ATA 192 | | | |
| | products as not | Products | | |
| 1.2 | vulnerable. Listed | Confirmed | Final | 2020-February-14 |
| | the specific models | Not | | |
| | of the 7900 phones | Vulnerable | | |
| | that are confirmed | | | |
| | not vulnerable. | | | |
+---------+----------------------+------------+--------+------------------+
| | Added the Cisco | Products | | |
| 1.1 | Unified IP Phone | Confirmed | Final | 2020-February-11 |
| | 7900 Series as not | Not | | |
| | vulnerable. | Vulnerable | | |
+---------+----------------------+------------+--------+------------------+
| 1.0 | Initial public | - | Final | 2020-February-05 |
| | release. | | | |
+---------+----------------------+------------+--------+------------------+
- --------------------------------------------------------------------------------
Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote
Code Execution and Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20200205-ipcameras-rce-dos
First Published: 2020 February 5 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvr96127
CVE-2020-3110
CWE-20
CVSS Score:
8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Cisco Discovery Protocol implementation for the
Cisco Video Surveillance 8000 Series IP Cameras could allow an
unauthenticated, adjacent attacker to execute code remotely or cause a
reload of an affected IP Camera.
The vulnerability is due to missing checks when processing Cisco Discovery
Protocol messages. An attacker could exploit this vulnerability by sending
a malicious Cisco Discovery Protocol packet to the targeted IP Camera. A
successful exploit could allow the attacker to expose the affected IP
Camera for remote code execution or cause it to reload unexpectedly,
resulting in a denial of service (DoS) condition.
Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
vulnerability, an attacker must be in the same broadcast domain as the
affected device (Layer 2 adjacent).
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos
Affected Products
o Vulnerable Products
This vulnerability affects Cisco Video Surveillance 8000 Series IP Cameras
with the Cisco Discovery Protocol enabled when they are running a firmware
version earlier than 1.0.7.
For information about which Cisco Video Surveillance 8000 Series IP Camera
firmware releases are vulnerable, see the Fixed Software section of this
advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Video Surveillance 3000 Series IP Cameras
Video Surveillance 4000 Series High-Definition IP Cameras
Video Surveillance 4300E and 4500E High-Definition IP Cameras
Video Surveillance 6000 Series IP Cameras
Video Surveillance 7000 Series IP Cameras
Video Surveillance PTZ IP Cameras
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in Video Surveillance 8000 Series IP Camera
Firmware Release 1.0.7 and later.
Customers can download Video Surveillance 8000 Series IP Camera Firmware
from the Software Center on Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Connected Safety and Security > Video Surveillance IP
Cameras > Video Surveillance 8000 Series IP Cameras.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Ben Seri, VP of Research at Armis, for finding
and reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos
Revision History
o +---------+-------------------------+---------+--------+------------------+
| Version | Description | Section | Status | Date |
+---------+-------------------------+---------+--------+------------------+
| 1.0 | Initial public release. | - | Final | 2020-February-05 |
+---------+-------------------------+---------+--------+------------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----