Several critical switch vulnerabilities that could allow an attacker to break network segmentation have been patched by Cisco.
Dubbed CDPwn by the researchers at Armis who discovered the flaws, the vulnerabilities exist in a Layer 2 networking protocol called Cisco Discovery Protocol (CDP).
Network segmentation is an effective security strategy that isolates data and systems of different ‘value’ and ‘risk’ from each other in separate VLANs. For example, internet-facing IoT devices sit on one VLAN and cannot ‘see’ or communicate with database servers, which sit in a different VLAN on a different network segment.
One possible attack scenario would be to compromise an IoT device that sits in an isolated VLAN and then use that device to exploit the vulnerability in CDP to attack the switch at the heart of the network. Once that switch has been compromised, the attackers would be able to reach any device in any VLAN connected to that Cisco switch.
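The scenario above hinges on CDP frames from an untrusted access port reaching the switch at all. The following Python script is an added example, not code from the article or from Armis: it parses CDP frames (802.3 frame to the CDP multicast MAC, LLC/SNAP header, then the CDP version/TTL/checksum header and its type-length-value records), flags CDP arriving on ports whose role says CDP should be disabled there, and flags structurally invalid TLVs. The port-to-role mapping, the port names and every frame are constructed for the example; the CDP checksum is not validated.

```python
import struct
from dataclasses import dataclass, field

# CDP is carried in an 802.3 frame to 01:00:0c:cc:cc:cc with an LLC/SNAP header:
# DSAP 0xAA, SSAP 0xAA, control 0x03, OUI 00:00:0c, protocol id 0x2000.
CDP_MULTICAST = bytes.fromhex("01000ccccccc")
CDP_SNAP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")

# The TLV types this example extracts (others are skipped over, not rejected).
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}

# Constructed port roles: a port facing IoT devices should not see CDP at all.
UNTRUSTED_PORT_ROLES = {"iot-access", "guest"}


@dataclass
class CdpFrame:
    src_mac: str
    version: int
    ttl: int
    tlvs: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


def parse_cdp(frame: bytes):
    """Return a CdpFrame for a CDP frame, or None if the frame is not CDP."""
    if len(frame) < 14 + 8 + 4:  # Ethernet + LLC/SNAP + CDP header
        return None
    if frame[:6] != CDP_MULTICAST or frame[14:22] != CDP_SNAP_HEADER:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    version, ttl = frame[22], frame[23]          # bytes 24:26 are the checksum
    out = CdpFrame(src_mac=src_mac, version=version, ttl=ttl)
    if version not in (1, 2):
        out.problems.append(f"unknown CDP version {version}")
    body = frame[26:]
    off = 0
    while off < len(body):
        if off + 4 > len(body):
            out.problems.append("truncated TLV header")
            break
        t_type, t_len = struct.unpack_from("!HH", body, off)
        # The TLV length includes its own 4-byte header, so it can never be < 4
        # and must fit inside the frame; anything else is malformed input.
        if t_len < 4:
            out.problems.append(f"TLV 0x{t_type:04x} length {t_len} < 4")
            break
        if off + t_len > len(body):
            out.problems.append(f"TLV 0x{t_type:04x} length {t_len} overruns frame")
            break
        value = body[off + 4: off + t_len]
        name = TLV_NAMES.get(t_type)
        if name:
            out.tlvs[name] = value.decode("ascii", errors="replace")
        off += t_len
    return out


def assess(observations, port_roles):
    """observations: iterable of (ingress_port, raw_frame). Returns alert strings."""
    alerts = []
    for port, raw in observations:
        cdp = parse_cdp(raw)
        if cdp is None:          # not CDP: out of scope for this check
            continue
        role = port_roles.get(port, "unknown")
        who = cdp.tlvs.get("device_id", "?")
        if role in UNTRUSTED_PORT_ROLES:
            alerts.append(f"{port}: CDP from {cdp.src_mac} ({who}) on {role} port; "
                          "CDP should be disabled on this port")
        for problem in cdp.problems:
            alerts.append(f"{port}: malformed CDP from {cdp.src_mac}: {problem}")
    return alerts


# --- constructed sample input -------------------------------------------------
def tlv(t_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", t_type, 4 + len(value)) + value


def build_cdp(src_mac: bytes, tlv_bytes: bytes) -> bytes:
    cdp = bytes([2, 180]) + b"\x00\x00" + tlv_bytes   # version 2, TTL 180, checksum zeroed
    payload = CDP_SNAP_HEADER + cdp
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


PORT_ROLES = {"Gi1/0/1": "uplink", "Gi1/0/12": "iot-access"}   # constructed

SAMPLE_FRAMES = [
    # Expected: a neighbouring switch announcing itself on the uplink.
    ("Gi1/0/1", build_cdp(bytes.fromhex("0011aa000001"),
                          tlv(0x0001, b"core-sw2") + tlv(0x0006, b"cisco WS-C3850"))),
    # Suspicious: CDP arriving from a device on the IoT access port.
    ("Gi1/0/12", build_cdp(bytes.fromhex("0011bb000002"),
                           tlv(0x0001, b"cam-lobby-1") + tlv(0x0003, b"eth0"))),
    # Malformed: a TLV whose declared length runs far past the end of the frame.
    ("Gi1/0/12", build_cdp(bytes.fromhex("0011bb000003"),
                           struct.pack("!HH", 0x0001, 0x0400) + b"x")),
    # Not CDP at all (broadcast ARP-style frame): ignored by the check.
    ("Gi1/0/12", b"\xff" * 6 + bytes.fromhex("0011bb000004") + b"\x08\x06" + b"\x00" * 28),
]

if __name__ == "__main__":
    for line in assess(SAMPLE_FRAMES, PORT_ROLES):
        print(line)
```

Run against a capture, the port-role map is the policy: CDP seen on any port where it is not needed is itself the finding, independent of any particular flaw in the CDP parser, and the fix on the switch side is to disable CDP on those ports. The TLV length checks catch the kind of structurally invalid frame that a fuzzing or exploitation attempt produces, so both classes of alert are worth forwarding to the SIEM.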
Breaking network segmentation is just one possible outcome from exploiting these vulnerabilities. According to the researchers, possible implications include:
- Breaking of network segmentation
- Data exfiltration of corporate network traffic traversing through an organization’s switches and routers
- Gaining access to additional devices through man-in-the-middle attacks that intercept and alter traffic on the corporate switch
- Data exfiltration of sensitive information such as phone calls from devices like IP phones and video feeds from IP cameras
The protocol vulnerabilities have existed in some devices for up to 10 years, and a wide range of Cisco devices are affected, including Firepower Routers and Security Appliances, Nexus Switches, NCS Switches and several ranges of Cisco IP Phones.
Network switches and routers are ‘silent’ devices in many networks and rarely need configuring or changing. As a result, there is a risk that they are overlooked in the regular patching cycle, allowing exploits like CDPwn to be used.
For ideas on how to ensure your network does not contain forgotten and unpatched devices, read our article: Infrastructure Patching Problems