
Infrastructure Briefing — Patch Cisco CDPwn remote code execution flaws

Cisco disclosed five CDP parsing bugs ("CDPwn") in Catalyst switches, routers, IP phones, and UCS servers that allow adjacent attackers to execute code or cause device reboots. Organizations running Layer 2 Cisco gear must deploy the February 5, 2020 security updates and enable available mitigations to block crafted CDP traffic.


Executive briefing: Cisco patched five flaws in its implementation of Cisco Discovery Protocol (CDP) across Catalyst switches, routers, IP phones, and UCS servers. Crafted Layer 2 CDP packets could trigger stack buffer overflows or format string issues, leading to remote code execution (CVE-2020-3118, CVE-2020-3119) or denial of service on adjacent networks.

Why it matters

  • Exposure: CDP is enabled by default on Cisco access and data center platforms, so switch uplinks, IP phones, and hypervisor management ports were all reachable from the local network.
  • Impact: Successful exploitation could give attackers control of Layer 2 infrastructure, allowing traffic interception or further lateral movement without triggering perimeter defenses.
  • Operational risk: IP telephony outages and switch reloads can disrupt campus and branch operations if exploitation causes repeated crashes.

Operator actions

  1. Patch priority: Apply the February 5, 2020 software updates for affected Catalyst, Nexus, UCS, and IP phone platforms per Cisco advisory guidance.
  2. Restrict CDP: Disable CDP on interfaces where it is not operationally required, especially internet-facing and inter-VLAN trunk ports.
  3. Monitor for abuse: Inspect switch logs and telemetry for malformed CDP packets or unexplained reloads on access switches and UCS fabric interconnects.
  4. Validate phone exposure: Update Cisco IP phone firmware and ensure voice VLANs are isolated from untrusted client segments.
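
One way to audit step 2 offline, as an added example that is not part of the original briefing or of Cisco's advisory: the Python below parses a saved IOS-style running-config and lists the interfaces where CDP is still active. It assumes IOS defaults (CDP is on unless `no cdp run` or `no cdp enable` is configured); the sample config and the function name are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname access-sw-01
!
interface GigabitEthernet1/0/1
 description user access port
 switchport mode access
!
interface GigabitEthernet1/0/2
 description guest kiosk
 no cdp enable
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
!
line vty 0 4
"""

def cdp_enabled_interfaces(config_text):
    """Return names of interfaces on which CDP is still active.

    Assumptions (IOS defaults): CDP runs globally unless 'no cdp run' is
    present, and on each interface unless 'no cdp enable' is present.
    Administratively shut-down interfaces are not reported.
    """
    globally_off = False
    blocks = {}     # interface name -> list of its sub-commands
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line == "no cdp run":
            globally_off = True
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a new top-level command ends the block
    if globally_off:
        return []
    return [name for name, cmds in blocks.items()
            if "no cdp enable" not in cmds and "shutdown" not in cmds]
```

Each interface returned is a candidate for `no cdp enable` unless CDP is operationally required there, for example on an uplink or a port serving an IP phone.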
