What are CDP (Cisco Discovery Protocol) Attacks?
CDP is a Layer 2 protocol used by Cisco devices to discover other directly connected Cisco devices in a network. This allows devices to auto-configure their connections, which simplifies connectivity and configuration.
CDP is enabled by default on most Cisco devices. Because routers do not forward it, CDP data stays on the local link: it is transmitted in periodic broadcasts, and each Cisco device keeps what it receives in its local CDP table.
The CDP database holds a great deal of information about a device, such as its capabilities, IP address, native VLAN, software version and platform version. When this information reaches a malicious user through a compromised system, it can be used to find exploits for attacking the network; such attacks are generally carried out as DoS attacks. Because CDP is not authenticated, a malicious user can also craft counterfeit CDP packets and send them to other devices.
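To make the exposure concrete, the following added example (not from the original article) builds a CDP frame with constructed values and decodes it the way any host on the same link could. The device name, port, IP address (from the RFC 5737 documentation range) and version string are all made up; the frame layout (CDP multicast MAC, LLC/SNAP header with the Cisco OUI and protocol ID 0x2000, then version, TTL, checksum and TLVs) follows the public CDP format. The parser refuses TLVs whose length field runs past the payload, which is the kind of input handling the malformed-packet CVEs below are about. A checksum caveat: the plain one's-complement sum is only correct for even-length payloads, so the constructed frame is even-length and odd-length frames are rejected rather than mis-verified.

```python
import struct
from typing import Any, Dict, List

# Encapsulation constants: CDP multicast MAC and LLC/SNAP header (Cisco OUI 00:00:0C, PID 0x2000).
CDP_MULTICAST = bytes.fromhex("01000ccccccc")
CDP_SNAP = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + bytes.fromhex("2000")

# TLV type codes carried in a CDP payload.
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_SOFTWARE_VERSION, TLV_PLATFORM = 0x0004, 0x0005, 0x0006
TLV_NATIVE_VLAN = 0x000A
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement sum (RFC 1071 style) over an even-length buffer.
    Real CDP handles odd-length payloads with a Cisco-specific twist, so odd input is refused."""
    if len(data) % 2:
        raise ValueError("odd-length payload: CDP's odd-length checksum rule is not implemented here")
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tlv(tlv_type: int, value: bytes) -> bytes:
    # The TLV length field counts the 4-byte type/length header as well as the value.
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame() -> bytes:
    """Constructed sample frame: hostname, port, address and version string are hypothetical."""
    ip = bytes([192, 0, 2, 10])
    # Addresses TLV: count, then per entry (protocol type 1 = NLPID, proto len 1, 0xCC = IPv4, addr len, addr).
    addresses = struct.pack("!I", 1) + bytes([0x01, 0x01, 0xCC]) + struct.pack("!H", 4) + ip
    tlvs = (_tlv(TLV_DEVICE_ID, b"SW-ACCESS-01")
            + _tlv(TLV_ADDRESSES, addresses)
            + _tlv(TLV_PORT_ID, b"GigabitEthernet1/0/24")
            + _tlv(TLV_CAPABILITIES, struct.pack("!I", 0x08 | 0x20))   # Switch + IGMP
            + _tlv(TLV_SOFTWARE_VERSION, b"Cisco IOS Software, constructed sample version string.")
            + _tlv(TLV_PLATFORM, b"cisco WS-C2960X-48TS-L")
            + _tlv(TLV_NATIVE_VLAN, struct.pack("!H", 1)))
    body = struct.pack("!BBH", 2, 180, 0) + tlvs          # version 2, TTL 180 s, checksum placeholder
    body = body[:2] + struct.pack("!H", ones_complement_checksum(body)) + body[4:]
    src_mac = bytes.fromhex("020000000001")                # locally administered, constructed
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(CDP_SNAP) + len(body)) + CDP_SNAP + body


def _parse_addresses(value: bytes) -> List[str]:
    count = struct.unpack("!I", value[:4])[0]
    addrs, p = [], 4
    for _ in range(count):
        if p + 2 > len(value):
            raise ValueError("truncated address entry")
        ptype, plen = value[p], value[p + 1]
        if p + 4 + plen > len(value):
            raise ValueError("truncated address entry")
        proto = value[p + 2:p + 2 + plen]
        alen = struct.unpack("!H", value[p + 2 + plen:p + 4 + plen])[0]
        addr = value[p + 4 + plen:p + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        if ptype == 1 and proto == b"\xcc" and alen == 4:   # NLPID 0xCC = IPv4
            addrs.append(".".join(str(b) for b in addr))
        p += 4 + plen + alen
    return addrs


def parse_cdp_frame(frame: bytes) -> Dict[str, Any]:
    """Decode a CDP frame into the fields that travel in cleartext on the link."""
    if frame[:6] != CDP_MULTICAST or frame[14:22] != CDP_SNAP:
        raise ValueError("not a CDP frame")
    body = frame[22:]
    version, ttl, checksum = struct.unpack("!BBH", body[:4])
    zeroed = body[:2] + b"\x00\x00" + body[4:]
    info: Dict[str, Any] = {"version": version, "ttl": ttl,
                            "checksum_ok": ones_complement_checksum(zeroed) == checksum}
    off = 4
    while off + 4 <= len(body):
        tlv_type, length = struct.unpack("!HH", body[off:off + 4])
        if length < 4 or off + length > len(body):
            raise ValueError("malformed TLV length")      # never walk past the payload on a bad length
        value = body[off + 4:off + length]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = _parse_addresses(value)
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            caps = struct.unpack("!I", value)[0]
            info["capabilities"] = [n for bit, n in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == TLV_SOFTWARE_VERSION:
            info["software_version"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_NATIVE_VLAN and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        off += length
    return info


if __name__ == "__main__":
    for key, val in parse_cdp_frame(build_cdp_frame()).items():
        print(f"{key:17} {val}")
```

Running it lists the device ID, management address, port, capabilities, software version, platform and native VLAN, i.e. exactly the inventory the paragraph above describes. The same parser can be pointed at frames captured on an access port to audit what a switch is announcing to untrusted hosts.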
- Telnet Attacks: Telnet is an insecure protocol that a malicious user can use for remote access to a network device. They can then launch a brute force attack against the virtual terminal lines on the switch to crack passwords.
- Brute force password attacks: In this kind of attack the malicious user uses a list of common passwords together with a program that establishes a telnet session and tries each word in the dictionary list. If the dictionary attack does not crack the password, the malicious user might use a combination attack as the next step of the brute force attack.
- Telnet DoS attack: Telnet can also be used for DoS attacks. Here the malicious user exploits a bug in the telnet server software running on the switch that renders the telnet service inaccessible. Combined with other direct attacks, this can prevent administrators from remotely accessing vital devices and switch management during an attack.
- CVE-2020-3110, an RCE and DoS vulnerability in the CDP implementation of Cisco Video Surveillance 8000 Series IP Cameras: A malicious user can exploit this vulnerability by sending forged CDP packets to an affected camera. It allows an unauthenticated user to execute code remotely and can also cause the affected camera to reload unexpectedly, resulting in a DoS condition.
- CVE-2020-3111, an RCE and DoS vulnerability in Cisco IP Phones: This could allow an unauthorized malicious user to carry out an RCE attack with root privileges, and it can also cause an affected IP phone to reload, resulting in a DoS-like condition.
- CVE-2020-3118, a format string vulnerability in the CDP implementation of Cisco IOS XR Software: This vulnerability could let an unauthorized malicious user execute arbitrary code, and it can also trigger a stack overflow and a reload of the affected device.
Preventing CDP Attacks:
The following measures help prevent CDP attacks.
- Disable CDP on devices or ports where it is not needed using the “no cdp run” command.
- To prevent brute force password attacks, use strong passwords and change them regularly.
- An ACL (Access Control List) can be used to limit access to the virtual terminal lines.
- Disable CDP on routers that are connected to external networks.
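The four points above translate into settings that can be checked mechanically in a running-config. The following added example (not from the original article) audits two constructed IOS-style configurations: a weak one with CDP left running everywhere and telnet open on the vty lines, and a hardened one with CDP off (“no cdp run” globally, plus “no cdp enable” on the externally connected interface, which is the per-interface form of the command), an access-class ACL on the vty lines and SSH-only transport. Hostnames, interface roles and the ACL are hypothetical; the set of externally connected interfaces is passed in explicitly because the config alone does not say which links face outside. IOS shows “no cdp run” and “no cdp enable” only when CDP has been turned off, so their absence is treated as CDP on.

```python
from typing import Dict, List, Set

# Constructed sample running-config with the weak settings (hypothetical device).
WEAK_CONFIG = """\
hostname SW-ACCESS-01
!
interface GigabitEthernet1/0/1
 description uplink to ISP router (external)
!
interface GigabitEthernet1/0/24
 description uplink to core switch
!
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 transport input telnet
 login local
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""

# The same device after applying the prevention steps (constructed).
HARDENED_CONFIG = """\
hostname SW-ACCESS-01
!
no cdp run
!
interface GigabitEthernet1/0/1
 description uplink to ISP router (external)
 no cdp enable
!
interface GigabitEthernet1/0/24
 description uplink to core switch
!
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into top-level commands and their indented sub-commands."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # '!' closes the current section
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def audit_config(config: str, external_ifaces: Set[str]) -> List[str]:
    """Return findings for the CDP and vty hardening points; an empty list means all checks passed."""
    sections = parse_sections(config)
    findings: List[str] = []
    cdp_global = "no cdp run" not in sections  # CDP runs unless explicitly disabled
    if cdp_global:
        findings.append("global: CDP is running (no 'no cdp run'); disable it where it is not needed")
    for name, body in sections.items():
        if name.startswith("interface "):
            iface = name.split(" ", 1)[1]
            if iface in external_ifaces and cdp_global and "no cdp enable" not in body:
                findings.append(f"{iface}: CDP enabled on an externally connected interface")
        elif name.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input")]
            if not transport or any(w in transport[0] for w in (" telnet", " all")):
                findings.append(f"{name}: telnet permitted or transport not restricted to ssh")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{name}: no access-class ACL limiting who can reach the vty lines")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg, {"GigabitEthernet1/0/1"}) or ["no findings"]:
            print("  ", finding)
```

The weak config yields four findings (CDP running globally, CDP still on the external uplink, telnet allowed on vty 0 4 and no access-class on vty 0 4), while vty 5 15 passes because it already restricts sources and transport. The hardened config produces no findings. The checker only looks at the configuration; whether the CDP table on the device actually stops growing is confirmed with the device's own show commands.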
Changes in CDP can be monitored with a CDP monitor, a program that discovers CDP changes on the network; it can notify the user with a message box and can also send warning emails. Because it is possible to send custom CDP packets from the CDP monitor, it can also be used in CDP spoofing attacks.