Cisco Discovery Protocol vulnerabilities (CDPwn) (CVE-2020-3118 / 2020-3119 / 2020-3120)
Daisy has received a notification from Cisco detailing a number of vulnerabilities within their Cisco Discovery Protocol (CDP). This series of vulnerabilities has been named CDPwn.
CVE-2020-3118
A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
CVE-2020-3119
A vulnerability in the Cisco Discovery Protocol implementation for Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
CVE-2020-3120
A vulnerability in the Cisco Discovery Protocol implementation for Cisco FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
Daisy are progressing with implementing the updates provided by Cisco. If you require further information relating to your services, please raise your queries through the usual support channels.
At the time of writing, Daisy are not aware of any active exploitation of these vulnerabilities. Daisy will continue to closely follow advisories provided by Cisco regarding these vulnerabilities, and further updates will be posted to the Service Updates page as appropriate.
Further information relating to these vulnerabilities is available here: https://www.armis.com/cdpwn/