Vulnslist

find the latest Cisco vulnerabilities

Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability

cisco-sa-20200205-fxnxos-iosxr-cdp-dos · High · Published · Updated

A vulnerability in the Cisco Discovery Protocol implementation for Cisco FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to a missing check when the affected software processes Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to exhaust system memory, causing the device to reload. Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos

Cisco advisory · CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

However, customers who do not use the Cisco Discovery Protocol feature can disable it either globally to fully close the attack vector or on individual interfaces to reduce the attack surface.
Disable Cisco Discovery Protocol in Cisco FXOS Software
Cisco Discovery Protocol is always enabled and cannot be disabled in Cisco FXOS Software. In Cisco FXOS Software releases 2.1 and later, Cisco Discovery Protocol is enabled on the management (mgmt0) port only.
Disable Cisco Discovery Protocol Globally in Cisco IOS XR Software
To disable Cisco Discovery Protocol globally on devices running Cisco IOS XR Software, administrators can use the no cdp command in global configuration mode, as shown in the following example:

RP/0/RP0/CPU0:ios#conf t
Mon Dec 2 17:58:08.556 UTC RP/0/RP0/CPU0:ios(config)#no cdp RP/0/RP0/CPU0:ios(config)#exit Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:yes
Disable Cisco Discovery Protocol on an Interface in Cisco IOS XR Software
To disable Cisco Discovery Protocol a particular interface on a particular device that is running Cisco IOS XR Software, administrators can use the no cdp command in interface configuration mode, as shown in the following example:

RP/0/RP0/CPU0:ios#conf t
Mon Dec 2 18:00:08.622 UTC RP/0/RP0/CPU0:ios(config)#interface GigabitEthernet0/0/0/0 RP/0/RP0/CPU0:ios(config-if)#no cdp RP/0/RP0/CPU0:ios(config-if)#end Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:yes
Disable Cisco Discovery Protocol Globally on Cisco Nexus Switches That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in global configuration mode, as shown in the following example:

nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z. nxos(config)# no cdp enable nxos(config)# end nxos# copy running-config startup-config [########################################] 100% Copy complete.
Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol on an interface on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in interface configuration mode, as shown in the following example:

nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z. nxos(config)# interface Ethernet1/1 nxos(config-if)# no cdp enable nxos(config-if)# end nxos# copy running-config startup-config [########################################] 100% Copy complete.
Disable Cisco Discovery Protocol on Cisco UCS Fabric Interconnects
Cisco Discovery Protocol cannot be disabled completely on Cisco UCS Fabric Interconnects.

Cisco Discovery Protocol can be disabled on server ports and appliance ports on Cisco UCS Fabric Interconnects, but it cannot be disabled on Ethernet uplink ports, Ethernet port channel members, FCoE uplink ports, or management ports.

To disable Cisco Discovery Protocol on the server ports of a Cisco UCS Fabric Interconnect, administrators can use the disable cdp command in the default nw-ctrl-policy in the org scope, as shown in the following example:

ucs-fi# scope org
ucs-fi /org # enter nw-ctrl-policy default ucs-fi /org/nw-ctrl-policy # disable cdp ucs-fi /org/nw-ctrl-policy* # exit ucs-fi /org* # exit ucs-fi* # commit-buffer ucs-fi#

To disable Cisco Discovery Protocol on the appliance ports of a Cisco UCS Fabric Interconnect, administrators can use the disable cdp command in the default nw-ctrl-policy in the eth-storage scope, as shown in the following example:

ucs-fi* # scope eth-storage
ucs-fi /eth-storage* # enter nw-ctrl-policy default ucs-fi /eth-storage/nw-ctrl-policy* # disable cdp ucs-fi /eth-storage/nw-ctrl-policy* # exit ucs-fi /eth-storage* # exit ucs-fi* # commit-buffer ucs-fi#

CVEsCVE-2020-3120
Cisco Bug IDsCSCvr15024, CSCvr15073, CSCvr15078, CSCvr14976, CSCvr15079, CSCvr15072, CSCvr15082, CSCvr15111, CSCvr15083
CVSS ScoreBase 7.4
Base 7.4 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Product Names From Source
Cisco IOS XR Software, Cisco Unified Computing System (Managed), Cisco NX-OS Software 6.0(2)A8(1), Cisco NX-OS Software 6.0(2)A8(2), Cisco NX-OS Software 6.0(2)A8(3), Cisco NX-OS Software 6.0(2)A8(4), Cisco NX-OS Software 6.0(2)A8(4a), Cisco NX-OS Software 6.0(2)A8(5), Cisco NX-OS Software 6.0(2)A8(6), Cisco NX-OS Software 6.0(2)A8(7), Cisco NX-OS Software 6.0(2)A8(7a), Cisco NX-OS Software 6.0(2)A8(7b), Cisco NX-OS Software 6.0(2)A8(8), Cisco NX-OS Software 6.0(2)A8(9), Cisco NX-OS Software 6.0(2)A8(10a), Cisco NX-OS Software 6.0(2)A8(10), Cisco NX-OS Software 6.0(2)A8(11), Cisco NX-OS Software 6.0(2)A8(11a), Cisco NX-OS Software 6.0(2)A8(11b), Cisco NX-OS Software 7.0(3)F3(1), Cisco NX-OS Software 7.0(3)F3(2), Cisco NX-OS Software 7.0(3)F3(3), Cisco NX-OS Software 7.0(3)F3(3a), Cisco NX-OS Software 7.0(3)F3(4), Cisco NX-OS Software 7.0(3)F3(3c), Cisco NX-OS Software 7.0(3)F3(5), Cisco NX-OS Software 7.0(3)I4(1), Cisco NX-OS Software 7.0(3)I4(2), Cisco NX-OS Software 7.0(3)I4(3), Cisco NX-OS Software 7.0(3)I4(4), Cisco NX-OS Software 7.0(3)I4(5), Cisco NX-OS Software 7.0(3)I4(6), Cisco NX-OS Software 7.0(3)I4(7), Cisco NX-OS Software 7.0(3)I4(8), Cisco NX-OS Software 7.0(3)I4(8a), Cisco NX-OS Software 7.0(3)I4(8b), Cisco NX-OS Software 7.0(3)I4(8z), Cisco NX-OS Software 7.0(3)I4(1t), Cisco NX-OS Software 7.0(3)I4(6t), Cisco NX-OS Software 7.0(3)I4(9), Cisco NX-OS Software 7.0(3)I5(1), Cisco NX-OS Software 7.0(3)I5(2), Cisco NX-OS Software 7.0(3)I5(3), Cisco NX-OS Software 7.0(3)I5(3a), Cisco NX-OS Software 7.0(3)I5(3b), Cisco NX-OS Software 7.0(3)I6(1), Cisco NX-OS Software 7.0(3)I6(2), Cisco NX-OS Software 7.0(3)I7(1), Cisco NX-OS Software 7.0(3)I7(2), Cisco NX-OS Software 7.0(3)I7(3), Cisco NX-OS Software 7.0(3)I7(4), Cisco NX-OS Software 7.0(3)I7(5), Cisco NX-OS Software 7.0(3)I7(5a), Cisco NX-OS Software 7.0(3)I7(3z), Cisco NX-OS Software 7.0(3)I7(6), Cisco NX-OS Software 7.0(3)I7(6z), Cisco NX-OS Software 7.0(3)I7(7), Cisco NX-OS Software 7.3(0)D1(1), Cisco NX-OS Software 7.3(0)DX(1), Cisco NX-OS Software 7.3(0)DY(1), Cisco NX-OS Software 7.3(0)N1(1), Cisco NX-OS Software 7.3(0)N1(1b), Cisco NX-OS Software 7.3(0)N1(1a), Cisco NX-OS Software 7.3(1)D1(1), Cisco NX-OS Software 7.3(1)DY(1), Cisco NX-OS Software 7.3(1)N1(1), Cisco NX-OS Software 7.3(2)D1(1), Cisco NX-OS Software 7.3(2)D1(2), Cisco NX-OS Software 7.3(2)D1(3), Cisco NX-OS Software 7.3(2)D1(3a), Cisco NX-OS Software 7.3(2)D1(1d), Cisco NX-OS Software 7.3(2)N1(1), Cisco NX-OS Software 7.3(2)N1(1b), Cisco NX-OS Software 7.3(2)N1(1c), Cisco NX-OS Software 7.3(3)N1(1), Cisco NX-OS Software 8.1(1), Cisco NX-OS Software 8.1(2), Cisco NX-OS Software 8.1(2a), Cisco NX-OS Software 8.1(1a), Cisco NX-OS Software 8.1(1b), Cisco NX-OS Software 8.2(1), Cisco NX-OS Software 8.2(2), Cisco NX-OS Software 8.2(3), Cisco NX-OS Software 8.2(4), Cisco NX-OS Software 8.3(1), Cisco NX-OS Software 8.3(2), Cisco NX-OS Software 9.2(1), Cisco NX-OS Software 9.2(2), Cisco NX-OS Software 9.2(2t), Cisco NX-OS Software 9.2(3), Cisco NX-OS Software 9.2(3y), Cisco NX-OS Software 9.2(4), Cisco NX-OS Software 9.2(2v), Cisco NX-OS Software 7.3(4)N1(1), Cisco NX-OS Software 7.3(4)N1(1a), Cisco NX-OS Software 7.3(3)D1(1), Cisco NX-OS Software 7.0(3)IA7(1), Cisco NX-OS Software 7.0(3)IA7(2), Cisco NX-OS Software 7.0(3)IM7(2), Cisco NX-OS Software 7.3(4)D1(1), Cisco NX-OS Software 7.3(5)N1(1), Cisco NX-OS Software 8.4(1), Cisco NX-OS Software 9.3(1), Cisco NX-OS Software 9.3(1z), Cisco Firepower Extensible Operating System (FXOS) 2.0.1.68, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.201, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.86, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.37, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.135, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.141, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.144, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.148, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.149, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.153, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.159, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.188, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.203, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.204, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.206, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.64, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.73, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.77, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.83, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.85, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.86, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.97, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.106, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.107, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.113, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.115, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.116, Cisco Firepower Extensible Operating System (FXOS) 1.1.1.147, Cisco Firepower Extensible Operating System (FXOS) 1.1.1.160, Cisco Firepower Extensible Operating System (FXOS) 1.1.2.51, Cisco Firepower Extensible Operating System (FXOS) 1.1.2.178, Cisco Firepower Extensible Operating System (FXOS) 1.1.3.84, Cisco Firepower Extensible Operating System (FXOS) 1.1.3.86, Cisco Firepower Extensible Operating System (FXOS) 1.1.3.97, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.95, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.117, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.140, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.169, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.175, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.178, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.179, Cisco Firepower Extensible Operating System (FXOS) 2.2.1.63, Cisco Firepower Extensible Operating System (FXOS) 2.2.1.66, Cisco Firepower Extensible Operating System (FXOS) 2.2.1.70, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.17, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.19, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.24, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.26, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.28, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.54, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.60, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.71, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.83, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.86, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.91, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.97, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.101, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.99, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.93, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.91, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.88, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.75, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.73, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.66, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.58, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.130, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.111, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.110, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.144, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.145, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.155, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.166, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.101, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.214, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.222, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.234, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.238, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.244, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.249, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.252, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.131, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.157, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.166, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.169, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.174, Cisco Firepower Extensible Operating System (FXOS) 2.7.1.92, Cisco Firepower Extensible Operating System (FXOS) 2.7.1.98, Cisco NX-OS System Software in ACI Mode 13.2(1l), Cisco NX-OS System Software in ACI Mode 13.2(1m), Cisco NX-OS System Software in ACI Mode 13.2(2l), Cisco NX-OS System Software in ACI Mode 13.2(2o), Cisco NX-OS System Software in ACI Mode 13.2(3i), Cisco NX-OS System Software in ACI Mode 13.2(3n), Cisco NX-OS System Software in ACI Mode 13.2(3o), Cisco NX-OS System Software in ACI Mode 13.2(3r), Cisco NX-OS System Software in ACI Mode 13.2(4d), Cisco NX-OS System Software in ACI Mode 13.2(4e), Cisco NX-OS System Software in ACI Mode 13.2(3j), Cisco NX-OS System Software in ACI Mode 13.2(3s), Cisco NX-OS System Software in ACI Mode 13.2(5d), Cisco NX-OS System Software in ACI Mode 13.2(5e), Cisco NX-OS System Software in ACI Mode 13.2(5f), Cisco NX-OS System Software in ACI Mode 13.2(6i), Cisco NX-OS System Software in ACI Mode 13.2(41d), Cisco NX-OS System Software in ACI Mode 13.2(7f), Cisco NX-OS System Software in ACI Mode 13.2(7k), Cisco NX-OS System Software in ACI Mode 14.0(1h), Cisco NX-OS System Software in ACI Mode 14.0(2c), Cisco NX-OS System Software in ACI Mode 14.0(3d), Cisco NX-OS System Software in ACI Mode 14.0(3c), Cisco NX-OS System Software in ACI Mode 14.1(1i), Cisco NX-OS System Software in ACI Mode 14.1(1j), Cisco NX-OS System Software in ACI Mode 14.1(1k), Cisco NX-OS System Software in ACI Mode 14.1(1l), Cisco NX-OS System Software in ACI Mode 14.1(2g), Cisco NX-OS System Software in ACI Mode 14.1(2m), Cisco NX-OS System Software in ACI Mode 14.1(2o), Cisco NX-OS System Software in ACI Mode 14.1(2s), Cisco NX-OS System Software in ACI Mode 14.1(2u), Cisco NX-OS System Software in ACI Mode 14.1(2w), Cisco NX-OS System Software in ACI Mode 14.2(1i), Cisco Firepower Extensible Operating System (FXOS), Cisco NX-OS Software, Cisco NX-OS System Software in ACI Mode, Cisco MDS 9000 Multilayer Directors and Fabric Switches, Cisco Nexus 7000 Series Switches, Cisco Nexus 5000 Series Switches, Cisco Nexus 3000 Series Switches, Cisco Nexus 6000 Series Switches, Cisco Nexus 9000 Series Switches

Related Products

Product CVE Evidence
Firepower Extensible Operating System CVE-2020-3120 Cisco OpenVuln
Cisco Unified Computing System (Managed) CVE-2020-3120 Cisco OpenVuln
Cisco Nexus 9000 Series Switches CVE-2020-3120 Cisco OpenVuln
Cisco Nexus 7000 Series Switches CVE-2020-3120 Cisco OpenVuln
Cisco Nexus 6000 Series Switches CVE-2020-3120 Cisco OpenVuln
Cisco Nexus 5000 Series Switches CVE-2020-3120 Cisco OpenVuln
Cisco Nexus 3000 Series Switches CVE-2020-3120 Cisco OpenVuln
Cisco Nexus 3000 Series Switch CVE-2020-3120 Cisco OpenVuln
Cisco NX-OS System Software in ACI Mode CVE-2020-3120 Cisco OpenVuln
Cisco NX-OS Software CVE-2020-3120 Cisco OpenVuln
Cisco MDS 9000 Multilayer Directors and Fabric Switches CVE-2020-3120 Cisco OpenVuln
Cisco IOS XR Software CVE-2020-3120 Cisco OpenVuln
Cisco IOS CVE-2020-3120 Cisco OpenVuln
Cisco Firepower Extensible Operating System (FXOS) CVE-2020-3120 Cisco OpenVuln
Cisco Firepower Extensible Operating System CVE-2020-3120 Cisco OpenVuln