Vulnslist

Cisco product, release, and evidence lookup

Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability

cisco-sa-20200205-nxos-cdp-rce · High · Published · Updated

Data: Cisco advisories · Cisco CSAF · NVD CVEs · NVD CPEs · CISA KEV · EPSS

A vulnerability in the Cisco Discovery Protocol implementation for Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability exists because the Cisco Discovery Protocol parser does not properly validate input for certain fields in a Cisco Discovery Protocol message. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. An successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.
However, customers who do not use Cisco Discovery Protocol can disable it either globally to fully close the attack vector or on individual interfaces to reduce the attack surface. Disable Cisco Discovery Protocol Globally on Cisco Nexus Switches That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in global configuration mode, as shown in the following example:

nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# no cdp enable
nxos(config)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.
Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol on an interface on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in interface configuration mode, as shown in the following example:

nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z.
nxos(config)# interface Ethernet1/1
nxos(config-if)# no cdp enable
nxos(config-if)# end
nxos# copy running-config startup-config
[########################################] 100%
Copy complete.

CVEsCVE-2020-3119
Cisco Bug IDsCSCvr09175 , CSCvr09531
CVSS ScoreBase 8.8
Base 8.8 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Products with public affected evidence

Product CVE Affected evidence
Cisco Nexus 3000 Series Switches CVE-2020-3119 structured affected CSAF product_status
Cisco Nexus 9000 Series Switches CVE-2020-3119 structured affected CSAF product_status