UPDATED 15:19 EDT / FEBRUARY 05 2020

SECURITY

‘Virtually all’ Cisco devices vulnerable to critical new CDPwn exploits

Cybersecurity provider Armis Security Inc. has discovered critical vulnerabilities in a Cisco Systems Inc. networking protocol that could enable hackers to target tens of millions of enterprise devices worldwide, from data center switches to conference phones.

The flaws were disclosed today just as Cisco started releasing fixes for its devices. But it may take some time before enterprises are fully protected, since many of the vulnerable systems don’t have an automatic patching mechanism and need to be updated manually.

The flaws, collectively dubbed CDPwn by Armis, lurk in a piece of software called the Cisco Discovery Protocol. It’s a technology that according to Armis ships with “virtually” all Cisco hardware and is used by administrators to identify devices on the corporate network. The newly disclosed flaws enable hackers to exploit the protocol in order to hijack those very same Cisco devices.

“Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities while one is a Denial of Service (DoS) vulnerability,” Armis researchers detailed in a report today. All five follow the same basic pattern when it comes to the method of exploitation.

Corporate networks are typically divided into segments that are isolated from one another to keep important hardware secure. A common practice is to attach company-owned devices such as workstations to one segment and less secure devices, for instance employee-owned phones, to another. In a network vulnerable to CDPwn, a hacker would need to gain control of just one insecure employee phone or other poorly configured device to launch attacks.

The exploit involves sending a malicious packet over the Cisco Discovery Protocol to the target device. One scenario Armis warns of is an attack in which hackers breach the switch that controls a network in order to gain full access to data traffic and jump between segments.

“The switch is in a prime position to eavesdrop on network traffic that traverses through the switch, and it can even be used to launch man-in-the-middle attacks on the traffic of devices that traverses through the switch,” Armis’ researchers wrote. “Additionally, a switch is the ultimate hiding position for an attacker — it is a relatively unsecured device, that doesn’t allow any security agent on it.”

On top of backend network devices, Cisco IP phones and surveillance cameras are vulnerable as well, which means that a hacker could potentially exploit CDPwn to spy on sensitive conversations.

“Unlike switches, these devices hold sensitive data directly, and the reason to take them over can be a goal of an attacker, and not merely a way to break out of segmentation,” the researchers explained.

Other affected products include Cisco firewall appliances and routers. The exact number of vulnerable devices deployed in the field may be difficult to assess, but on the positive side, the networking giant said that it has not yet detected any attempts to exploit the flaws. “We are not aware of any malicious use of the described vulnerabilities,” a company spokesperson said.

Photo: Cisco
