-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0424.10
   Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution
                               Vulnerability
                               21 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco NX-OS
                   Cisco IOS XR
                   Cisco FXOS
                   Cisco IP Phone
                   Cisco Video Surveillance 8000 Series IP Camera
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3120 CVE-2020-3119 CVE-2020-3118 CVE-2020-3111
                   CVE-2020-3110

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos

Revision History:
   October 21 2020:  Vendor updated cisco-sa-20200205-iosxr-cdp-rce confirming
                     exploits observed
   February 25 2020: Vendor updated fixed software details in advisory
                     cisco-sa-20200205-fxnxos-iosxr-cdp-dos
   February 21 2020: Vendor updated advisory:
                     cisco-sa-20200205-voip-phones-rce-dos
   February 17 2020: Vendor updated advisories cisco-sa-20200205-nxos-cdp-rce
                     and cisco-sa-20200205-voip-phones-rce-dos - re list of
                     not vulnerable products and available fixes
   February 13 2020: Revised cisco-sa-20200205-nxos-cdp-rce to version 1.3:
                     Updated that Cisco UCS Fabric Interconnects are not
                     vulnerable
   February 12 2020: Revised advisory cisco-sa-20200205-nxos-cdp-rce to
                     version 1.2: Updated information on Nexus 3000 and 9000
                     series switches
   February 12 2020: CVE-2020-3118 - Revised to version 1.1; Added the Cisco
                     Unified IP Phone 7900 as not vulnerable
   February 10 2020: Advisory "fxnxos-iosxr-cdp-dos" revised to version 1.2;
                     removed FXOS 2.5 and updated Vulnerable Products and
                     Workarounds sections.
   February 7 2020:  cisco-sa-20200205-nxos-cdp-rce: Corrected information on
                     Cisco UCS Fabric Interconnects
                     cisco-sa-20200205-fxnxos-iosxr-cdp-dos: Corrected
                     information on Cisco FXOS and Cisco UCS Fabric
                     Interconnects
   February 6 2020:  Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20200205-nxos-cdp-rce
First Published: 2020 February 5 16:00 GMT
Last Updated:    2020 February 14 20:08 GMT
Version 1.4:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr09175 CSCvr09531
CVE-2020-3119    CWE-787
CVSS Score:      8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Discovery Protocol implementation for Cisco
    NX-OS Software could allow an unauthenticated, adjacent attacker to
    execute arbitrary code or cause a reload on an affected device.

    The vulnerability exists because the Cisco Discovery Protocol parser does
    not properly validate input for certain fields in a Cisco Discovery
    Protocol message. An attacker could exploit this vulnerability by sending
    a malicious Cisco Discovery Protocol packet to an affected device. A
    successful exploit could allow the attacker to cause a stack overflow,
    which could allow the attacker to execute arbitrary code with
    administrative privileges on an affected device.

    Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
    vulnerability, an attacker must be in the same broadcast domain as the
    affected device (Layer 2 adjacent).
    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they have
    Cisco Discovery Protocol enabled both globally and on at least one
    interface and if they are running a vulnerable release of Cisco NX-OS
    Software:

       Nexus 3000 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric
       Infrastructure (ACI) mode
       Nexus 9000 Series Switches in standalone NX-OS mode

    Note: Cisco Discovery Protocol is enabled on these products by default
    both globally and on all interfaces.

    For information about which Cisco NX-OS Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determine the Status of Cisco Discovery Protocol for Cisco Nexus Switches
    That Are Running Cisco NX-OS Software

    Administrators can determine whether Cisco Discovery Protocol is enabled
    on a device by using the show running-config cdp all | include "cdp
    enable" command in the device CLI. If the command returns at least the
    following lines, Cisco Discovery Protocol is enabled globally and on at
    least one interface:

       nxos# show running-config cdp all | include "cdp enable"
       cdp enable
       cdp enable

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.
    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 1000 Series
       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       MDS 9000 Series Multilayer Switches
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 5500 Platform Switches ^1
       Nexus 5600 Platform Switches ^1
       Nexus 6000 Series Switches ^1
       Nexus 7000 Series Switches
       UCS 6200 Series Fabric Interconnects ^1
       UCS 6300 Series Fabric Interconnects ^1
       UCS 6400 Series Fabric Interconnects ^1

    1. Earlier versions of this security advisory reported Nexus 5500
       Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series
       Switches, and UCS 6200 Series, 6300 Series, and 6400 Series Fabric
       Interconnects as affected by this vulnerability. This information was
       incorrect.

    Cisco has also confirmed that this vulnerability does not affect Cisco
    IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software.

Workarounds

  o There are no workarounds that address this vulnerability. However,
    customers who do not use Cisco Discovery Protocol can disable it either
    globally to fully close the attack vector or on individual interfaces to
    reduce the attack surface.

    Disable Cisco Discovery Protocol Globally on Cisco Nexus Switches That
    Are Running Cisco NX-OS Software

    To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that
    are running Cisco NX-OS Software, administrators can use the no cdp
    enable command in global configuration mode, as shown in the following
    example:

       nxos# conf t
       Enter configuration commands, one per line. End with CNTL/Z.
       nxos(config)# no cdp enable
       nxos(config)# end
       nxos# copy running-config startup-config
       [########################################] 100%
       Copy complete.
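    Choosing between the global and the per-interface workaround requires
    knowing where Cisco Discovery Protocol is currently enabled on each
    switch. The following Python script is an added example, not part of the
    Cisco advisory: it applies the advisory's condition (enabled globally AND
    on at least one interface) to saved "show running-config cdp all" output.
    The sample outputs, the hostnames and the layout of the global and
    per-interface lines are constructed assumptions, since the advisory only
    shows the two "cdp enable" lines returned by its include filter.

```python
"""Classify Nexus switches by Cisco Discovery Protocol exposure.

Added example (not part of the Cisco advisory). Input is the text of
`show running-config cdp all` saved from each switch.
"""
import re
from dataclasses import dataclass, field

# Constructed sample output from two hypothetical switches. Assumption:
# global CDP lines appear unindented, per-interface lines appear indented
# under an `interface` stanza, and a disabled state is shown as `no cdp enable`.
SAMPLE_OUTPUTS = {
    "leaf-1": """\
!Command: show running-config cdp all
version 7.0(3)I7(6)
cdp enable
cdp advertise v2
cdp holdtime 180
cdp timer 60

interface Ethernet1/1
  cdp enable

interface Ethernet1/2
  no cdp enable

interface mgmt0
  cdp enable
""",
    "leaf-2": """\
!Command: show running-config cdp all
version 9.3(2)
no cdp enable
cdp advertise v2

interface Ethernet1/1
  cdp enable

interface Ethernet1/2
  cdp enable
""",
}


@dataclass
class CdpStatus:
    global_enabled: bool = False
    enabled_interfaces: list = field(default_factory=list)
    disabled_interfaces: list = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # The advisory's condition: enabled globally AND on at least one interface.
        return self.global_enabled and bool(self.enabled_interfaces)


def parse_cdp_config(text: str) -> CdpStatus:
    """Walk the config once, tracking whether we are in the global section
    or inside an interface stanza, and record the CDP state of each."""
    status = CdpStatus()
    current_if = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current_if = m.group(1)
            continue
        stripped = line.strip()
        # Exact comparison: a `no cdp enable` line must not count as enabled.
        # A substring filter such as `| include "cdp enable"` matches both.
        if stripped == "cdp enable":
            if current_if is None:
                status.global_enabled = True
            else:
                status.enabled_interfaces.append(current_if)
        elif stripped == "no cdp enable" and current_if is not None:
            status.disabled_interfaces.append(current_if)
    return status


def include_filter_matches(text: str) -> int:
    """Number of lines the advisory's `| include "cdp enable"` filter would
    return, i.e. lines containing the substring (including `no cdp enable`)."""
    return sum(1 for line in text.splitlines() if "cdp enable" in line)


def assess(outputs: dict) -> dict:
    """Map hostname -> True when the switch meets the advisory's CDP condition."""
    return {host: parse_cdp_config(out).exposed for host, out in outputs.items()}
```

    On a switch whose output contains "no cdp enable" lines, the structured
    parse and the raw line count from the include filter can disagree, so
    the parse is the safer basis for deciding which workaround to apply.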
    Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches
    That Are Running Cisco NX-OS Software

    To disable Cisco Discovery Protocol on an interface on Cisco Nexus
    Switches that are running Cisco NX-OS Software, administrators can use
    the no cdp enable command in interface configuration mode, as shown in
    the following example:

       nxos# conf t
       Enter configuration commands, one per line. End with CNTL/Z.
       nxos(config)# interface Ethernet1/1
       nxos(config-if)# no cdp enable
       nxos(config-if)# end
       nxos# copy running-config startup-config
       [########################################] 100%
       Copy complete.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect
    support for software versions and feature sets for which they have
    purchased a license. By installing, downloading, accessing, or otherwise
    using such software upgrades, customers agree to follow the terms of the
    Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software
    releases. The right column indicates whether a release is affected by
    the vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability.

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvr09175

       Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
       Earlier than 7.0(3)I7          Not vulnerable
       7.0(3)I7                       7.0(3)I7(8) (Feb 2020) or appropriate SMU ^1
       7.0(3)F ^2                     Not vulnerable
       9.2                            9.3(2)
       9.3                            9.3(2)

    1. The SMUs that are available for Cisco NX-OS Software releases
       7.0(3)I7(5a), 7.0(3)I7(6), and 7.0(3)I7(7) fix this vulnerability
       (CSCvr09175). They also fix the vulnerability (CSCvr14976) that is
       described in the advisory Cisco FXOS, IOS XR, and NX-OS Software
       Cisco Discovery Protocol Denial of Service Vulnerability. The SMU
       filename follows this format:
       CSCvr09175-n9k_ALL-1.0.0-<nx-os_release>.lib32_n9000.rpm
    2. The Cisco NX-OS Software 7.0(3)F train runs only on Cisco Nexus 3600
       Platform Switches and the Nexus 9500 R-Series Switching Platform and
       is no longer maintained. Customers are advised to migrate to Cisco
       NX-OS Software Release 9.2 or later.
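    As an added example (not part of the Cisco advisory), the following
    Python transcribes the table above and its SMU footnote into a lookup
    that classifies an NX-OS release string for CSCvr09175. The
    release-string grammar (major.minor(maintenance)<platform><n>(rebuild))
    and the dotted SMU name for the two releases other than 7.0(3)I7(6) are
    assumptions; the advisory only shows the 7.0(3)I7(6) filename.

```python
"""CSCvr09175 exposure lookup for Cisco NX-OS release strings.

Added example (not part of the Cisco advisory). FIRST_FIXED transcribes the
'Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode' table; the release grammar below is an assumption.
"""
import re
from typing import Optional

# Assumed grammar: 7.0(3)I7(5a), 7.0(3)F3(4), 9.3(2), 7.0(3)I7
_RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)"
    r"(?:(?P<plat>[A-Z])(?P<platnum>\d+)?(?:\((?P<rebuild>\d+)(?P<suffix>[a-z]?)\))?)?$"
)

# Train -> first fixed release. None means the table lists the train as not vulnerable.
FIRST_FIXED = {
    "7.0(3)I7": "7.0(3)I7(8)",  # or the appropriate SMU, per footnote 1
    "7.0(3)F": None,
    "9.2": "9.3(2)",
    "9.3": "9.3(2)",
}

# Releases for which footnote 1 says a hot-patch SMU exists.
SMU_RELEASES = {"7.0(3)I7(5a)", "7.0(3)I7(6)", "7.0(3)I7(7)"}


def parse_release(release: str) -> tuple:
    """Turn '7.0(3)I7(5a)' into a sortable tuple (7, 0, 3, 'I', 7, 5, 'a')."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS release string: {release!r}")
    g = m.groupdict()
    return (
        int(g["major"]), int(g["minor"]), int(g["maint"]),
        g["plat"] or "", int(g["platnum"] or 0),
        int(g["rebuild"] or 0), g["suffix"] or "",
    )


def train_of(release: str) -> str:
    """Map a release to the train names used in the advisory's table."""
    major, minor, maint, plat, platnum, _, _ = parse_release(release)
    if plat == "F":
        return f"{major}.{minor}({maint})F"
    if plat:
        return f"{major}.{minor}({maint}){plat}{platnum}"
    return f"{major}.{minor}"


def first_fixed(release: str) -> Optional[str]:
    """First fixed release for the train, or None when the table says
    'Not vulnerable'. Raises ValueError for trains the table does not list."""
    key = parse_release(release)
    if key[:5] < (7, 0, 3, "I", 7):  # 'Earlier than 7.0(3)I7': not vulnerable
        return None
    train = train_of(release)
    if train not in FIRST_FIXED:
        raise ValueError(f"train {train} is not in the advisory table")
    return FIRST_FIXED[train]


def is_vulnerable(release: str) -> bool:
    fixed = first_fixed(release)
    return fixed is not None and parse_release(release) < parse_release(fixed)


def smu_filename(release: str) -> Optional[str]:
    """Hot-patch SMU name for the three releases that have one.
    Assumption: the dotted rendering shown for 7.0(3)I7(6) applies to all three."""
    if release not in SMU_RELEASES:
        return None
    dotted = release.replace("(", ".").replace(")", ".").rstrip(".")
    return f"CSCvr09175-n9k_ALL-1.0.0-{dotted}.lib32_n9000.rpm"


def report(release: str) -> dict:
    """Summarise one release in a form a fleet inventory can consume."""
    return {
        "release": release,
        "train": train_of(release),
        "vulnerable": is_vulnerable(release),
        "first_fixed": first_fixed(release),
        "smu": smu_filename(release),
    }
```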
    SMU Installation Instructions

    To download the SMUs from the Software Center on Cisco.com, do the
    following:

    1. Click Browse All.
    2. Choose IOS and NX-OS Software > NX-OS > NX-OS Software > Switches >
       Data Center Switches.
    3. Choose the appropriate product and model.
    4. Choose NX-OS Software Maintenance Upgrades (SMU).
    5. Choose a release from the left pane of the appropriate product page.

    Note: The SMU filename follows this format:
    CSCvr09175-n9k_ALL-1.0.0-<NX-OS_Release>.lib32_n9000.rpm
    For example, the SMU filename for Cisco NX-OS Software Release
    7.0(3)I7(6) is CSCvr09175-n9k_ALL-1.0.0-7.0.3.I7.6.lib32_n9000.rpm

    To install the appropriate SMU, copy the SMU to the Bootflash: file
    system for the switch and execute the following commands, which activate
    the fix right away (this is a hot patch):

    1. install add bootflash:<SMU_filename> activate
    2. install commit

    The following example shows the commands for installing the SMU for
    Cisco NX-OS Software Release 7.0(3)I7(6):

       nx-os# install add bootflash:CSCvr09175-n9k_ALL-1.0.0-7.0.3.I7.6.lib32_n9000.rpm activate
       nx-os# install commit

    Note: These instructions apply to only this particular type of SMU.

    Nexus 9000 Series Fabric Switches in ACI Mode: CSCvr09531

       Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
       Earlier than 13.1              Not vulnerable
       13.1                           Not vulnerable
       13.2                           Not vulnerable
       14.0                           14.2(1j)
       14.1                           14.2(1j)
       14.2                           14.2(1j)

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.
       Cisco MDS Series Switches
       Cisco Nexus 1000V for VMware Switch
       Cisco Nexus 3000 Series Switches
       Cisco Nexus 5500 Platform Switches
       Cisco Nexus 5600 Platform Switches
       Cisco Nexus 6000 Series Switches
       Cisco Nexus 7000 Series Switches
       Cisco Nexus 9000 Series Switches
       Cisco Nexus 9000 Series ACI-Mode Switches

    To determine the best release for Cisco UCS, see the Recommended
    Releases documents in the release notes for the device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of
    public announcements about this vulnerability. Cisco PSIRT is not aware
    of any malicious use of the vulnerability that is described in this
    advisory.

Source

  o Cisco would like to thank Barak Hadad of Armis for reporting this
    vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce

Revision History

  o +---------+----------------------------------+----------------------+--------+------------------+
    | Version | Description                      | Section              | Status | Date             |
    +---------+----------------------------------+----------------------+--------+------------------+
    | 1.4     | Updated that Cisco Nexus 5500    | Vulnerable Products, | Final  | 2020-February-14 |
    |         | Platform Switches, Nexus 5600    | Products Confirmed   |        |                  |
    |         | Platform Switches and Nexus 6000 | Not Vulnerable,      |        |                  |
    |         | Series Switches are not affected | Fixed Software       |        |                  |
    |         | by this vulnerability.           |                      |        |                  |
    +---------+----------------------------------+----------------------+--------+------------------+
    | 1.3     | Updated that Cisco UCS Fabric    | Vulnerable Products, | Final  | 2020-February-12 |
    |         | Interconnects are not affected   | Products Confirmed   |        |                  |
    |         | by this vulnerability.           | Not Vulnerable,      |        |                  |
    |         |                                  | Workarounds, Fixed   |        |                  |
    |         |                                  | Software             |        |                  |
    +---------+----------------------------------+----------------------+--------+------------------+
    | 1.2     | Updated information on           | Fixed Software       | Final  | 2020-February-11 |
    |         | vulnerable releases for Nexus    |                      |        |                  |
    |         | 3000 Series Switches and Nexus   |                      |        |                  |
    |         | 9000 Series Switches.            |                      |        |                  |
    +---------+----------------------------------+----------------------+--------+------------------+
    | 1.1     | Corrected information around     | Vulnerable Products, | Final  | 2020-February-06 |
    |         | when Cisco UCS Fabric            | Workarounds          |        |                  |
    |         | Interconnects are vulnerable and |                      |        |                  |
    |         | mitigation options for Cisco UCS |                      |        |                  |
    |         | Fabric Interconnects.            |                      |        |                  |
    +---------+----------------------------------+----------------------+--------+------------------+
    | 1.0     | Initial public release.          | -                    | Final  | 2020-February-05 |
    +---------+----------------------------------+----------------------+--------+------------------+

- --------------------------------------------------------------------------------

Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20200205-fxnxos-iosxr-cdp-dos
First Published: 2020 February 5 16:00 GMT
Last Updated:    2020 February 21 20:46 GMT
Version 1.3:     Interim
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr14976 CSCvr15024 CSCvr15072 CSCvr15073 CSCvr15078
                 CSCvr15079 CSCvr15082 CSCvr15083 CSCvr15111
CVE-2020-3120    CWE-190
CVSS Score:      7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Discovery Protocol implementation for Cisco
    FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could
    allow an unauthenticated, adjacent attacker to cause a reload of an
    affected device, resulting in a denial of service (DoS) condition.

    The vulnerability is due to a missing check when the affected software
    processes Cisco Discovery Protocol messages. An attacker could exploit
    this vulnerability by sending a malicious Cisco Discovery Protocol packet
    to an affected device. A successful exploit could allow the attacker to
    exhaust system memory, causing the device to reload.

    Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this
    vulnerability, an attacker must be in the same broadcast domain as the
    affected device (Layer 2 adjacent).

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they have
    Cisco Discovery Protocol enabled both globally and on at least one
    interface and if they are running a vulnerable release of Cisco FXOS,
    IOS XR (32-bit or 64-bit), or NX-OS Software:

       ASR 9000 Series Aggregation Services Routers
       Carrier Routing System (CRS)
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       IOS XRv 9000 Router
       MDS 9000 Series Multilayer Switches
       Network Convergence System (NCS) 540 Series Routers
       Network Convergence System (NCS) 560 Series Routers
       Network Convergence System (NCS) 1000 Series
       Network Convergence System (NCS) 5000 Series
       Network Convergence System (NCS) 5500 Series
       Network Convergence System (NCS) 6000 Series
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 3000 Series Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric
       Infrastructure (ACI) mode
       Nexus 9000 Series Switches in standalone NX-OS mode
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

    This vulnerability also affects third-party white box routers if they
    have Cisco Discovery Protocol enabled both globally and on at least one
    interface and if they are running a vulnerable release of Cisco IOS XR
    Software.

    Note: Cisco Discovery Protocol is disabled by default in Cisco IOS XR
    Software. Cisco Discovery Protocol is enabled by default both globally
    and on all interfaces in Cisco FXOS and NX-OS Software.

    For information about which Cisco FXOS, IOS XR, and NX-OS Software
    releases are vulnerable, see the Fixed Software section of this
    advisory.
    Determine the Status of Cisco Discovery Protocol for Cisco FXOS Software

    Cisco Discovery Protocol is always enabled on the management (mgmt0)
    port. In Cisco FXOS Software releases earlier than 2.1, Cisco Discovery
    Protocol is always enabled on all front-panel ports as well.

    Determine the Status of Cisco Discovery Protocol for Cisco IOS XR
    Software

    Administrators can determine whether Cisco Discovery Protocol is enabled
    on a device by using the show running-config | include cdp command in
    the device CLI. If the command returns at least the following lines,
    Cisco Discovery Protocol is enabled globally and on at least one
    interface:

       RP/0/RP0/CPU0:ios#show running-config | include cdp
       Mon Dec  2 17:00:27.921 UTC
       Building configuration...
       cdp
        cdp
       .
       .
       .

    Determine the Status of Cisco Discovery Protocol on Cisco Nexus Switches
    That Are Running Cisco NX-OS Software

    Administrators can determine whether Cisco Discovery Protocol is enabled
    on a device by using the show running-config cdp all | include "cdp
    enable" command in the device CLI. If the command returns at least the
    following lines, Cisco Discovery Protocol is enabled globally and on at
    least one interface:

       nxos# show running-config cdp all | include "cdp enable"
       cdp enable
       cdp enable

    Determine the Status of Cisco Discovery Protocol on Cisco UCS Fabric
    Interconnects

    Cisco Discovery Protocol is always enabled on Ethernet uplink ports
    (network interfaces that connect to upstream switches for network
    connectivity), Ethernet port channel members, FCoE uplink ports, and
    management ports. Administrators can determine whether Cisco Discovery
    Protocol is also enabled on server ports (interfaces that are presented
    to the servers in the Cisco UCS Manager domain) and appliance ports
    (interfaces that connect to directly attached NFS storage) on a device
    by using the show configuration | egrep "^ scope|enable cdp" command in
    the device CLI.
    If the command returns the enable cdp command under the org scope, Cisco
    Discovery Protocol is enabled on server ports, and if the command
    returns enable cdp under the eth-storage scope, Cisco Discovery Protocol
    is enabled on appliance ports, as shown in the following example:

       ucs-fi# show configuration | egrep "^ scope|enable cdp"
       .
       .
       .
        scope org
           enable cdp
       .
       .
       .
        scope eth-storage
           enable cdp
       .
       .
       .

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 1000 Series
       Firepower 2100 Series
       Network Convergence System (NCS) 520 Series Routers

    Cisco has also confirmed that this vulnerability does not affect Cisco
    IOS Software or Cisco IOS XE Software.

Workarounds

  o There are no workarounds that address this vulnerability. However,
    customers who do not use the Cisco Discovery Protocol feature can
    disable it either globally to fully close the attack vector or on
    individual interfaces to reduce the attack surface.

    Disable Cisco Discovery Protocol in Cisco FXOS Software

    Cisco Discovery Protocol is always enabled and cannot be disabled in
    Cisco FXOS Software. In Cisco FXOS Software releases 2.1 and later,
    Cisco Discovery Protocol is enabled on the management (mgmt0) port only.
    Disable Cisco Discovery Protocol Globally in Cisco IOS XR Software

    To disable Cisco Discovery Protocol globally on devices running Cisco
    IOS XR Software, administrators can use the no cdp command in global
    configuration mode, as shown in the following example:

       RP/0/RP0/CPU0:ios#conf t
       Mon Dec  2 17:58:08.556 UTC
       RP/0/RP0/CPU0:ios(config)#no cdp
       RP/0/RP0/CPU0:ios(config)#exit
       Uncommitted changes found, commit them before exiting(yes/no/cancel) [cancel]:yes

    Disable Cisco Discovery Protocol on an Interface in Cisco IOS XR Software

    To disable Cisco Discovery Protocol on a particular interface on a
    particular device that is running Cisco IOS XR Software, administrators
    can use the no cdp command in interface configuration mode, as shown in
    the following example:

       RP/0/RP0/CPU0:ios#conf t
       Mon Dec  2 18:00:08.622 UTC
       RP/0/RP0/CPU0:ios(config)#interface GigabitEthernet0/0/0/0
       RP/0/RP0/CPU0:ios(config-if)#no cdp
       RP/0/RP0/CPU0:ios(config-if)#end
       Uncommitted changes found, commit them before exiting(yes/no/cancel) [cancel]:yes

    Disable Cisco Discovery Protocol Globally on Cisco Nexus Switches That
    Are Running Cisco NX-OS Software

    To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that
    are running Cisco NX-OS Software, administrators can use the no cdp
    enable command in global configuration mode, as shown in the following
    example:

       nxos# conf t
       Enter configuration commands, one per line. End with CNTL/Z.
       nxos(config)# no cdp enable
       nxos(config)# end
       nxos# copy running-config startup-config
       [########################################] 100%
       Copy complete.

    Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches
    That Are Running Cisco NX-OS Software

    To disable Cisco Discovery Protocol on an interface on Cisco Nexus
    Switches that are running Cisco NX-OS Software, administrators can use
    the no cdp enable command in interface configuration mode, as shown in
    the following example:

       nxos# conf t
       Enter configuration commands, one per line. End with CNTL/Z.
       nxos(config)# interface Ethernet1/1
       nxos(config-if)# no cdp enable
       nxos(config-if)# end
       nxos# copy running-config startup-config
       [########################################] 100%
       Copy complete.

    Disable Cisco Discovery Protocol on Cisco UCS Fabric Interconnects

    Cisco Discovery Protocol cannot be disabled completely on Cisco UCS
    Fabric Interconnects. Cisco Discovery Protocol can be disabled on server
    ports and appliance ports on Cisco UCS Fabric Interconnects, but it
    cannot be disabled on Ethernet uplink ports, Ethernet port channel
    members, FCoE uplink ports, or management ports.

    To disable Cisco Discovery Protocol on the server ports of a Cisco UCS
    Fabric Interconnect, administrators can use the disable cdp command in
    the default nw-ctrl-policy in the org scope, as shown in the following
    example:

       ucs-fi# scope org
       ucs-fi /org # enter nw-ctrl-policy default
       ucs-fi /org/nw-ctrl-policy # disable cdp
       ucs-fi /org/nw-ctrl-policy* # exit
       ucs-fi /org* # exit
       ucs-fi* # commit-buffer
       ucs-fi#

    To disable Cisco Discovery Protocol on the appliance ports of a Cisco
    UCS Fabric Interconnect, administrators can use the disable cdp command
    in the default nw-ctrl-policy in the eth-storage scope, as shown in the
    following example:

       ucs-fi* # scope eth-storage
       ucs-fi /eth-storage* # enter nw-ctrl-policy default
       ucs-fi /eth-storage/nw-ctrl-policy* # disable cdp
       ucs-fi /eth-storage/nw-ctrl-policy* # exit
       ucs-fi /eth-storage* # exit
       ucs-fi* # commit-buffer
       ucs-fi#

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect
    support for software versions and feature sets for which they have
    purchased a license.
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software
    releases.
    The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability.

    Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvr15083

       Cisco FXOS Software Release   First Fixed Release for This Vulnerability
       Earlier than 2.2              Migrate to a fixed release
       2.2                           Migrate to a fixed release
       2.3                           2.3.1.173
       2.4                           Release no. TBD (May 2020)
       2.6                           2.6.1.187
       2.7                           2.7.1.106

    Note: In Cisco FXOS Software releases 2.1 and later, this vulnerability
    is exploitable only via the management (mgmt0) port. In these releases
    Cisco Discovery Protocol is never actually enabled on front-panel ports,
    even if it is configured.

    IOS XR Software: CSCvr15024

       Cisco IOS XR Software Release   First Fixed Release for This Vulnerability
       Earlier than 6.6                Appropriate SMU
       6.6 ^1                          6.6.3 or appropriate SMU
       7.0                             7.0.2 (Mar 2020) or appropriate SMU
       7.1                             Not vulnerable

    1. Customers who are running Cisco IOS XR Software Release 6.6 on white
       box routers are advised to upgrade to Release 6.6.12 and then install
       the software maintenance upgrade (SMU). Customers who are running
       Cisco IOS XR Software Release 6.6 on other platforms are advised to
       upgrade to Cisco IOS XR Software Release 6.6.3.

    The following SMUs are also available for Cisco IOS XR Software:

       Cisco IOS XR Software Release   Platform    SMU Name
       5.2.5                           NCS6K       ncs6k-5.2.5.CSCvr78185
       6.4.2                           ASR9K-PX    asr9k-px-6.4.2.CSCvr78185
                                       CRS-PX      hfr-px-6.4.2.CSCvr78185
       6.5.3                           ASR9K-PX    asr9k-px-6.5.3.CSCvr78185
                                       ASR9K-X64   asr9k-x64-6.5.3.CSCvr78185
                                       NCS540      ncs540-6.5.3.CSCvr78185
                                       NCS560      ncs560-6.6.25.CSCvr78185
                                       NCS5K       ncs5k-6.5.3.CSCvr78185
                                       NCS5500     ncs5500-6.5.3.CSCvr78185
                                       XRV9K       xrv9k-6.5.3.CSCvr78185
       6.6.12                          White box   iosxrwbd-6.6.12.CSCvr78185
       6.6.25                          NCS560      ncs560-6.6.25.CSCvr78185
       7.0.1                           NCS540L     ncs540l-7.0.1.CSCvr78185

    For details on where to download and how to install SMUs in Cisco IOS XR
    Software, see the IOS XR Software Maintenance Updates (SMUs) guide.
MDS 9000 Series Multilayer Switches: CSCvr15073 Cisco NX-OS Software Release First Fixed Release for This Vulnerability 5.2 6.2(29) 6.2 6.2(29) 7.3 8.4(1a) 8.1 8.4(1a) 8.2 8.4(1a) 8.3 8.4(1a) 8.4 8.4(1a) Nexus 1000 Virtual Edge for VMware vSphere: CSCvr15078 Cisco NX-OS Software Release First Fixed Release for This Vulnerability 5.2 5.2(1)SV5(1.3) Nexus 1000V Switch for Microsoft Hyper-V: CSCvr15078 Cisco NX-OS Software Release First Fixed Release for This Vulnerability Earlier than 5.2 No fix available ^1 5.2 No fix available ^1 1. Cisco Nexus 1000V Switch for Microsoft Hyper-V has reached end of software maintenance. Nexus 1000V Switch for VMware vSphere: CSCvr15078 Cisco NX-OS Software Release First Fixed Release for This Vulnerability Earlier than 5.2 5.2(1)SV3(4.1b) 5.2 5.2(1)SV3(4.1b) Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvr14976 Cisco NX-OS Software Release First Fixed Release for This Vulnerability Earlier than 7.0(3)I 7.0(3)I7(8) (Feb 2020) or appropriate SMU ^1 7.0(3)I 7.0(3)I7(8) (Feb 2020) or appropriate SMU ^1 7.0(3)F ^2 9.3(2) 9.2 9.3(2) 9.3 9.3(2) 1. The SMUs that are available for Cisco NX-OS Software releases 7.0(3)I7 (5a), 7.0(3)I7(6), and 7.0(3)I7(7) fix this vulnerability (CSCvr14976). They also fix the vulnerability (CSCvr09175) that is described in the advisory Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability . The SMU filenames follow this format: CSCvr09175-n9k_ALL-1.0.0-<NX-OS_Release>.lib32_n9000.rpm . 2. The Cisco NX-OS Software 7.0(3)F train runs on only Cisco Nexus 3600 Platform Switches and Cisco Nexus 9500 R-Series Switching Platform and is no longer maintained. Customers are advised to migrate to Cisco NX-OS Software releases 9.2 or later. SMU Installation Instructions To download SMUs from the Software Center on Cisco.com, do the following: 1. Click Browse All . 2. 
Choose IOS and NX-OS Software > NX-OS > NX-OS Software > Switches > Data Center Switches.
      3. Choose the appropriate product and model.
      4. Choose NX-OS Software Maintenance Upgrades (SMU).
      5. Choose a release from the left pane of the appropriate product page.

    Note: The SMU filenames follow this format: CSCvr09175-n9k_ALL-1.0.0-<NX-OS_Release>.lib32_n9000.rpm. For example, the SMU filename for Cisco NX-OS Software Release 7.0(3)I7(6) is CSCvr09175-n9k_ALL-1.0.0-7.0.3.I7.6.lib32_n9000.rpm.

    To install the appropriate SMU, copy the SMU to the Bootflash: file system for the switch and execute the following commands, which activate the fix (this is a hot patch):

      1. install add bootflash:<SMU_filename> activate
      2. install commit

    The following example shows the commands for installing the SMU for Cisco NX-OS Software Release 7.0(3)I7(6):

      nx-os# install add bootflash:CSCvr09175-n9k_ALL-1.0.0-7.0.3.I7.6.lib32_n9000.rpm activate
      nx-os# install commit

    Note: These instructions apply to only this particular type of SMU.

    Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches: CSCvr15079

      Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
      Earlier than 7.1               7.3(6)N1(1)
      7.1                            7.3(6)N1(1)
      7.3                            7.3(6)N1(1)

    Nexus 7000 Series Switches: CSCvr15073

      Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
      Earlier than 6.2               6.2(24)
      6.2                            6.2(24)
      7.2                            7.3(5)D1(1)
      7.3                            7.3(5)D1(1)
      8.0                            8.2(5)
      8.1                            8.2(5)
      8.2                            8.2(5)
      8.3                            8.4(2) (Mar 2020) or appropriate SMU ^1
      8.4                            8.4(2) (Mar 2020) or appropriate SMU ^1

      1. The following SMUs are available for Cisco NX-OS Software Release 8.4(1): n7000-s2-dk9.8.4.1.CSCvs27997.bin, n7700-s2-dk9.8.4.1.CSCvs27997.bin, and n7700-s3-dk9.8.4.1.CSCvs27997.bin. Customers who are running a Cisco NX-OS Software 8.3 release are advised to upgrade to Cisco NX-OS Software Release 8.4(1) and then apply the appropriate SMU.
         For details on where to download and how to install SMUs in Cisco NX-OS Software for Cisco Nexus 7000 Series Switches, see the Performing Software Maintenance Upgrades chapter of the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide.

    Nexus 9000 Series Fabric Switches in ACI Mode: CSCvr15072

      Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
      Earlier than 13.1              13.2(9b)
      13.1                           13.2(9b)
      13.2                           13.2(9b)
      14.0                           14.2(1j)
      14.1                           14.2(1j)
      14.2                           14.2(1j)

    UCS 6200, 6300, and 6400 Series Fabric Interconnects: CSCvr15082 and CSCvr15111

      Cisco UCS Software Release   First Fixed Release for This Vulnerability
      Earlier than 3.2             3.2(3n)
      3.2                          3.2(3n)
      4.0                          4.0(4g)

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.

      Cisco MDS Series Switches
      Cisco Nexus 1000V for VMware Switch
      Cisco Nexus 3000 Series Switches
      Cisco Nexus 5500 Platform Switches
      Cisco Nexus 5600 Platform Switches
      Cisco Nexus 6000 Series Switches
      Cisco Nexus 7000 Series Switches
      Cisco Nexus 9000 Series Switches
      Cisco Nexus 9000 Series ACI-Mode Switches

    To determine the best release for Cisco UCS, see the Recommended Releases documents in the release notes for the device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of public announcements about the vulnerability that is described in this advisory. Cisco PSIRT is not aware of any malicious use of this vulnerability.

Source

  o Cisco would like to thank Barak Hadad of Armis for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy.
    This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos

Revision History

  o +---------+-------------------+--------------+---------+------------------+
    | Version | Description       | Section      | Status  | Date             |
    +---------+-------------------+--------------+---------+------------------+
    |         | Updated available | Fixed        |         |                  |
    | 1.3     | first fixed       | Software     | Interim | 2020-February-21 |
    |         | releases tables.  |              |         |                  |
    +---------+-------------------+--------------+---------+------------------+
    |         | Removed FXOS 2.5  |              |         |                  |
    |         | which does not    | Vulnerable   |         |                  |
    |         | exist. Updated    | Products,    |         |                  |
    | 1.2     | FXOS CDP          | Workarounds, | Interim | 2020-February-07 |
    |         | information under | Fixed        |         |                  |
    |         | Vulnerable        | Software     |         |                  |
    |         | Products and      |              |         |                  |
    |         | Workarounds.      |              |         |                  |
    +---------+-------------------+--------------+---------+------------------+
    |         | Corrected         |              |         |                  |
    |         | information       |              |         |                  |
    |         | around when Cisco |              |         |                  |
    |         | FXOS and Cisco    |              |         |                  |
    |         | UCS Fabric        |              |         |                  |
    |         | Interconnects are |              |         |                  |
    |         | vulnerable,       |              |         |                  |
    |         | mitigation        | Vulnerable   |         |                  |
    |         | options for Cisco | Products,    |         |                  |
    | 1.1     | FXOS and Cisco    | Workarounds, | Interim | 2020-February-06 |
    |         | UCS Fabric        | Fixed        |         |                  |
    |         | Interconnects and | Software     |         |                  |
    |         | vulnerable and    |              |         |                  |
    |         | first fixed       |              |         |                  |
    |         | releases for      |              |         |                  |
    |         | Cisco FXOS and    |              |         |                  |
    |         | Cisco Nexus 1000  |              |         |                  |
    |         | Virtual Edge for  |              |         |                  |
    |         | VMware vSphere.   |              |         |                  |
    +---------+-------------------+--------------+---------+------------------+
    | 1.0     | Initial public    | -            | Interim | 2020-February-05 |
    |         | release.          |              |         |                  |
    +---------+-------------------+--------------+---------+------------------+

- --------------------------------------------------------------------------------

Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20200205-iosxr-cdp-rce
First Published: 2020 February 5 16:00 GMT
Last Updated:    2020 October 20 18:23 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr09190
CVE-2020-3118    CWE-134
CVSS Score:      8.8  AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device.

    The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device.

    Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they have Cisco Discovery Protocol enabled both globally and on at least one interface and if they are running a vulnerable release of Cisco IOS XR Software (32-bit or 64-bit):

      ASR 9000 Series Aggregation Services Routers
      Carrier Routing System (CRS)
      IOS XRv 9000 Router
      Network Convergence System (NCS) 540 Series Routers
      Network Convergence System (NCS) 560 Series Routers
      Network Convergence System (NCS) 1000 Series Routers
      Network Convergence System (NCS) 5000 Series Routers
      Network Convergence System (NCS) 5500 Series Routers
      Network Convergence System (NCS) 6000 Series Routers

    This vulnerability also affects third-party white box routers if they have Cisco Discovery Protocol enabled both globally and on at least one interface and if they are running a vulnerable release of Cisco IOS XR Software.

    Note: Cisco Discovery Protocol is not enabled in Cisco IOS XR Software by default.

    For information about which Cisco IOS XR Software releases are vulnerable, see the Fixed Software section of this advisory.

    Determine the Status of Cisco Discovery Protocol

    Administrators can determine whether Cisco Discovery Protocol is enabled on a device by using the show running-config | include cdp command in the device CLI. If the command returns at least the following lines, Cisco Discovery Protocol is enabled globally and on at least one interface:

      RP/0/RP0/CPU0:ios#show running-config | include cdp
      Mon Dec 2 17:00:27.921 UTC
      Building configuration...
      cdp
       cdp
      .
      .
      .

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Network Convergence System (NCS) 520 Series Routers.
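    The running-config check above, worked as an added Python example that is not Cisco's code: it parses show running-config text for the global and per-interface cdp lines, looks the running release up in the advisory's Fixed Releases and SMU tables, and returns the no cdp workaround commands the advisory's Workarounds section describes. The sample configuration, release string and platform name are constructed for the example.

```python
"""Exposure check for the IOS XR Cisco Discovery Protocol issue (CSCvr09190).

Added example, not Cisco's code: applies the advisory's running-config check
(global `cdp` plus `cdp` on at least one interface) to `show running-config`
text, looks the release up in the advisory's first-fixed and SMU tables, and
returns the `no cdp` workaround commands. Sample config/values are constructed.
"""
import re

# Advisory's Fixed Releases table: train -> first fixed release entry.
FIRST_FIXED = {
    "6.6": "6.6.3 or appropriate SMU (white box: 6.6.12 plus SMU)",
    "7.0": "7.0.2 (Mar 2020) or appropriate SMU",
}
NOT_VULNERABLE_FROM = (7, 1)  # "7.1: Not vulnerable"

# Advisory's SMU table: (release, platform) -> SMU name.
SMUS = {
    ("5.2.5", "NCS6K"): "ncs6k-5.2.5.CSCvr78185",
    ("6.4.2", "ASR9K-PX"): "asr9k-px-6.4.2.CSCvr78185",
    ("6.4.2", "CRS-PX"): "hfr-px-6.4.2.CSCvr78185",
    ("6.5.3", "ASR9K-PX"): "asr9k-px-6.5.3.CSCvr78185",
    ("6.5.3", "ASR9K-X64"): "asr9k-x64-6.5.3.CSCvr78185",
    ("6.5.3", "NCS540"): "ncs540-6.5.3.CSCvr78185",
    ("6.5.3", "NCS5K"): "ncs5k-6.5.3.CSCvr78185",
    ("6.5.3", "NCS5500"): "ncs5500-6.5.3.CSCvr78185",
    ("6.5.3", "XRV9K"): "xrv9k-6.5.3.CSCvr78185",
    ("6.6.12", "White box"): "iosxrwbd-6.6.12.CSCvr78185",
    ("6.6.25", "NCS560"): "ncs560-6.6.25.CSCvr78185",
    ("7.0.1", "NCS540L"): "ncs540l-7.0.1.CSCvr78185",
}


def parse_cdp_state(running_config):
    """Return (cdp_global, interfaces_with_cdp) from IOS XR config text."""
    # Global `cdp` sits at column 0; a per-interface `cdp` is indented under
    # its `interface <name>` block, which IOS XR closes with `!`.
    cdp_global = False
    cdp_interfaces = []
    current_if = None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]
        elif line == "!":
            current_if = None
        elif line == "cdp":
            cdp_global = True
        elif line.strip() == "cdp" and current_if is not None:
            cdp_interfaces.append(current_if)
    return cdp_global, cdp_interfaces


def first_fixed_release(version):
    """Map a release such as '6.5.3' to its table entry; None if not vulnerable."""
    parts = re.findall(r"\d+", version)
    if len(parts) < 2:
        raise ValueError(f"unrecognised IOS XR release: {version!r}")
    train = (int(parts[0]), int(parts[1]))
    if train >= NOT_VULNERABLE_FROM:
        return None
    # Trains earlier than 6.6 are listed as "Appropriate SMU".
    return FIRST_FIXED.get(f"{train[0]}.{train[1]}", "Appropriate SMU")


def workaround_commands(cdp_interfaces, disable_globally=True):
    """IOS XR commands matching the advisory's Workarounds section."""
    # Global removal closes the attack vector; the per-interface form only
    # reduces the attack surface to the interfaces that keep CDP.
    if disable_globally:
        return ["conf t", "no cdp", "commit"]
    cmds = ["conf t"]
    for name in cdp_interfaces:
        cmds += [f"interface {name}", "no cdp"]
    return cmds + ["commit"]


def assess(running_config, version, platform):
    """Combine the config check with the advisory's release data for a device."""
    cdp_global, cdp_interfaces = parse_cdp_state(running_config)
    fixed = first_fixed_release(version)
    # Advisory condition: vulnerable release AND CDP on globally AND on >=1 interface.
    exposed = fixed is not None and cdp_global and bool(cdp_interfaces)
    return {
        "exposed": exposed,
        "cdp_global": cdp_global,
        "cdp_interfaces": cdp_interfaces,
        "first_fixed": fixed,
        "smu": SMUS.get((version, platform)),
        "workaround": workaround_commands(cdp_interfaces) if exposed else [],
    }


# Constructed sample: CDP enabled globally and on one of two interfaces.
SAMPLE_CONFIG = """\
cdp
!
interface GigabitEthernet0/0/0/0
 cdp
!
interface GigabitEthernet0/0/0/1
 description CDP not enabled here
!
"""
```

    Calling assess(SAMPLE_CONFIG, "6.5.3", "NCS540") reports the device as exposed, names ncs540-6.5.3.CSCvr78185 as the available SMU, and returns the global no cdp sequence; a 7.1 release is reported as not exposed regardless of the configuration.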
    Cisco has also confirmed that this vulnerability does not affect the following Cisco software:

      FXOS Software
      IOS Software
      IOS XE Software
      NX-OS Software
      UCS Software

Workarounds

  o There are no workarounds that address this vulnerability. However, customers who do not use the Cisco Discovery Protocol feature can disable it either globally to fully close the attack vector or on individual interfaces to reduce the attack surface.

    Disable Cisco Discovery Protocol Globally

    To disable Cisco Discovery Protocol globally on devices that are running Cisco IOS XR Software, administrators can use the no cdp command in global configuration mode, as shown in the following example:

      RP/0/RP0/CPU0:ios#conf t
      Mon Dec 2 17:58:08.556 UTC
      RP/0/RP0/CPU0:ios(config)#no cdp
      RP/0/RP0/CPU0:ios(config)#exit
      Uncommitted changes found, commit them before exiting(yes/no/cancel) [cancel]:yes

    Disable Cisco Discovery Protocol on an Interface

    To disable Cisco Discovery Protocol on an interface on devices that are running Cisco IOS XR Software, administrators can use the no cdp command in interface configuration mode, as shown in the following example:

      RP/0/RP0/CPU0:ios#conf t
      Mon Dec 2 18:00:08.622 UTC
      RP/0/RP0/CPU0:ios(config)#interface GigabitEthernet0/0/0/0
      RP/0/RP0/CPU0:ios(config-if)#no cdp
      RP/0/RP0/CPU0:ios(config-if)#end
      Uncommitted changes found, commit them before exiting(yes/no/cancel) [cancel]:yes

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
    By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    In the following table, the left column lists Cisco software releases.
    The right column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability.

      Cisco IOS XR Software Release   First Fixed Release for This Vulnerability
      Earlier than 6.6                Appropriate SMU
      6.6 ^1                          6.6.3 or appropriate SMU
      7.0                             7.0.2 (Mar 2020) or appropriate SMU
      7.1                             Not vulnerable

      1. Customers who are running Cisco IOS XR Software Release 6.6 on white box routers are advised to upgrade to Release 6.6.12 and then install the software maintenance upgrade (SMU). Customers who are running Cisco IOS XR Software Release 6.6 on other platforms are advised to upgrade to Release 6.6.3.

    The following SMUs are also available for Cisco IOS XR Software:

      Cisco IOS XR Software Release   Platform    SMU Name
      5.2.5                           NCS6K       ncs6k-5.2.5.CSCvr78185
      6.4.2                           ASR9K-PX    asr9k-px-6.4.2.CSCvr78185
                                      CRS-PX      hfr-px-6.4.2.CSCvr78185
      6.5.3                           ASR9K-PX    asr9k-px-6.5.3.CSCvr78185
                                      ASR9K-X64   asr9k-x64-6.5.3.CSCvr78185
                                      NCS540      ncs540-6.5.3.CSCvr78185
                                      NCS5K       ncs5k-6.5.3.CSCvr78185
                                      NCS5500     ncs5500-6.5.3.CSCvr78185
                                      XRV9K       xrv9k-6.5.3.CSCvr78185
      6.6.12                          White box   iosxrwbd-6.6.12.CSCvr78185
      6.6.25                          NCS560      ncs560-6.6.25.CSCvr78185
      7.0.1                           NCS540L     ncs540l-7.0.1.CSCvr78185

    For details on where to download and how to install SMUs in Cisco IOS XR Software, see the IOS XR Software Maintenance Updates (SMUs) guide.

Exploitation and Public Announcements

  o In October 2020, the Cisco Product Security Incident Response Team (PSIRT) received reports of attempted exploitation of this vulnerability in the wild. Cisco recommends that customers upgrade to a fixed Cisco IOS XR Software release to remediate this vulnerability.

Source

  o Cisco would like to thank Barak Hadad of Armis for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy.
    This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce

Revision History

  o +---------+------------------------+---------------+--------+-------------+
    | Version | Description            | Section       | Status | Date        |
    +---------+------------------------+---------------+--------+-------------+
    |         | Updated Exploitation   |               |        |             |
    |         | and Public             |               |        |             |
    |         | Announcements to       | Exploitation  |        |             |
    |         | indicate that          | and Public    |        |             |
    | 1.1     | exploitation in the    | Announcements | Final  | 2020-OCT-20 |
    |         | wild has been          | and           |        |             |
    |         | observed. Fixed two    | Vulnerable    |        |             |
    |         | typos in Vulnerable    | Products      |        |             |
    |         | Products (no change to |               |        |             |
    |         | affected products).    |               |        |             |
    +---------+------------------------+---------------+--------+-------------+
    | 1.0     | Initial public         | -             | Final  | 2020-FEB-05 |
    |         | release.               |               |        |             |
    +---------+------------------------+---------------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco IP Phone Remote Code Execution and Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20200205-voip-phones-rce-dos
First Published: 2020 February 5 16:00 GMT
Last Updated:    2020 February 20 22:04 GMT
Version 1.3:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr96057 CSCvr96058 CSCvr96059 CSCvr96060 CSCvr96063
                 CSCvr96064 CSCvr96065 CSCvr96066 CSCvr96067 CSCvr96069
                 CSCvr96070 CSCvr96071 CSCvr96738 CSCvr96739
CVE-2020-3111    CWE-20
CVSS Score:      8.8  AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Discovery Protocol implementation for the Cisco IP Phone could allow an unauthenticated, adjacent attacker to remotely execute code with root privileges or cause a reload of an affected IP phone.
    The vulnerability is due to missing checks when processing Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a crafted Cisco Discovery Protocol packet to the targeted IP phone. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition.

    Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco IP phones with Cisco Discovery Protocol enabled ^1 and running a vulnerable firmware release:

      IP Conference Phone 7832
      IP Conference Phone 7832 with Multiplatform Firmware
      IP Conference Phone 8832
      IP Conference Phone 8832 with Multiplatform Firmware
      IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware
      IP Phone 7811, 7821, 7841, 7861 Desktop Phones
      IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware
      IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones
      IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform Firmware
      Unified IP Conference Phone 8831
      Unified IP Conference Phone 8831 for Third-Party Call Control
      Wireless IP Phone 8821, 8821-EX

    ^1 Cisco Discovery Protocol is enabled by default on most IP Phone models.

    For information about which software releases are vulnerable, see the Fixed Software section of this advisory.
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

      ATA 191 Analog Telephone Adapter
      ATA 192 Multiplatform Analog Telephone Adapter
      IP DECT 6825 with Multiplatform Firmware
      SPA112 2-Port Phone Adapter
      SPA122 ATA with Router
      SPA2102 Phone Adapter with Router
      SPA232D Multi-Line DECT ATA
      Small Business SPA300 Series IP Phones
      Small Business SPA500 Series IP Phones
      SPA3102 Voice Gateway with Router
      SPA8000 8-port IP Telephony Gateway
      SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
      Unified IP Phone 6901
      Unified IP Phone 7942
      Unified IP Phone 7945
      Unified IP Phone 7962
      Unified IP Phone 7965
      Unified IP Phone 7975
      Unified SIP Phone 3905

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.

    By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed firmware release as indicated in the following table:

      Cisco IP Phone Model                                                            Cisco Bug ID             First Fixed Release
      IP Conference Phone 7832                                                        CSCvr96069               12.7(1)
      IP Conference Phone 7832 with Multiplatform Firmware                            CSCvr96060               11.3(1)SR1
      IP Conference Phone 8832                                                        CSCvr96071               12.7(1)
      IP Conference Phone 8832 with Multiplatform Firmware                            CSCvr96064               11.3(1)SR1
      IP Phone 6821, 6841, 6851, 6861, 6871 with Multiplatform Firmware               CSCvr96065, CSCvr96067   11.3(1)SR1
      IP Phone 7811, 7821, 7841, 7861 Desktop Phones                                  CSCvr96739               12.7(1)
      IP Phone 7811, 7821, 7841, 7861 Desktop Phones with Multiplatform Firmware      CSCvr96063               11.3(1)SR1
      IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones                      CSCvr96066, CSCvr96069   12.7(1)
      IP Phone 8811, 8841, 8851, 8861, 8845, 8865 Desktop Phones with Multiplatform   CSCvr96058, CSCvr96059   11.3(1)SR1
        Firmware
      Unified IP Conference Phone 8831                                                CSCvr96738               10.3(1)SR6 (Targeted for March 2020)
      Unified IP Conference Phone 8831 for Third-Party Call Control                   CSCvr96057               There is no fixed firmware available at this time.
      Wireless IP Phone 8821 and 8821-EX                                              CSCvr96070               11.0(5)SR2

    To download the Cisco IP Phone firmware from the Software Center on Cisco.com, do the following:

      1. Click Browse all.
      2. Choose Collaboration Endpoints > IP Phones.
      3. Choose a specific product from the right pane of the product selector.
      4. Choose a release from the left pane of the product page.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of public announcements about this vulnerability. Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Ben Seri, VP of Research at Armis, for finding and reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy.
    This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-voip-phones-rce-dos

Revision History

  o +---------+----------------------+------------+--------+------------------+
    | Version | Description          | Section    | Status | Date             |
    +---------+----------------------+------------+--------+------------------+
    |         | Added the Cisco      |            |        |                  |
    |         | Unified SIP Phone    | Products   |        |                  |
    | 1.3     | 3905 and Cisco       | Confirmed  | Final  | 2020-February-20 |
    |         | Unified IP Phone     | Not        |        |                  |
    |         | 6901 as confirmed    | Vulnerable |        |                  |
    |         | not vulnerable.      |            |        |                  |
    +---------+----------------------+------------+--------+------------------+
    |         | Added the Cisco      |            |        |                  |
    |         | ATA191 and ATA 192   |            |        |                  |
    |         | products as not      | Products   |        |                  |
    | 1.2     | vulnerable. Listed   | Confirmed  | Final  | 2020-February-14 |
    |         | the specific models  | Not        |        |                  |
    |         | of the 7900 phones   | Vulnerable |        |                  |
    |         | that are confirmed   |            |        |                  |
    |         | not vulnerable.      |            |        |                  |
    +---------+----------------------+------------+--------+------------------+
    |         | Added the Cisco      | Products   |        |                  |
    | 1.1     | Unified IP Phone     | Confirmed  | Final  | 2020-February-11 |
    |         | 7900 Series as not   | Not        |        |                  |
    |         | vulnerable.          | Vulnerable |        |                  |
    +---------+----------------------+------------+--------+------------------+
    | 1.0     | Initial public       | -          | Final  | 2020-February-05 |
    |         | release.             |            |        |                  |
    +---------+----------------------+------------+--------+------------------+

- --------------------------------------------------------------------------------

Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20200205-ipcameras-rce-dos
First Published: 2020 February 5 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvr96127
CVE-2020-3110    CWE-20
CVSS Score:      8.8  AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Discovery Protocol implementation for the Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to execute code remotely or cause a reload of an affected IP Camera.

    The vulnerability is due to missing checks when processing Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to the targeted IP Camera. A successful exploit could allow the attacker to expose the affected IP Camera for remote code execution or cause it to reload unexpectedly, resulting in a denial of service (DoS) condition.

    Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Video Surveillance 8000 Series IP Cameras with the Cisco Discovery Protocol enabled when they are running a firmware version earlier than 1.0.7.
    For information about which Cisco Video Surveillance 8000 Series IP Camera firmware releases are vulnerable, see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

      Video Surveillance 3000 Series IP Cameras
      Video Surveillance 4000 Series High-Definition IP Cameras
      Video Surveillance 4300E and 4500E High-Definition IP Cameras
      Video Surveillance 6000 Series IP Cameras
      Video Surveillance 7000 Series IP Cameras
      Video Surveillance PTZ IP Cameras

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.

    By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in Video Surveillance 8000 Series IP Camera Firmware Release 1.0.7 and later.

    Customers can download Video Surveillance 8000 Series IP Camera Firmware from the Software Center on Cisco.com by doing the following:

      1. Click Browse all.
      2. Navigate to Connected Safety and Security > Video Surveillance IP Cameras > Video Surveillance 8000 Series IP Cameras.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank Ben Seri, VP of Research at Armis, for finding and reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-ipcameras-rce-dos

Revision History

  o +---------+-------------------------+---------+--------+------------------+
    | Version | Description             | Section | Status | Date             |
    +---------+-------------------------+---------+--------+------------------+
    | 1.0     | Initial public release. | -       | Final  | 2020-February-05 |
    +---------+-------------------------+---------+--------+------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above.
If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================