
What are CDP (Cisco Discovery Protocol) Attacks?

Last Updated : 09 Oct, 2024

Cisco Discovery Protocol (CDP) is a Layer 2 protocol developed by Keith McCloghrie and Dino Farinacci in 1994. CDP is used to collect information about directly connected Cisco equipment, such as the operating system version and IP address, and to share that information with neighbors. In this article, we will learn what CDP is, how it works, what CDP spoofing is, and which attacks are possible and how to prevent them.

What is CDP?

CDP is a Layer 2 protocol used by Cisco devices to discover other directly connected Cisco devices in a network. This lets devices learn about their connections automatically, which simplifies connectivity and configuration. CDP is enabled by default on most Cisco devices. Because CDP frames are not forwarded by routers, the information never leaves the local link: each device sends periodic multicast advertisements and keeps what it hears from its neighbors in a local CDP table.

The CDP database holds a lot of data about each neighbor, such as its capabilities, IP address, native VLAN, software version and platform. When this information reaches a malicious user, for example through a compromised system, they can use it to look for exploits against the network; such attacks are generally carried out as DoS attacks. Because CDP is not authenticated, a malicious user can also craft counterfeit CDP packets and send them to other devices.

How Does CDP Work?

Cisco Discovery Protocol (CDP) is a protocol that allows network management applications to learn about nearby Cisco devices. It works by sending periodic messages to a multicast address from each CDP-configured device.

  • Usage of CDP: CDP is used to discover Cisco devices that are neighbors of other known devices. It can also be used for On-Demand Routing (ODR), which carries routing information inside CDP announcements.
  • How CDP runs: CDP runs on all Cisco routers, bridges, access servers, and switches. It runs at Layer 2 (the data link layer) over any LAN and WAN media that support the Subnetwork Access Protocol (SNAP).
  • How CDP is enabled: CDP is enabled by default on Cisco devices. It is not possible to disable CDP globally and then enable it on an individual interface.
  • How CDP is vulnerable: CDP is vulnerable to attacks because it has no inherent security mechanisms such as authentication.

CDP Spoofing

Cisco Discovery Protocol (CDP) spoofing is a type of Denial-of-Service (DoS) attack in which forged CDP packets are sent to make it appear as if other Cisco devices are connected to the network.

Working of CDP Spoofing

An attacker sends thousands of spoofed CDP packets to the CDP multicast MAC address 01:00:0C:CC:CC:CC. The receiving device adds each advertised neighbor to its CDP table, which exhausts memory and can cause the device to crash if it cannot handle the flood.

Consequences

The device's command line interface may become unresponsive, making it difficult to disable CDP during the attack. Other traffic on the network may be dropped because the device no longer has the resources to forward it.

Possible Attacks

  • Telnet attacks: Telnet is an insecure protocol that a malicious user can use for remote access to a network device. Once connected, they can launch a brute force attack against the virtual terminal (vty) lines on the switch to crack passwords.
  • Brute force password attacks: In this kind of attack the malicious user uses a list of common passwords together with a program that opens a Telnet session and tries each word on the dictionary list. If the dictionary attack does not crack the password, the next step of the brute force attack is a combination attack that tries many character combinations until the password is found.
  • Telnet DoS attack: Telnet can also be used for DoS attacks. Here the malicious user exploits a bug in the Telnet server software running on the switch that renders the Telnet service inaccessible. This can be combined with other direct attacks to prevent administrators from remotely accessing vital devices and switch management during an attack.
  • CVE-2020-3110, the RCE and DoS vulnerability in the CDP implementation of Cisco Video Surveillance 8000 Series IP Cameras: a malicious user can exploit this vulnerability by sending forged CDP packets to an affected IP camera. It allows an unauthenticated user to execute code remotely, and it can also cause an affected camera to reload unexpectedly, resulting in a DoS condition.
  • CVE-2020-3111, the RCE and DoS vulnerability of Cisco IP Phones: this could allow an unauthenticated malicious user to carry out an RCE attack with root privileges, and it can also cause an affected IP phone to reload, resulting in a DoS-like condition.
  • CVE-2020-3118, the format string vulnerability in the CDP implementation of Cisco IOS XR Software: this vulnerability could let an unauthenticated malicious user trigger a stack overflow on the affected device, which can lead to arbitrary code execution or a reload of the device.

Preventions Against CDP Attacks

The following points can be considered for preventing CDP attacks:

  • The user can disable CDP on devices or ports where it is not needed by using the "no cdp run" command.
  • To prevent brute force password attacks, the user should change their password frequently and always use a strong password.
  • An ACL (Access Control List) can be used to limit access to the virtual terminal lines.
  • The user should disable CDP on routers that are connected to external networks.
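The four prevention points above can be checked mechanically against a device's running configuration. The following Python script is an added example written for this article; it is not code from Cisco or from the original page. It audits a constructed IOS-style configuration excerpt (the hostname, addresses and ACL name are made up) for the conditions the list describes: whether CDP is still enabled globally, whether interfaces the operator marks as external still have CDP enabled (the per-interface form is "no cdp enable", while "no cdp run" is the global command), and whether every vty line block restricts access with an "access-class" ACL.

```python
# Added example: audit an IOS-style running config for the CDP-hardening
# points discussed above. The sample configuration below is constructed
# for this example and does not come from any real device.
SAMPLE_CONFIG = """\
!
hostname EDGE-RTR
!
cdp run
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 no cdp enable
!
ip access-list standard MGMT-ONLY
 permit 192.168.10.0 0.0.0.255
!
line vty 0 4
 transport input ssh
!
line vty 5 15
 access-class MGMT-ONLY in
 transport input ssh
!
"""


def parse_blocks(config: str) -> dict:
    """Split an IOS-style config into {section_header: [indented sub-lines]}.

    Top-level commands (e.g. "cdp run") become headers with an empty body;
    indented lines belong to the most recent header. A bare "!" ends a block.
    """
    blocks: dict = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks


def audit_cdp_hardening(config: str, external_interfaces: set) -> list:
    """Return a list of findings (strings); an empty list means all checks pass."""
    blocks = parse_blocks(config)
    findings = []

    # 1. CDP is on by default, so only an explicit "no cdp run" disables it globally.
    if "no cdp run" not in blocks:
        findings.append("CDP is enabled globally (no 'no cdp run' present)")

    # 2. Interfaces facing external networks must carry "no cdp enable".
    for name in sorted(external_interfaces):
        header = f"interface {name}"
        if header not in blocks:
            findings.append(f"{name}: interface not found in config")
        elif "no cdp enable" not in blocks[header]:
            findings.append(f"{name}: CDP still enabled on external-facing interface")

    # 3. Every vty line block should restrict access with an ACL (access-class).
    for header, body in blocks.items():
        if header.startswith("line vty"):
            if not any(cmd.startswith("access-class ") for cmd in body):
                findings.append(f"{header}: no access-class ACL restricting vty access")

    return findings


if __name__ == "__main__":
    for finding in audit_cdp_hardening(SAMPLE_CONFIG, {"GigabitEthernet0/0"}):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports three findings: CDP is still globally enabled, the ISP-facing GigabitEthernet0/0 has no "no cdp enable", and "line vty 0 4" has no access-class. Only GigabitEthernet0/1 and "line vty 5 15" pass.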

Detection

Changes in CDP can be monitored with the help of a CDP monitor. This CDP program discovers CDP changes on the network and can inform the user by prompting a message box or sending warning emails. Because the CDP monitor can also send custom CDP packets, the same tool can be used to test how a network responds to CDP spoofing.
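The spoofing mechanism described under "Working of CDP Spoofing" and the change-monitoring idea above can both be illustrated with a small decoder. The following Python script is an added example written for this article, not code from Cisco or from any CDP monitor product. It builds constructed CDP frames (802.3 frame, LLC/SNAP header with Cisco OUI 00:00:0C and protocol ID 0x2000, then the CDP header and TLVs; the device names and MAC addresses are made up), parses them back into their TLVs, and flags an interval in which far more distinct Device IDs appear than a single link should ever carry. The checksum field is left at zero and is not verified here, which is an assumption made to keep the example short.

```python
import struct

# Added example: decode CDP advertisements and flag a spoofing flood.
# The frames built below are constructed test data, not captured traffic.
CDP_MULTICAST_MAC = "01:00:0c:cc:cc:cc"
CDP_SNAP_OUI = b"\x00\x00\x0c"      # Cisco OUI in the SNAP header
CDP_SNAP_PROTO = 0x2000             # SNAP protocol ID for CDP

# Selected CDP TLV type codes; text TLVs are decoded, others shown as hex.
TLV_NAMES = {0x0001: "Device ID", 0x0003: "Port ID", 0x0004: "Capabilities",
             0x0005: "Software Version", 0x0006: "Platform", 0x000A: "Native VLAN"}
TEXT_TLVS = {0x0001, 0x0003, 0x0005, 0x0006}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_cdp_frame(src_mac: bytes, device_id: str, port_id: str, platform: str) -> bytes:
    """Construct an 802.3 + LLC/SNAP CDP v2 frame (checksum left as 0 for this example)."""
    def tlv(t: int, v: bytes) -> bytes:
        return struct.pack("!HH", t, 4 + len(v)) + v   # length includes the 4-byte TLV header
    cdp = struct.pack("!BBH", 2, 180, 0)                # version 2, TTL 180 s, checksum placeholder
    cdp += tlv(0x0001, device_id.encode())
    cdp += tlv(0x0003, port_id.encode())
    cdp += tlv(0x0006, platform.encode())
    llc_snap = b"\xaa\xaa\x03" + CDP_SNAP_OUI + struct.pack("!H", CDP_SNAP_PROTO)
    payload = llc_snap + cdp
    dst = bytes.fromhex(CDP_MULTICAST_MAC.replace(":", ""))
    return dst + src_mac + struct.pack("!H", len(payload)) + payload


def parse_cdp_frame(frame: bytes):
    """Return {'src_mac', 'version', 'ttl', <TLV name>: value, ...} or None if not CDP."""
    if len(frame) < 26:
        return None
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if mac_str(dst) != CDP_MULTICAST_MAC:
        return None
    llc = frame[14:22]
    if llc[:3] != b"\xaa\xaa\x03" or llc[3:6] != CDP_SNAP_OUI:
        return None
    if struct.unpack("!H", llc[6:8])[0] != CDP_SNAP_PROTO:
        return None
    body = frame[22:14 + length]
    if len(body) < 4:
        return None
    version, ttl, _checksum = struct.unpack("!BBH", body[:4])
    tlvs = {"src_mac": mac_str(src), "version": version, "ttl": ttl}
    pos = 4
    while pos + 4 <= len(body):
        t, l = struct.unpack("!HH", body[pos:pos + 4])
        if l < 4 or pos + l > len(body):
            return None                                 # malformed TLV: refuse rather than over-read
        value = body[pos + 4:pos + l]
        name = TLV_NAMES.get(t, f"type-0x{t:04x}")
        tlvs[name] = value.decode("ascii", "replace") if t in TEXT_TLVS else value.hex()
        pos += l
    return tlvs


def detect_cdp_flood(frames, max_neighbors=8) -> dict:
    """Summarise one observation interval; many distinct Device IDs on one link means spoofing."""
    device_ids = set()
    cdp_frames = 0
    for f in frames:
        info = parse_cdp_frame(f)
        if info is None:
            continue
        cdp_frames += 1
        device_ids.add(info.get("Device ID", "<none>"))
    return {"cdp_frames": cdp_frames, "distinct_device_ids": len(device_ids),
            "alert": len(device_ids) > max_neighbors}


if __name__ == "__main__":
    legit = build_cdp_frame(b"\x00\x11\x22\x33\x44\x55", "SW1", "GigabitEthernet0/1", "cisco WS-C2960")
    flood = [build_cdp_frame(bytes([0x02, 0, 0, 0, 0, i]), f"FAKE-{i}", "Eth0", "cisco") for i in range(50)]
    print(parse_cdp_frame(legit))
    print(detect_cdp_flood([legit]))
    print(detect_cdp_flood([legit] + flood))
```

A single legitimate neighbor yields one Device ID and no alert, while the constructed flood of fifty advertisements with different Device IDs trips the threshold. A production monitor would additionally persist the parsed TLVs per port and report when a neighbor's Device ID, Platform or Native VLAN changes between intervals, which is the "CDP change" the text refers to.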

Conclusion

CDP is a tool used by network administrators and engineers to identify neighboring Cisco devices in a network. CDP is vulnerable to attacks because it has no inherent security mechanisms. As a result, a lot of data about the device, such as its capabilities, IP address, software version and platform version, can be exposed and used by a malicious user to perform attacks. This risk can be controlled with the help of a CDP monitor, a program that detects CDP changes on the network.
