ID

VAR-202002-0712


CVE

CVE-2020-3118


TITLE

Cisco Discovery Protocol (CDP) enabled devices are vulnerable to denial-of-service and remote code execution

Trust: 0.8

sources: CERT/CC: VU#261385

DESCRIPTION

A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

Armis Security found that devices that support CDP are vulnerable to a heap overflow in Cisco IP Cameras (CVE-2020-3110), a stack overflow in Cisco VoIP devices (CVE-2020-3111), a format string stack overflow vulnerability (CVE-2020-3118), a stack overflow and arbitrary write (CVE-2020-3119), and a resource exhaustion denial-of-service vulnerability (CVE-2020-3120) in Cisco NX-OS switches and Cisco IOS XR Routers, among others.

CVE-2020-3110: Cisco's Video Surveillance 8000 Series IP cameras with CDP enabled are vulnerable to a heap overflow in the parsing of the DeviceID type-length-value (TLV). The CVSS score reflected below refers to this vulnerability.
CVE-2020-3111: Cisco Voice over Internet Protocol (VoIP) phones with CDP enabled are vulnerable to a stack overflow in the parsing of the PortID type-length-value (TLV).
CVE-2020-3118: Cisco's CDP subsystem of devices running, or based on, Cisco IOS XR Software is vulnerable to improper validation of string input from certain fields within a CDP message that could lead to a stack overflow.
CVE-2020-3119: Cisco's CDP subsystem of devices running, or based on, Cisco NX-OS Software is vulnerable to a stack buffer overflow and arbitrary write in the parsing of the Power over Ethernet (PoE) type-length-value (TLV).
CVE-2020-3120: Cisco's CDP subsystem of devices running, or based on, Cisco NX-OS, IOS XR, and FXOS Software is vulnerable to a resource exhaustion denial-of-service condition.

It is important to note that for all affected devices, CDP is enabled by default. A complete list of the affected products can be found in the Cisco advisories for CVE-2020-3110, CVE-2020-3111, CVE-2020-3118, CVE-2020-3119, and CVE-2020-3120.

Cisco IOS XR Software contains a format string vulnerability. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Cisco IOS XR is an operating system developed by Cisco for its network equipment.

Trust: 2.52

sources: NVD: CVE-2020-3118 // CERT/CC: VU#261385 // JVNDB: JVNDB-2020-001755 // VULHUB: VHN-181243 // VULMON: CVE-2020-3118

AFFECTED PRODUCTS

vendor: cisco, model: ios xr, scope: eq, version: 6.6.25

Trust: 1.0

vendor: cisco, model: ios xr, scope: lt, version: 7.0.2

Trust: 1.0

vendor: cisco, model: ios xr, scope: eq, version: 6.4.2

Trust: 1.0

vendor: cisco, model: ios xr, scope: eq, version: 7.0.1

Trust: 1.0

vendor: cisco, model: ios xr, scope: gte, version: 7.0.0

Trust: 1.0

vendor: cisco, model: ios xr, scope: lt, version: 6.6.12

Trust: 1.0

vendor: cisco, model: ios xr, scope: eq, version: 5.2.5

Trust: 1.0

vendor: cisco, model: ios xr, scope: eq, version: 6.5.3

Trust: 1.0

vendor: cisco, model: ios xr, scope: gte, version: 6.6.0

Trust: 1.0

vendor: cisco, model: ios xr, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-001755 // NVD: CVE-2020-3118

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3118
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3118
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-001755
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202002-131
value: HIGH

Trust: 0.6

VULHUB: VHN-181243
value: HIGH

Trust: 0.1

VULMON: CVE-2020-3118
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3118
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-001755
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181243
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3118
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3118
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-001755
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181243 // VULMON: CVE-2020-3118 // JVNDB: JVNDB-2020-001755 // CNNVD: CNNVD-202002-131 // NVD: CVE-2020-3118 // NVD: CVE-2020-3118

PROBLEMTYPE DATA

problemtype: CWE-134

Trust: 1.8

problemtype: CWE-787

Trust: 1.1

sources: VULHUB: VHN-181243 // JVNDB: JVNDB-2020-001755 // NVD: CVE-2020-3118

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202002-131

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202002-131

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-001755

PATCH

title: cisco-sa-20200205-iosxr-cdp-rce, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce

Trust: 0.8

title: Cisco IOS XR Fixes for formatting string error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108697

Trust: 0.6

title: Cisco: Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20200205-iosxr-cdp-rce

Trust: 0.1

title: -, url: https://github.com/Live-Hack-CVE/CVE-2020-3118

Trust: 0.1

title: -, url: https://github.com/santosomar/kev_checker

Trust: 0.1

title: BleepingComputer, url: https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-high-severity-pre-auth-flaws-in-vpn-routers/

Trust: 0.1

title: Threatpost, url: https://threatpost.com/unpatched-iot-ot-devices-threaten-critical-infrastructure/162275/

Trust: 0.1

title: Threatpost, url: https://threatpost.com/high-severity-cisco-dos-flaw-asr-routers/161115/

Trust: 0.1

title: Threatpost, url: https://threatpost.com/cisco-dos-flaws-network-security-software/160414/

Trust: 0.1

title: Threatpost, url: https://threatpost.com/critical-cisco-cdpwn-flaws-network-segmentation/152546/

Trust: 0.1

title: BleepingComputer, url: https://www.bleepingcomputer.com/news/security/cisco-warns-of-attacks-targeting-high-severity-router-vulnerability/

Trust: 0.1

sources: VULMON: CVE-2020-3118 // JVNDB: JVNDB-2020-001755 // CNNVD: CNNVD-202002-131

EXTERNAL IDS

db: NVD, id: CVE-2020-3118

Trust: 2.7

db: PACKETSTORM, id: 156203

Trust: 1.9

db: CERT/CC, id: VU#261385

Trust: 0.9

db: JVNDB, id: JVNDB-2020-001755

Trust: 0.8

db: CNNVD, id: CNNVD-202002-131

Trust: 0.7

db: NSFOCUS, id: 45786

Trust: 0.6

db: AUSCERT, id: ESB-2020.0424.9

Trust: 0.6

db: AUSCERT, id: ESB-2020.0424.6

Trust: 0.6

db: AUSCERT, id: ESB-2020.0424.5

Trust: 0.6

db: AUSCERT, id: ESB-2020.0424.7

Trust: 0.6

db: AUSCERT, id: ESB-2020.0424.3

Trust: 0.6

db: CNVD, id: CNVD-2020-16656

Trust: 0.1

db: VULHUB, id: VHN-181243

Trust: 0.1

db: VULMON, id: CVE-2020-3118

Trust: 0.1

sources: CERT/CC: VU#261385 // VULHUB: VHN-181243 // VULMON: CVE-2020-3118 // JVNDB: JVNDB-2020-001755 // PACKETSTORM: 156203 // CNNVD: CNNVD-202002-131 // NVD: CVE-2020-3118

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-iosxr-cdp-rce

Trust: 2.6

url: http://packetstormsecurity.com/files/156203/cisco-discovery-protocol-cdp-remote-device-takeover.html

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-3118

Trust: 1.5

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-nxos-cdp-rce

Trust: 1.4

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos

Trust: 1.4

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-voip-phones-rce-dos

Trust: 1.4

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-ipcameras-rce-dos

Trust: 1.4

url: https://www.cisco.com/en/us/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

Trust: 0.8

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3118

Trust: 0.8

url: http://www.nsfocus.net/vulndb/45786

Trust: 0.6

url: https://vigilance.fr/vulnerability/cisco-ios-xr-memory-corruption-via-cisco-discovery-protocol-format-string-31524

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.0424.9/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.0424.7/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.0424.6/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.0424.5/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.0424.3/

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url: https://github.com/live-hack-cve/cve-2020-3118

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://threatpost.com/unpatched-iot-ot-devices-threaten-critical-infrastructure/162275/

Trust: 0.1

url: https://www.kb.cert.org/vuls/id/261385

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-3110

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-3111

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-3120

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-3119

Trust: 0.1

sources: CERT/CC: VU#261385 // VULHUB: VHN-181243 // VULMON: CVE-2020-3118 // JVNDB: JVNDB-2020-001755 // PACKETSTORM: 156203 // CNNVD: CNNVD-202002-131 // NVD: CVE-2020-3118

CREDITS

Thanks to Ben Seri of Armis Security for reporting this vulnerability. This document was written by Madison Oliver.

Trust: 0.8

sources: CERT/CC: VU#261385

SOURCES

db: CERT/CC, id: VU#261385
db: VULHUB, id: VHN-181243
db: VULMON, id: CVE-2020-3118
db: JVNDB, id: JVNDB-2020-001755
db: PACKETSTORM, id: 156203
db: CNNVD, id: CNNVD-202002-131
db: NVD, id: CVE-2020-3118

LAST UPDATE DATE

2024-08-14T13:24:57.754000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#261385, date: 2020-07-08T00:00:00
db: VULHUB, id: VHN-181243, date: 2022-12-23T00:00:00
db: VULMON, id: CVE-2020-3118, date: 2022-12-23T00:00:00
db: JVNDB, id: JVNDB-2020-001755, date: 2020-02-26T00:00:00
db: CNNVD, id: CNNVD-202002-131, date: 2022-09-21T00:00:00
db: NVD, id: CVE-2020-3118, date: 2022-12-23T16:59:18.010

SOURCES RELEASE DATE

db: CERT/CC, id: VU#261385, date: 2020-02-05T00:00:00
db: VULHUB, id: VHN-181243, date: 2020-02-05T00:00:00
db: VULMON, id: CVE-2020-3118, date: 2020-02-05T00:00:00
db: JVNDB, id: JVNDB-2020-001755, date: 2020-02-26T00:00:00
db: PACKETSTORM, id: 156203, date: 2020-02-05T17:05:56
db: CNNVD, id: CNNVD-202002-131, date: 2020-02-05T00:00:00
db: NVD, id: CVE-2020-3118, date: 2020-02-05T18:15:10.907