Sign-up

ID

VAR-202002-0712


CVE

CVE-2020-3118


TITLE

Cisco Discovery Protocol (CDP) enabled devices are vulnerable to denial-of-service and remote code execution

Trust: 0.8

sources: CERT/CC: VU#261385

DESCRIPTION

A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Armis Security found that CDP supported devices are vulnerable to heap overflow in Cisco IP Cameras (CVE-2020-3110), stack overflow in Cisco VoIP devices (CVE-2020-3111), a format string stack overflow vulnerability (CVE-2020-3118), stack overflow and arbitrary write (CVE-2020-3119), and a resource exhaustion denial-of-service vulnerability (CVE-2020-3120) in Cisco NX-OS switches and Cisco IOS XR Routers, among others. CVE-2020-3110Cisco's Video Surveillance 8000 Series IP cameras with CDP enabled are vulnerable to a heap overflow in the parsing of DeviceID type-length-value (TLV). The CVSS score reflected below is in regards to this vulnerability. CVE-2020-3111Cisco Voice over Internet Protocol (VoIP) phones with CDP enabled are vulnerable to a stack overflow in the parsing of PortID type-length-value (TLV).CVE-2020-3118Cisco's CDP subsystem of devices running, or based on, Cisco IOS XR Software are vulnerable to improper validation of string input from certain fields within a CDP message that could lead to a stack overflow.CVE-2020-3119Cisco's CDP subsystem of devices running, or based on, Cisco NX-OS Software is vulnerable to a stack buffer overflow and arbitrary write in the parsing of Power over Ethernet (PoE) type-length-value (TLV).CVE-2020-3120Cisco's CDP subsystem of devices running, or based on, Cisco NX-OS, IOS XR, and FXOS Software are vulnerable to a resource exhaustion denial-of-service condition. It is important to note that for all affected devices, CDP is enabled by default. A complete list of the affected products can be found in the following Cisco advisories:CVE-2020-3110 affected products can be found here.CVE-2020-3111 affected products can be found here.CVE-2020-3118 affected products can be found here.CVE-2020-3119 affected products can be found here.CVE-2020-3120 affected products can be found here. Cisco IOS XR The software contains a vulnerability in format strings.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco IOS XR is an operating system developed by Cisco for its network equipment

Trust: 2.52

sources: NVD: CVE-2020-3118 // CERT/CC: VU#261385 // JVNDB: JVNDB-2020-001755 // VULHUB: VHN-181243 // VULMON: CVE-2020-3118

AFFECTED PRODUCTS

vendor:ciscomodel:ios xrscope:eqversion:6.6.25

Trust: 1.0

vendor:ciscomodel:ios xrscope:ltversion:7.0.2

Trust: 1.0

vendor:ciscomodel:ios xrscope:eqversion:6.4.2

Trust: 1.0

vendor:ciscomodel:ios xrscope:eqversion:7.0.1

Trust: 1.0

vendor:ciscomodel:ios xrscope:gteversion:7.0.0

Trust: 1.0

vendor:ciscomodel:ios xrscope:ltversion:6.6.12

Trust: 1.0

vendor:ciscomodel:ios xrscope:eqversion:5.2.5

Trust: 1.0

vendor:ciscomodel:ios xrscope:eqversion:6.5.3

Trust: 1.0

vendor:ciscomodel:ios xrscope:gteversion:6.6.0

Trust: 1.0

vendor:ciscomodel:ios xrscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-001755 // NVD: CVE-2020-3118

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3118
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3118
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-001755
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202002-131
value: HIGH

Trust: 0.6

VULHUB: VHN-181243
value: HIGH

Trust: 0.1

VULMON: CVE-2020-3118
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3118
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-001755
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181243
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3118
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3118
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-001755
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181243 // VULMON: CVE-2020-3118 // JVNDB: JVNDB-2020-001755 // CNNVD: CNNVD-202002-131 // NVD: CVE-2020-3118 // NVD: CVE-2020-3118

PROBLEMTYPE DATA

problemtype:CWE-134

Trust: 1.8

problemtype:CWE-787

Trust: 1.1

sources: VULHUB: VHN-181243 // JVNDB: JVNDB-2020-001755 // NVD: CVE-2020-3118

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202002-131

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202002-131

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-001755

PATCH
title:cisco-sa-20200205-iosxr-cdp-rceurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
Trust: 0.8
title:Cisco IOS XR Fixes for formatting string error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108697
Trust: 0.6
title:Cisco: Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20200205-iosxr-cdp-rce
Trust: 0.1
title: - url:https://github.com/Live-Hack-CVE/CVE-2020-3118 
Trust: 0.1
title: - url:https://github.com/santosomar/kev_checker 
Trust: 0.1
title:BleepingComputerurl:https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-high-severity-pre-auth-flaws-in-vpn-routers/
Trust: 0.1
title:Threatposturl:https://threatpost.com/unpatched-iot-ot-devices-threaten-critical-infrastructure/162275/
Trust: 0.1
title:Threatposturl:https://threatpost.com/high-severity-cisco-dos-flaw-asr-routers/161115/
Trust: 0.1
title:Threatposturl:https://threatpost.com/cisco-dos-flaws-network-security-software/160414/
Trust: 0.1
title:Threatposturl:https://threatpost.com/critical-cisco-cdpwn-flaws-network-segmentation/152546/
Trust: 0.1
title:BleepingComputerurl:https://www.bleepingcomputer.com/news/security/cisco-warns-of-attacks-targeting-high-severity-router-vulnerability/
Trust: 0.1
sources:
            
            
            VULMON: CVE-2020-3118 // 
            
            
            
            JVNDB: JVNDB-2020-001755 // 
            
            
            
            CNNVD: CNNVD-202002-131

EXTERNAL IDS
db:NVDid:CVE-2020-3118
Trust: 2.7
db:PACKETSTORMid:156203
Trust: 1.9
db:CERT/CCid:VU#261385
Trust: 0.9
db:JVNDBid:JVNDB-2020-001755
Trust: 0.8
db:CNNVDid:CNNVD-202002-131
Trust: 0.7
db:NSFOCUSid:45786
Trust: 0.6
db:AUSCERTid:ESB-2020.0424.9
Trust: 0.6
db:AUSCERTid:ESB-2020.0424.6
Trust: 0.6
db:AUSCERTid:ESB-2020.0424.5
Trust: 0.6
db:AUSCERTid:ESB-2020.0424.7
Trust: 0.6
db:AUSCERTid:ESB-2020.0424.3
Trust: 0.6
db:CNVDid:CNVD-2020-16656
Trust: 0.1
db:VULHUBid:VHN-181243
Trust: 0.1
db:VULMONid:CVE-2020-3118
Trust: 0.1
sources:
            
            
            CERT/CC: VU#261385 // 
            
            
            
            VULHUB: VHN-181243 // 
            
            
            
            VULMON: CVE-2020-3118 // 
            
            
            
            JVNDB: JVNDB-2020-001755 // 
            
            
            
            PACKETSTORM: 156203 // 
            
            
            
            CNNVD: CNNVD-202002-131 // 
            
            
            
            NVD: CVE-2020-3118

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-iosxr-cdp-rce
Trust: 2.6
url:http://packetstormsecurity.com/files/156203/cisco-discovery-protocol-cdp-remote-device-takeover.html
Trust: 1.8
url:https://nvd.nist.gov/vuln/detail/cve-2020-3118
Trust: 1.5
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-nxos-cdp-rce
Trust: 1.4
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
Trust: 1.4
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-voip-phones-rce-dos
Trust: 1.4
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200205-ipcameras-rce-dos
Trust: 1.4
url:https://www.cisco.com/en/us/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3118
Trust: 0.8
url:http://www.nsfocus.net/vulndb/45786
Trust: 0.6
url:https://vigilance.fr/vulnerability/cisco-ios-xr-memory-corruption-via-cisco-discovery-protocol-format-string-31524
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.0424.9/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.0424.7/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.0424.6/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.0424.5/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.0424.3/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/787.html
Trust: 0.1
url:https://github.com/live-hack-cve/cve-2020-3118
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://threatpost.com/unpatched-iot-ot-devices-threaten-critical-infrastructure/162275/
Trust: 0.1
url:https://www.kb.cert.org/vuls/id/261385
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3110
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3111
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3120
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-3119
Trust: 0.1
sources:
            
            
            CERT/CC: VU#261385 // 
            
            
            
            VULHUB: VHN-181243 // 
            
            
            
            VULMON: CVE-2020-3118 // 
            
            
            
            JVNDB: JVNDB-2020-001755 // 
            
            
            
            PACKETSTORM: 156203 // 
            
            
            
            CNNVD: CNNVD-202002-131 // 
            
            
            
            NVD: CVE-2020-3118

CREDITS
Thanks to Ben Seri of Armis Security for reporting this vulnerability.This document was written by Madison Oliver. 
Trust: 0.8
sources:
            
            
            CERT/CC: VU#261385

SOURCES
db:CERT/CCid:VU#261385
db:VULHUBid:VHN-181243
db:VULMONid:CVE-2020-3118
db:JVNDBid:JVNDB-2020-001755
db:PACKETSTORMid:156203
db:CNNVDid:CNNVD-202002-131
db:NVDid:CVE-2020-3118

LAST UPDATE DATE
2024-08-14T13:24:57.754000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#261385date:2020-07-08T00:00:00
db:VULHUBid:VHN-181243date:2022-12-23T00:00:00
db:VULMONid:CVE-2020-3118date:2022-12-23T00:00:00
db:JVNDBid:JVNDB-2020-001755date:2020-02-26T00:00:00
db:CNNVDid:CNNVD-202002-131date:2022-09-21T00:00:00
db:NVDid:CVE-2020-3118date:2022-12-23T16:59:18.010

SOURCES RELEASE DATE
db:CERT/CCid:VU#261385date:2020-02-05T00:00:00
db:VULHUBid:VHN-181243date:2020-02-05T00:00:00
db:VULMONid:CVE-2020-3118date:2020-02-05T00:00:00
db:JVNDBid:JVNDB-2020-001755date:2020-02-26T00:00:00
db:PACKETSTORMid:156203date:2020-02-05T17:05:56
db:CNNVDid:CNNVD-202002-131date:2020-02-05T00:00:00
db:NVDid:CVE-2020-3118date:2020-02-05T18:15:10.907