Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-3118 |
CWE-ID | CWE-134 |
Exploitation vector | Local network |
Public exploit | Vulnerability #1 is being exploited in the wild. |
Vulnerable software |
Cisco ASR 9000 Series Aggregation Services Routers | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco IOS XRv 9000 Router | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco Network Convergence System 5000 Series | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Network Convergence System 5500 Series | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco Network Convergence System 540 Series Routers | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco Network Convergence System 560 Series Routers | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco Network Convergence System 6000 Series Routers | Hardware solutions / Routers & switches, VoIP, GSM, etc |
Cisco Carrier Routing System | Hardware solutions / Firmware |
Cisco Network Convergence System 1000 Series | Hardware solutions / Firmware |
Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one low-risk vulnerability.
EUVDB-ID: #VU25028
Risk: Low
CVSSv4.0: 8.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]
CVE-ID: CVE-2020-3118
CWE-ID: CWE-134 - Use of Externally-Controlled Format String
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper validation of string input from certain fields in the Cisco Discovery Protocol implementation for Cisco IOS XR Software. A remote attacker on the local network can supply specially crafted input containing format string specifiers, cause a stack overflow, and execute arbitrary code with administrative privileges on an affected device.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
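As an added example (not part of the advisory and not Cisco's code), a defender-side check that walks the TLVs of a CDP payload and flags text fields containing printf-style conversion specifiers. The set of TLV types inspected and the sample payloads are assumptions, since the advisory does not name the affected fields.

```python
import re
import struct

# CDP TLV types that carry free-form text. Which fields the flaw involves is
# not stated in the advisory; inspecting all of these is an assumption.
TEXT_TLVS = {0x0001: "Device ID", 0x0003: "Port ID",
             0x0005: "Software Version", 0x0006: "Platform"}
# % [n$] flags width .precision length conversion
FMT_SPEC = re.compile(
    rb"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfgGaAcspn]")

def iter_tlvs(cdp: bytes):
    """Yield (type, value) for each TLV; raise ValueError on malformed lengths."""
    if len(cdp) < 4:
        raise ValueError("truncated CDP header")
    off = 4  # skip version (1), TTL (1), checksum (2)
    while off < len(cdp):
        if len(cdp) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("!HH", cdp, off)
        # The length field covers the 4-byte TLV header as well as the value.
        if tlv_len < 4 or off + tlv_len > len(cdp):
            raise ValueError(f"bad TLV length {tlv_len} at offset {off}")
        yield tlv_type, cdp[off + 4:off + tlv_len]
        off += tlv_len

def suspicious_fields(cdp: bytes):
    """Return [(field name, first specifier found)] for text TLVs."""
    hits = []
    for tlv_type, value in iter_tlvs(cdp):
        name = TEXT_TLVS.get(tlv_type)
        if name is None:
            continue
        # "%%" is a literal percent sign in printf, so drop it before matching.
        match = FMT_SPEC.search(value.replace(b"%%", b""))
        if match:
            hits.append((name, match.group().decode("ascii")))
    return hits

def tlv(tlv_type: int, value: bytes) -> bytes:
    """Helper used only to build the constructed samples below."""
    return struct.pack("!HH", tlv_type, len(value) + 4) + value

# Constructed sample payloads (checksum zeroed; not captured traffic).
HEADER = bytes([2, 180, 0, 0])
BENIGN = HEADER + tlv(1, b"edge-rtr-01.example.net") + tlv(3, b"GigabitEthernet0/0/0/1")
FLAGGED = HEADER + tlv(1, b"lab%sdevice") + tlv(6, b"cisco ASR9K 100%%")
```

The check is deliberately conservative: a legitimate name containing a percent sign followed by a conversion letter is also reported, and malformed TLV lengths raise an error so they can be logged separately.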
Mitigation
Install updates from the vendor's website.
Cisco IOS XR Software Release | First Fixed Release for This Vulnerability |
---|---|
Earlier than 6.6 | Appropriate SMU |
6.6 | 6.6.3 or appropriate SMU |
7.0 | 7.0.2 (Mar 2020) or appropriate SMU |
7.1 | Not vulnerable |
Cisco IOS XR Software Release | Platform | SMU Name |
---|---|---|
5.2.5 | NCS6K | ncs6k-5.2.5.CSCvr78185 |
6.4.2 | ASR9K-PX | asr9k-px-6.4.2.CSCvr78185 |
6.4.2 | CRS-PX | hfr-px-6.4.2.CSCvr78185 |
6.5.3 | ASR9K-PX | asr9k-px-6.5.3.CSCvr78185 |
6.5.3 | ASR9K-X64 | asr9k-x64-6.5.3.CSCvr78185 |
6.5.3 | NCS540 | ncs540-6.5.3.CSCvr78185 |
6.5.3 | NCS5K | ncs5k-6.5.3.CSCvr78185 |
6.5.3 | NCS5500 | ncs5500-6.5.3.CSCvr78185 |
6.5.3 | XRV9K | xrv9k-6.5.3.CSCvr78185 |
6.6.12 | White box | iosxrwbd-6.6.12.CSCvr78185 |
6.6.25 | NCS560 | ncs560-6.6.25.CSCvr78185 |
7.0.1 | NCS540L | ncs540l-7.0.1.CSCvr78185 |
Cisco ASR 9000 Series Aggregation Services Routers: - - 7.0
Cisco Carrier Routing System: - - 7.0
Cisco IOS XRv 9000 Router: - - 7.0
Cisco Network Convergence System 5000 Series: - - 7.0
Network Convergence System 5500 Series: - - 7.0
Cisco Network Convergence System 1000 Series: - - 6.6
Cisco Network Convergence System 540 Series Routers: - - 7.0
Cisco Network Convergence System 560 Series Routers: - - 7.0
Cisco Network Convergence System 6000 Series Routers: - - 7.0
https://packetstormsecurity.com/files/156203/Cisco-Discovery-Protocol-CDP-Remote-Device-Takeover.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.