No CDP run!
You do have a fully documented network, don't you?
I know, a little flippant..
Enterprise networking giant Cisco is expected to release a set of software fixes on Wednesday to address five critical vulnerabilities in devices that rely on the Cisco Discovery Protocol, known to its friends as CDP. CDP is a proprietary Layer 2 data link protocol for gathering information about networked devices. It's …
It’s all in someone’s head.
Bob knows how to get from this segment to that via the outside interface of that internal ASA, done because some idiot promised it could be done despite the environment being engineered for traffic to flow the other way. Not documented because it's a bodge that shouldn't be repeated but is currently passing critical production traffic.
This is really Cisco showing its age. Back in the beforetimes it was easy to craft a DIY protocol for some "it seemed like a good idea at the time" purpose. (Exhibit 'A' for me would be the L2 packets Intel used to power on dormant computers -- it's one of those 1990s ideas that seem really useful until it isn't the 1990s any more.) I think people learned not to do that because it became a bit of a maintenance millstone.
The actual problem seems quite prosaic -- if you can access a device on the physical network that you can control, then you can craft arbitrary packets to imitate any protocol. That's hardly earth-shattering news. You'd target smaller embedded devices because they often have well-known security SNAFUs you can exploit, and once in, it's easy to program the hardware to do anything you want.
Interesting that IOS & IOS-XE aren't vulnerable according to the CVE, which means it's not actually the protocol but the software implementation of it on other platforms. NX-OS, IOS XR & FC-OS are all Linux-based, whereas IOS is BSD-based and IOS-XE is Linux-based, running IOS as a process called "IOSd".
If you read the advisories, it turns out it is different TLV fields in different products. So not a protocol issue, just one parsing long messages, and probably missed size checks when copying fields across into structures. Likely to be different code bases for each product which is why these are all different.
CVE-2020-3110 heap overflow in the parsing of DeviceID type-length-value (TLV)
CVE-2020-3111 stack overflow in the parsing of PortID type-length-value (TLV)
CVE-2020-3118 improper validation of string input from certain fields within a CDP message that could lead to a stack overflow
CVE-2020-3119 stack buffer overflow and arbitrary write in the parsing of Power over Ethernet (PoE) type-length-value
CVE-2020-3120 resource exhaustion DoS
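The "missed size checks when copying fields across into structures" point made above, as an added illustration: this is not Cisco's code and says nothing about how any Cisco platform actually parses CDP. It walks the real CDP TLV layout (a 4-byte header, then TLVs with a 2-byte type and a 2-byte length that includes the 4-byte TLV header; Device ID is type 0x0001, Port ID is 0x0003) into a hypothetical fixed-size neighbour record, once trusting the wire length and once checking it against the destination field. The 16-byte record fields, the frame builder and the sample names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real CDP wire constants: 4-byte header (version, TTL, checksum), then TLVs
 * whose 2-byte length covers the 4-byte type/length header plus the value. */
#define CDP_HDR_LEN       4
#define TLV_HDR_LEN       4
#define CDP_TLV_DEVICE_ID 0x0001
#define CDP_TLV_PORT_ID   0x0003

/* Hypothetical neighbour record; the 16-byte fields are an assumption for the demo. */
struct cdp_neighbor {
    char device_id[16];
    char port_id[16];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable form: every TLV is kept inside the packet, and a zero length can't
 * loop forever, but the value length from the wire is never compared with the
 * destination field. A Device ID value longer than 16 bytes overruns device_id
 * (on the stack or heap, depending on where the record lives). Trusted input only. */
int cdp_parse_vulnerable(const uint8_t *pkt, size_t len, struct cdp_neighbor *out)
{
    memset(out, 0, sizeof *out);
    if (len < CDP_HDR_LEN) return -1;
    size_t off = CDP_HDR_LEN;
    while (off + TLV_HDR_LEN <= len) {
        uint16_t type = rd16(pkt + off);
        uint16_t tlen = rd16(pkt + off + 2);
        if (tlen < TLV_HDR_LEN || tlen > len - off) return -1;
        size_t vlen = tlen - TLV_HDR_LEN;
        const uint8_t *val = pkt + off + TLV_HDR_LEN;
        if (type == CDP_TLV_DEVICE_ID) memcpy(out->device_id, val, vlen); /* BUG: no size check */
        else if (type == CDP_TLV_PORT_ID) memcpy(out->port_id, val, vlen); /* BUG: no size check */
        off += tlen;
    }
    return 0;
}

/* Hardened copy: reject (rather than silently truncate) a value that will not fit
 * with its terminator, so a malformed neighbour never produces a half-written record. */
static int copy_field(char *dst, size_t dstsz, const uint8_t *val, size_t vlen)
{
    if (vlen >= dstsz) return -1;
    memcpy(dst, val, vlen);
    dst[vlen] = '\0';
    return 0;
}

int cdp_parse_hardened(const uint8_t *pkt, size_t len, struct cdp_neighbor *out)
{
    memset(out, 0, sizeof *out);
    if (len < CDP_HDR_LEN) return -1;
    size_t off = CDP_HDR_LEN;
    while (off + TLV_HDR_LEN <= len) {
        uint16_t type = rd16(pkt + off);
        uint16_t tlen = rd16(pkt + off + 2);
        if (tlen < TLV_HDR_LEN || tlen > len - off) return -1;
        size_t vlen = tlen - TLV_HDR_LEN;
        const uint8_t *val = pkt + off + TLV_HDR_LEN;
        int rc = 0;
        if (type == CDP_TLV_DEVICE_ID) rc = copy_field(out->device_id, sizeof out->device_id, val, vlen);
        else if (type == CDP_TLV_PORT_ID) rc = copy_field(out->port_id, sizeof out->port_id, val, vlen);
        if (rc) return -1;
        off += tlen;
    }
    return 0;
}

/* Constructed frame builder for the demo: writes one TLV and returns its total length. */
static size_t put_tlv(uint8_t *p, uint16_t type, const char *v, size_t vlen)
{
    uint16_t tlen = (uint16_t)(TLV_HDR_LEN + vlen);
    p[0] = (uint8_t)(type >> 8); p[1] = (uint8_t)type;
    p[2] = (uint8_t)(tlen >> 8); p[3] = (uint8_t)tlen;
    memcpy(p + TLV_HDR_LEN, v, vlen);
    return tlen;
}

/* Builds header + Device ID TLV + Port ID TLV; checksum is left at zero for the demo. */
size_t cdp_build(uint8_t *buf, size_t bufsz, const char *dev, const char *port)
{
    size_t dl = strlen(dev), pl = strlen(port);
    if (CDP_HDR_LEN + 2 * TLV_HDR_LEN + dl + pl > bufsz || dl > 0xFF00 || pl > 0xFF00) return 0;
    buf[0] = 2; buf[1] = 180; buf[2] = 0; buf[3] = 0;   /* version 2, TTL 180 s, checksum 0 */
    size_t off = CDP_HDR_LEN;
    off += put_tlv(buf + off, CDP_TLV_DEVICE_ID, dev, dl);
    off += put_tlv(buf + off, CDP_TLV_PORT_ID, port, pl);
    return off;
}

int main(void)
{
    uint8_t buf[256];
    struct cdp_neighbor n;
    size_t len = cdp_build(buf, sizeof buf, "core-sw1", "Gi0/1");
    printf("benign: hardened rc=%d device=%s port=%s\n", cdp_parse_hardened(buf, len, &n), n.device_id, n.port_id);
    len = cdp_build(buf, sizeof buf, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "Gi0/1");
    printf("40-byte Device ID: hardened rc=%d (vulnerable form would overrun)\n", cdp_parse_hardened(buf, len, &n));
    return 0;
}
```

The two parsers differ only in copy_field: the vulnerable one already bounds each TLV to the packet and rejects a zero length, which is why it looks safe on a quick read. The check that matters is the one against sizeof the destination, which is exactly the check the comment above suspects was missed.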