Advisory firms and broker/dealers that run equipment from Cisco Systems need to be aware of several recently announced vulnerabilities in the company’s lines of enterprise networking products that include network switches, desk phones and web cameras.
As reported by Wired magazine, and posted at the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, the flaws put millions of workplace devices at risk. These software flaws were first reported to Cisco by enterprise security firm Armis in August and both firms have worked toward fixes and patches since.
If your security consultant or service has not already contacted you, get in touch with them immediately, as most of these vulnerabilities require manual patching and cannot be fixed with an automated download.
Specifically, the software flaws have been found in the Cisco Discovery Protocol (CDP), which could allow remote attackers to completely take over devices without any user interaction. CDP is intended to let a company’s network administrator detect and monitor Cisco devices, and not all admins use it.
“My first reaction [to news of the vulnerabilities] is that I always turned off CDP,” said Matt Sarrel, CISSP, a security industry analyst and security practitioner. He explained that this was nothing against Cisco but rather his preferred method of network management.
Sarrel, who is executive director of Sarrel Group, his own security testing and evaluation consultancy based in San Francisco, said the customers who are really at risk are those who rely on CDP management to secure, rather than merely manage, their networks.
“If at any point you learn that your network was configured to rely solely on network segmentation via CDP for security, then you need to fire your consultant immediately because this demonstrates a fundamental shortfall in his knowledge,” he said.
Ideally, according to Sarrel, no one is exposing [network] management interfaces to the Internet, meaning an attacker would have to be inside the network to take advantage of the discovered vulnerabilities.
Even so, it is better to be safe than sorry: if you use Cisco equipment, make sure your in-house security personnel or external security consultant or service (whoever your firm relies on for network and cybersecurity) is aware of the vulnerabilities and is reviewing your systems.
“These are some pretty serious security flaws that, if compromised, could result in an attacker traversing a network at will with malicious intent,” Sarrel said.
He noted that CDP attack toolkits are already out and available for those with malicious intent.
“Cisco equipment is everywhere, so it's a pretty ripe target,” he said, urging those with equipment to not leave this unaddressed.
Sarrel recommended the following course of action, both to address the Cisco vulnerabilities specifically and to improve overall network protection:
- Address this vulnerability with a network vulnerability assessment (checking whether you are even running or routing CDP) and by manually applying patches.
- Follow network security best practices of defense-in-depth, where multiple layers of security controls combine to keep you safe.
- Isolate network management traffic and protocols from your active data network.
- Regularly audit network security configurations and perform vulnerability assessments.
- Regularly patch all networked devices. Every unpatched network device can become a launch point for an attack.
- Verify that business partners have patched their Cisco devices so they can't be used to attack your network.
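The first step above, checking whether CDP is even running, can be done offline against a saved running-config. The following is an added example, not code from the article or from Sarrel; it assumes Cisco IOS-style syntax (CDP is on globally unless `no cdp run` appears, and on per interface unless that interface carries `no cdp enable`) and uses a constructed sample config.

```python
import re

# Constructed sample of a Cisco IOS-style running-config (not a real device).
SAMPLE_CONFIG = """\
hostname branch-sw01
!
interface GigabitEthernet0/1
 description uplink to core (management VLAN)
 switchport mode trunk
!
interface GigabitEthernet0/2
 description user-facing access port
 switchport access vlan 20
 no cdp enable
!
interface GigabitEthernet0/3
 description conference room phone
 switchport access vlan 30
!
"""


def cdp_audit(config: str) -> dict:
    """Report which interfaces still speak CDP in an IOS-style config.

    IOS runs CDP globally unless 'no cdp run' is present, and each interface
    has CDP enabled unless its block contains 'no cdp enable'. Interfaces that
    are silent about CDP are therefore counted as enabled.
    """
    global_enabled = not re.search(r"^no cdp run\s*$", config, re.M)
    enabled, disabled = [], []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            enabled.append(current)  # CDP is on by default for a new block
        elif line.startswith("!"):
            current = None  # end of the interface block
        elif current and line.strip() == "no cdp enable":
            if current in enabled:
                enabled.remove(current)
                disabled.append(current)
    return {
        "global_cdp": global_enabled,
        # With 'no cdp run' the per-interface setting no longer matters.
        "cdp_interfaces": enabled if global_enabled else [],
        "cdp_disabled_interfaces": disabled,
    }
```

Any interface listed under `cdp_interfaces` that faces users, phones or partner links is one to review against the vendor advisory before patching.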
See the Armis and CERT links above for lists of potentially affected Cisco equipment.