5 new vulnerabilities expose the ‘backbone’ of an enterprise network to data theft

The flaws in a Cisco protocol show the challenge of keeping one insecure device from being a gateway to another for a hacker.

A protocol that underpins widely used equipment made by telecommunications giant Cisco is vulnerable to multiple data-stealing attacks, researchers warned Wednesday.

The five previously unreported vulnerabilities in implementations of the Cisco protocol — found by Armis Security, a California-based company — show the enduring challenge of keeping one insecure device from being a gateway to another for a hacker.

The zero-day bugs affect the many voice-over-IP phones, routers, and switches at corporations around the world that use the protocol for communications. A hacker with enough skill and motivation to exploit the vulnerabilities could gain access to a company’s network and then, for example, take over the VOIP phones on the network to steal data or eavesdrop on calls.

The routers and switches that are susceptible to the vulnerabilities form “the backbone of [an enterprise] network,” said Ben Seri, Armis’s vice president of research, who wrote a proof-of-concept for an attack on a VOIP phone.


For an attacker, “a switch is a very strong position to be inside the network [because] all the network traffic traverses through” it, Seri added, explaining why he began investigating the issue months ago.

The vulnerabilities, four of which could allow a hacker to deploy their code remotely, are in the Cisco Discovery Protocol (CDP), a popular protocol that allows Cisco devices on the same network to talk to each other. The CDP is a means of separating virtual local area networks within an enterprise. By breaking the protocol, and using a switch as a foothold to other parts of the network, an attacker could gain access to an array of enterprise devices.

“The devices themselves that are there to make sure segmentation works are also embedded devices that might be vulnerable to attacks,” Seri told CyberScoop.

Patches available

Cisco has issued security fixes for all five vulnerabilities and encouraged users to apply them. Neither Cisco nor Armis are aware of any exploitation of the bugs by malicious hackers.


A Cisco spokesperson thanked the Armis researchers for finding the vulnerabilities and advised users to disable the CDP “on all interfaces that are connected to untrusted networks.”

“An attacker must be in the same broadcast domain or subnet as the affected device in order to exploit the vulnerabilities,” the spokesperson said.
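As an added illustration, not code from the article, Cisco or Armis, the Python below turns the two points above into a check a network defender can run over captured frames: CDP is link-local, so once it is disabled on an untrusted interface no CDP frame should ever be seen there, and every TLV length is bounds-checked so a truncated or oversized TLV is reported rather than read past the buffer. The multicast MAC, LLC/SNAP header and TLV layout are CDP's documented encapsulation; the sample frames, interface names and alert policy are constructed for the example, and the CDP checksum is not verified.

```python
import struct
from typing import Optional

# CDP travels in an 802.3 frame to multicast MAC 01:00:0c:cc:cc:cc, with an
# LLC/SNAP header carrying Cisco's OUI 00:00:0c and protocol ID 0x2000.
CDP_DST_MAC = bytes.fromhex("01000ccccccc")
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}

def parse_cdp(frame: bytes) -> Optional[dict]:
    """Parse a CDP frame defensively; returns None if the frame is not CDP.
    Every TLV length is checked against the remaining buffer, so a bad
    length marks the frame 'malformed' instead of overrunning the data."""
    if len(frame) < 26 or frame[:6] != CDP_DST_MAC or frame[14:22] != LLC_SNAP_CDP:
        return None
    body = frame[22:]                        # version(1) ttl(1) checksum(2) TLVs...
    result = {"version": body[0], "ttl": body[1], "tlvs": {}, "malformed": False}
    off = 4
    while off < len(body):
        if off + 4 > len(body):              # not even a whole TLV header left
            result["malformed"] = True
            break
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        if tlen < 4 or off + tlen > len(body):   # length field disagrees with the buffer
            result["malformed"] = True
            break
        value = body[off + 4:off + tlen]
        name = TLV_NAMES.get(ttype, f"type_0x{ttype:04x}")
        result["tlvs"][name] = value.decode("utf-8", "replace") if ttype in TLV_NAMES else value
        off += tlen
    return result

def audit_frame(frame: bytes, interface: str, untrusted_ifaces: set) -> list:
    """Alert on CDP seen on an interface where it should be disabled, and on
    malformed CDP from anywhere (constructed policy for this example)."""
    parsed = parse_cdp(frame)
    if parsed is None:
        return []
    alerts = []
    if interface in untrusted_ifaces:
        alerts.append(f"CDP still enabled on untrusted interface {interface}: "
                      f"neighbor {parsed['tlvs'].get('device_id', '?')}")
    if parsed["malformed"]:
        alerts.append(f"malformed CDP TLV received on {interface}")
    return alerts

def constructed_frame(tlvs) -> bytes:
    """Build a constructed sample CDP frame from (type, value) pairs; checksum left zero."""
    body = bytes([2, 180, 0, 0]) + b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs)
    return CDP_DST_MAC + bytes(6) + struct.pack("!H", 8 + len(body)) + LLC_SNAP_CDP + body
```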

Seri is only the latest researcher to probe the CDP. On Saturday, security consultant Ken Pyle revealed multiple vulnerabilities in Cisco networking switches, at least one of which related to the protocol.

Seri said he plans to examine several other protocols that, like CDP, govern the transfer of data between devices on virtual local area networks.

“In a way, it’s the tip of the iceberg,” Seri said of the research released Wednesday.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.