CVE-2020-3120:

Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability

Score
A numerical rating that indicates how dangerous this vulnerability is.

6.5Medium

Published Date:Feb 5, 2020
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.3
EPSS Percentile:55%

Exploitability

Score:2.8
Attack Vector:ADJACENT_NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:3.6
Confidentiality Impact:NONE
Integrity Impact:NONE
Availability Impact:HIGH

Description Preview

Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability

Overview

CVE-2020-3120 is an integer overflow vulnerability (CWE-190) affecting Cisco's Discovery Protocol implementation in multiple Cisco operating systems. This vulnerability allows an attacker who is in the same broadcast domain (Layer 2 adjacent) to send specially crafted CDP packets that can exhaust system memory resources. When successful, the attack causes the affected device to reload, creating a denial of service condition that disrupts network operations. Since CDP is a Layer 2 protocol, the attacker must have direct network access to the vulnerable device, but does not need authentication credentials to exploit the vulnerability.

Remediation

To address this vulnerability, network administrators should:
1. Update affected Cisco devices to the latest software versions as specified in the Cisco Security Advisory.
2. If immediate patching is not possible, consider disabling CDP on interfaces where it is not operationally required, especially on interfaces facing untrusted networks.
3. Implement network segmentation to limit the potential attack surface.
4. Monitor systems for unexpected reloads that might indicate exploitation attempts.
5. Ensure physical security of network equipment to prevent unauthorized adjacent access.