Threat Watch

Advanced Attackers Targeting Cisco Discovery Protocol Vulnerability

An advisory published by the US National Security Agency (NSA) on October 20th warns that attackers continue to exploit many high-profile vulnerabilities, including the Pulse Secure VPN, Citrix ADC, and F5 BIG-IP flaws. The warning should be no surprise to anyone in the information security field by now. The advisory also notes that attackers are now making use of CVE-2020-3118, one of the five vulnerabilities in the Cisco Discovery Protocol (CDP) for which a patch is available. At the same time the NSA published the advisory, Cisco updated its customer guidance to indicate that attackers are known to exploit this vulnerability in the wild, and urged its customers to install the patch. To attempt to exploit this vulnerability, an attacker would first need control of a system on the internal network, in the same broadcast domain as the affected Cisco product. The NSA states that the threat group actively exploiting this vulnerability is from China, but does not provide further details identifying which group it has observed.

ANALYST NOTES

Regardless of which threat group is making use of the Cisco vulnerability, this news should raise the priority for IT professionals to schedule patching of Cisco products. It is also worth reviewing the advisory and checking that none of the other products with listed vulnerabilities are still unpatched. Systems that face the Internet and accept incoming connections, including VPN and load-balancing systems, are especially at risk when they are not patched promptly after vulnerabilities are disclosed.

For more information, see: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
and https://www.securityweek.com/chinese-hackers-target-cisco-discovery-protocol-vulnerability