CVE-2020-3118 Overview
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability stems from improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious CDP packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, enabling arbitrary code execution with administrative privileges on the affected device.
Critical Impact
This vulnerability allows unauthenticated attackers within the same broadcast domain (Layer 2 adjacent) to achieve full administrative code execution or cause device reloads, potentially disrupting critical network infrastructure. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating confirmed exploitation in the wild.
Affected Products
- Cisco IOS XR Software (versions 5.2.5, 6.4.2, 6.5.3, 6.6.25, 7.0.1 and related versions)
- Cisco ASR 9000 Series (including ASR 9000, 9000V, 9001, 9006, 9010, 9901, 9903, 9904, 9906, 9910, 9912, 9920, 9922)
- Cisco NCS 540 Series (including NCS 540-12Z20G-SYS-A/D, 540-24Z8Q2C-SYS, 540-28Z4C-SYS-A/D, 540-ACC-SYS, 540L)
- Cisco NCS 540X Series (including NCS 540X-12Z16G-SYS-A/D, 540X-16Z4G8Q2C-A/D, 540X-ACC-SYS)
- Cisco NCS 5500 Series (including NCS 5501, 5501-SE, 5502, 5502-SE, 5508, 5516)
- Cisco NCS 560 and NCS 6000 Series (including NCS 6008)
- Cisco XRv 9000 and CRS-X
Discovery Timeline
- 2020-02-05 - CVE-2020-3118 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2020-3118
Vulnerability Analysis
This vulnerability affects the Cisco Discovery Protocol implementation in IOS XR Software, enabling an adjacent attacker to achieve code execution through a stack overflow condition. Cisco Discovery Protocol is a Layer 2 protocol used for device discovery and neighbor identification in Cisco network environments. The vulnerability arises when the CDP parsing routines process specially crafted protocol messages containing malformed string data.
The attack requires the adversary to be positioned within the same broadcast domain as the target device, meaning they must have Layer 2 adjacency. This constraint limits remote exploitation over the internet but makes the vulnerability particularly dangerous in compromised network segments or environments with insider threats. Once exploitation is successful, the attacker gains administrative-level code execution privileges on the affected device.
The vulnerability has been classified under CWE-134 (Use of Externally-Controlled Format String) and CWE-787 (Out-of-bounds Write), reflecting both the format string manipulation vector and the memory corruption outcome.
Root Cause
The root cause of this vulnerability is improper validation of string input from certain fields within CDP messages. The CDP parsing code fails to adequately validate the length and content of string data before copying it to stack-based buffers. This insufficient input validation allows an attacker to supply oversized or specially crafted strings that overflow the allocated buffer space on the stack.
When the overflow occurs, the attacker can overwrite critical stack data including return addresses and function pointers. By carefully constructing the malicious CDP packet payload, an attacker can redirect program execution to attacker-controlled code, achieving arbitrary code execution with the privileges of the CDP processing daemon.
Attack Vector
The attack is carried out by transmitting malicious Cisco Discovery Protocol packets to vulnerable devices. CDP operates at Layer 2, meaning packets are not routed and exploitation requires the attacker to be within the same broadcast domain as the target. The attack does not require authentication or user interaction, making it particularly dangerous in shared network environments.
Attack scenarios include:
- An attacker with physical access to the network connecting a rogue device to send malicious CDP frames
- A compromised endpoint within the network being used to transmit crafted CDP packets
- An attacker leveraging VLAN hopping or other Layer 2 attacks to reach the target broadcast domain
The exploitation can result in either arbitrary code execution with administrative privileges or a device reload causing denial of service. Given the critical nature of the affected devices (ASR, NCS routers), successful exploitation could have significant impact on network availability and security.
For detailed technical information on the exploitation mechanism, refer to the Packet Storm Exploit Report.
Detection Methods for CVE-2020-3118
Indicators of Compromise
- Unusual or unexpected CDP packets with abnormally long field values observed on network interfaces
- Device reloads or crashes without apparent cause, particularly on CDP-enabled interfaces
- Unexpected processes or administrative sessions on affected Cisco IOS XR devices
- Anomalous memory consumption or stack-related errors in device logs
Detection Strategies
- Deploy network intrusion detection systems (NIDS) with signatures for malformed CDP packets
- Monitor for CDP frames with field lengths exceeding normal specifications
- Implement packet capture on critical network segments to identify suspicious Layer 2 traffic
- Review device crash logs and core dumps for evidence of stack overflow conditions
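The length and content checks the root-cause section says the vulnerable parser lacked, written as a defender-side CDP TLV validator of the kind the detection strategies above would run over captured frames. This is an added example, not code from this page or from Cisco; the TLV type codes follow the documented CDP v2 wire format, while MAX_STRING_LEN, the Finding class and the sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# CDP TLV types carrying a free-form string (the fields the advisory describes).
STRING_TLVS = {0x0001: "Device ID", 0x0003: "Port ID",
               0x0005: "Software Version", 0x0006: "Platform"}
MAX_STRING_LEN = 64  # hypothetical alert ceiling; tune to your own neighbour data

@dataclass
class Finding:
    tlv_type: int
    reason: str

def parse_tlvs(cdp: bytes) -> list[Finding]:
    """Walk the TLVs after the 4-byte CDP header (version, TTL, checksum); return
    one Finding per property that a well-formed neighbour frame never has."""
    findings: list[Finding] = []
    if len(cdp) < 4:
        return [Finding(0, "frame shorter than CDP header")]
    off = 4
    while off < len(cdp):
        if len(cdp) - off < 4:
            findings.append(Finding(0, "trailing bytes shorter than a TLV header"))
            break
        tlv_type, length = struct.unpack_from(">HH", cdp, off)
        if length < 4 or off + length > len(cdp):
            # Declared length exceeds the bytes on the wire: what an unbounded copy would trust.
            findings.append(Finding(tlv_type, f"TLV length {length} inconsistent with frame"))
            break
        value = cdp[off + 4:off + length]
        if tlv_type in STRING_TLVS:
            name = STRING_TLVS[tlv_type]
            if len(value) > MAX_STRING_LEN:
                findings.append(Finding(tlv_type, f"{name} string is {len(value)} bytes"))
            if b"%" in value:  # format characters never belong in a device/port name (CWE-134)
                findings.append(Finding(tlv_type, f"{name} contains '%' format characters"))
        off += length
    return findings

def build_tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack(">HH", tlv_type, 4 + len(value)) + value

def build_frame(tlvs: list[bytes]) -> bytes:
    return b"\x02\xb4\x00\x00" + b"".join(tlvs)  # v2, TTL 180, checksum zeroed (constructed)

# Constructed sample frames: one benign neighbour and three that should alert.
BENIGN = build_frame([build_tlv(1, b"core-rtr-1"), build_tlv(3, b"Gi0/0/0/0"), build_tlv(6, b"cisco ASR9K")])
OVERSIZED = build_frame([build_tlv(1, b"A" * 300), build_tlv(3, b"Gi0/0/0/0")])
FORMAT_CHARS = build_frame([build_tlv(1, b"rtr-%s-%x"), build_tlv(3, b"Gi0/0/0/0")])
TRUNCATED = b"\x02\xb4\x00\x00" + struct.pack(">HH", 1, 400) + b"short"
```

Feed parse_tlvs the CDP payload that follows the LLC/SNAP header of each captured frame; any non-empty result is a candidate for the SIEM alerting described below.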
Monitoring Recommendations
- Enable CDP packet logging and inspection on network monitoring infrastructure
- Configure SIEM rules to alert on device crashes or unexpected reloads of affected Cisco platforms
- Monitor CDP neighbor tables for unexpected or unauthorized device entries
- Implement network segmentation monitoring to detect potential Layer 2 attack vectors
How to Mitigate CVE-2020-3118
Immediate Actions Required
- Apply Cisco security patches to all affected IOS XR Software installations immediately
- Disable CDP on interfaces where it is not required to reduce attack surface
- Implement Layer 2 network segmentation to limit broadcast domain exposure
- Monitor the CISA Known Exploited Vulnerabilities Catalog for updated guidance
Patch Information
Cisco has released software updates that address this vulnerability. Organizations should consult the Cisco Security Advisory for specific fixed software versions applicable to their deployment. The advisory provides detailed version information and upgrade guidance for all affected platforms.
Workarounds
- Disable Cisco Discovery Protocol globally or on specific interfaces where it is not operationally required
- Implement access control lists (ACLs) at Layer 2 to restrict which devices can participate in CDP exchanges
- Use network access control (NAC) solutions to prevent unauthorized devices from connecting to the network
- Deploy 802.1X port-based authentication to verify device identity before granting network access
# Disable CDP on a specific interface (IOS XR)
configure
interface GigabitEthernet0/0/0/0
 no cdp
commit
# Disable CDP globally (IOS XR)
configure
no cdp
commit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.