CVE-2020-3120 Overview
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for Cisco FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to a missing check when the affected software processes Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device, causing system memory exhaustion and triggering a device reload.
Critical Impact
Successful exploitation allows an adjacent attacker to cause network infrastructure devices to reload, disrupting network connectivity and potentially affecting all dependent services and systems.
Affected Products
- Cisco Firepower Extensible Operating System (FXOS)
- Cisco IOS XR Software (versions 5.2.5, 6.4.2, 6.5.3, 6.6.25, 7.0.1)
- Cisco NX-OS Software
- Cisco Firepower 4100 and 9300 Series Appliances
- Cisco ASR 9000 Series Aggregation Services Routers
- Cisco NCS 540, 560, 5500, and 6000 Series Routers
- Cisco Nexus 1000v, 3000, 5000, 7000, and 9000 Series Switches
- Cisco MDS 9000 Series Multilayer Switches
- Cisco UCS Fabric Interconnects (6200, 6300, and 6400 Series)
Discovery Timeline
- February 5, 2020 - CVE-2020-3120 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-3120
Vulnerability Analysis
This vulnerability affects the Cisco Discovery Protocol implementation across multiple Cisco operating systems. CDP is a Layer 2 protocol used by Cisco devices to share information with directly connected Cisco equipment. The flaw allows an unauthenticated attacker positioned in the same broadcast domain (Layer 2 adjacent) to send specially crafted CDP packets that exhaust system memory, leading to a device reload.
The vulnerability exists because the affected software fails to properly validate CDP messages before processing them. When a malicious CDP packet is received, the software does not perform adequate boundary checks, resulting in memory exhaustion. Since CDP operates at Layer 2, the attacker must have direct access to the same network segment as the target device—remote exploitation over the internet is not possible without first compromising an adjacent system.
The impact is significant for enterprise environments where Cisco infrastructure devices serve as critical network backbones. A successful attack could disrupt all network traffic flowing through the affected device until it completes its reload cycle.
Root Cause
The root cause is an Integer Overflow vulnerability (CWE-190) in the CDP message processing code. The affected software lacks proper validation checks when handling certain fields within CDP packets. This missing check allows an attacker to craft malicious CDP messages that cause the device to allocate excessive memory, eventually exhausting available system resources and forcing a reload.
Attack Vector
The attack requires Layer 2 adjacency to the target device—the attacker must be in the same broadcast domain. This can be achieved through:
- Physical access to the network segment where the vulnerable device operates
- Compromising another device on the same VLAN
- Exploiting switch misconfigurations that allow VLAN hopping
Once positioned, the attacker sends crafted CDP packets to the device's Layer 2 interfaces. CDP is enabled by default on most Cisco devices, making many installations potentially vulnerable without explicit configuration changes.
The exploitation mechanism involves sending CDP messages with malformed or oversized field values that trigger integer overflow conditions during memory allocation. The device attempts to allocate memory based on these corrupted values, leading to resource exhaustion and system instability.
Detection Methods for CVE-2020-3120
Indicators of Compromise
- Unexpected device reloads or crashes with memory exhaustion errors in system logs
- High memory utilization on affected devices immediately preceding crashes
- Unusual CDP packet activity or malformed CDP frames captured on network segments
- Core dump files indicating memory allocation failures in CDP processing functions
Detection Strategies
- Monitor syslog messages for memory exhaustion events and unexpected reload notifications on Cisco infrastructure devices
- Implement network traffic analysis to detect anomalous CDP packet patterns or unusually high CDP traffic volumes
- Configure SNMP traps to alert on device reloads and memory threshold violations
- Deploy packet capture capabilities on critical network segments to identify malformed CDP frames
Monitoring Recommendations
- Enable CDP packet logging on network monitoring systems to track message frequency and content
- Set up automated alerting for device availability monitoring with rapid notification of unexpected outages
- Review device crash logs and core dumps for evidence of exploitation attempts
- Implement baseline monitoring of memory utilization on critical Cisco infrastructure devices
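As an added example (not part of this page or of any Cisco tooling), the following Python implements two of the checks the detection and monitoring lists above call for: it walks the CDP TLV structure of captured Ethernet frames and reports inconsistent length fields, and it flags source MACs sending far more CDP than the default one advertisement per 60 seconds. The sample frames are constructed inline; the specific length checks and the rate threshold are assumptions, not Cisco's own validation logic.

```python
import struct
from collections import Counter

# CDP rides on 802.3 + LLC/SNAP: DSAP/SSAP 0xAA, control 0x03, OUI 00:00:0C, PID 0x2000
CDP_SNAP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"
CDP_DST = b"\x01\x00\x0c\xcc\xcc\xcc"  # CDP multicast destination MAC

def parse_cdp_tlvs(frame: bytes):
    """Walk the TLVs of one Ethernet frame carrying CDP.
    Returns (tlvs, problems): tlvs is a list of (type, length, value),
    problems explains why the frame is malformed (empty if it is clean)."""
    if len(frame) < 26:
        return [], ["frame too short for a CDP header"]
    if frame[14:22] != CDP_SNAP:
        return [], ["not a CDP frame"]
    problems, tlvs = [], []
    if frame[22] not in (1, 2):
        problems.append(f"unknown CDP version {frame[22]}")
    body, off = frame[26:], 0  # TLVs follow version, TTL and checksum
    while off < len(body):
        if len(body) - off < 4:
            problems.append(f"truncated TLV header at offset {off}")
            break
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        # The length field counts its own 4-byte header: a value below 4 is
        # self-contradictory, one past the end of the frame is oversized. A
        # parser must reject both before sizing anything from them (assumed check).
        if tlen < 4:
            problems.append(f"TLV 0x{ttype:04x}: length {tlen} < 4")
            break
        if off + tlen > len(body):
            problems.append(f"TLV 0x{ttype:04x}: length {tlen} exceeds frame")
            break
        tlvs.append((ttype, tlen, body[off + 4:off + tlen]))
        off += tlen
    return tlvs, problems

def flag_noisy_sources(frames, threshold):
    """Count CDP frames per source MAC. CDP advertises once per 60 s by default,
    so a source sending many more frames than the capture window allows is suspect."""
    counts = Counter(f[6:12] for f in frames if f[14:22] == CDP_SNAP)
    return {mac.hex(":"): n for mac, n in counts.items() if n > threshold}

def build_cdp_frame(src_mac: bytes, tlvs) -> bytes:
    """Constructed sample frame (version 2, TTL 180, checksum zeroed) for testing."""
    body = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs)
    llc = CDP_SNAP + bytes([2, 180, 0, 0]) + body
    return CDP_DST + src_mac + struct.pack("!H", len(llc)) + llc
```

Feed it frames from a capture on the segment (for example via a pcap reader) and alert on any non-empty problems list or any source returned by flag_noisy_sources.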
How to Mitigate CVE-2020-3120
Immediate Actions Required
- Apply vendor-supplied patches from Cisco for all affected FXOS, IOS XR, and NX-OS devices
- Disable CDP on interfaces where it is not required for network operations
- Implement network segmentation to limit Layer 2 adjacency exposure for critical infrastructure
- Enable 802.1X port-based access control to prevent unauthorized devices from sending CDP traffic
Patch Information
Cisco has released software updates addressing this vulnerability. Organizations should consult the Cisco Security Advisory for specific fixed software versions applicable to their deployments. The advisory provides detailed information on affected versions and corresponding patches for FXOS, IOS XR, and NX-OS platforms.
Additional technical details and exploitation context are available from Packet Storm Security.
Workarounds
- Disable Cisco Discovery Protocol where device discovery is not needed, either globally (no cdp run on IOS-style CLIs) or on specific interfaces (no cdp enable)
- Implement strict VLAN segmentation to limit the broadcast domains accessible from untrusted network segments
- Enable port security features to restrict which devices can connect to switch ports
- Consider using LLDP (Link Layer Discovery Protocol) as an alternative where neighbor discovery functionality is still required, after verifying that the platform's LLDP implementation is not affected
# Disable CDP globally (Cisco IOS CLI syntax; on NX-OS the global command is no cdp enable and the configuration is saved with copy running-config startup-config; IOS XR and FXOS use different syntax, so follow the platform documentation)
configure terminal
no cdp run
exit
write memory
# Disable CDP on specific interface
configure terminal
interface GigabitEthernet0/1
no cdp enable
exit
write memory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

