Cisco has disclosed a vulnerability in the Cisco Discovery Protocol (CDP) processing feature of Cisco IP Phone 7800 and 8800 Series firmware. The issue is insufficient input validation of received CDP packets, and it could be exploited to achieve remote code execution or a denial of service condition. Because CDP is a Layer 2 protocol, an attacker needs to be on the same broadcast domain as the phone, but no authentication is involved. Cisco plans to release updates to address the vulnerability. The suggested mitigation in the meantime is to disable CDP on affected IP Phone 7800 and 8800 Series devices.
- So far, no patch has been released. You may only disable CDP if you have LLDP enabled.
- This vulnerability looks pretty serious for Cisco phones. CDP is a well-used protocol that does not require authentication and generally is gratuitously sent on the network. If a CDP packet can lead to a remote code execution, then patch these devices now. I cannot stress this enough, patch now. I still find very vulnerable network devices unpatched on a network, even when it is trivial to exploit, and the vulnerability has been known for over ten years. I cannot stress enough that a CDP packet that can cause RCE is terrible. Once someone is on one of these devices, they can quickly pivot to other parts of the network. If you cannot patch at this time, please make sure that these devices are on their own network and that these networks are firewalled away from the data networks.
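To make "insufficient input validation of received CDP packets" concrete, here is an added example (written for this page; it is not Cisco's firmware code and does not reproduce the specific bug in the advisory). It walks the public CDP frame layout, a 4-byte header (version, TTL, checksum) followed by type/length/value records whose 2-byte length includes the 4-byte TLV header, first the way a careless parser does it, trusting the wire length, and then with the bounds checks a hardened parser needs. The sample frames are constructed inline with a zero checksum; a real frame would arrive in an 802.2 SNAP frame addressed to 01:00:0c:cc:cc:cc and the walker would start after that encapsulation.

```c
/* Added example: CDP TLV walker, unchecked vs. checked. Not Cisco's code.
 * Frame layout follows the public CDP format; sample frames are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDP_HDR_LEN        4       /* version(1) ttl(1) checksum(2) */
#define CDP_TLV_HDR_LEN    4       /* type(2) length(2); length includes these 4 bytes */
#define CDP_TLV_DEVICE_ID  0x0001
#define DEVID_CAP          64

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Insufficient validation: the TLV length comes straight from the wire and is
 * used both to advance the walk and to size the copy. An oversized length
 * copies past devid and reads past the frame; a length below 4 underflows the
 * subtraction; a length of 0 never advances. Never run this on untrusted
 * input; it is here only to show the pattern the advisory describes. */
int cdp_parse_unchecked(const uint8_t *pkt, size_t len, char *devid)
{
    size_t off = CDP_HDR_LEN;
    int n = 0;
    while (off < len) {
        uint16_t type = rd16(pkt + off);
        uint16_t tlen = rd16(pkt + off + 2);
        if (type == CDP_TLV_DEVICE_ID) {
            memcpy(devid, pkt + off + CDP_TLV_HDR_LEN, tlen - CDP_TLV_HDR_LEN);
            devid[tlen - CDP_TLV_HDR_LEN] = '\0';
        }
        off += tlen;
        n++;
    }
    return n;
}

/* Hardened walker: every length is checked against what is really in the
 * buffer before it is used. Returns the TLV count, or -1 for a malformed frame. */
int cdp_parse_checked(const uint8_t *pkt, size_t len, char *devid, size_t devid_cap)
{
    if (len < CDP_HDR_LEN || devid_cap == 0) return -1;
    if (pkt[0] != 1 && pkt[0] != 2) return -1;       /* only CDP v1 and v2 exist */
    devid[0] = '\0';
    size_t off = CDP_HDR_LEN;
    int n = 0;
    while (off < len) {
        if (len - off < CDP_TLV_HDR_LEN) return -1;   /* truncated TLV header */
        uint16_t type = rd16(pkt + off);
        uint16_t tlen = rd16(pkt + off + 2);
        if (tlen < CDP_TLV_HDR_LEN) return -1;        /* would underflow or never advance */
        if (tlen > len - off) return -1;              /* TLV claims more than the frame holds */
        size_t vlen = tlen - CDP_TLV_HDR_LEN;
        if (type == CDP_TLV_DEVICE_ID) {
            if (vlen >= devid_cap) return -1;         /* does not fit, NUL included */
            memcpy(devid, pkt + off + CDP_TLV_HDR_LEN, vlen);
            devid[vlen] = '\0';
        }
        off += tlen;
        n++;
    }
    return n;
}

/* Constructed sample frames (checksum field left zero; not real captures). */
const uint8_t good_frame[] = {
    0x02, 0xb4, 0x00, 0x00,                              /* v2, TTL 180, checksum */
    0x00, 0x01, 0x00, 0x0a, 'p', 'h', 'o', 'n', 'e', '1', /* Device ID, length 10 */
    0x00, 0x04, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10       /* Capabilities, length 8 */
};
const uint8_t oversized_frame[] = {
    0x02, 0xb4, 0x00, 0x00,
    0x00, 0x01, 0x01, 0x00, 'p', 'h', 'o', 'n', 'e', '1'  /* Device ID claims 256 bytes */
};
const uint8_t zero_len_frame[] = {
    0x02, 0xb4, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x00                                /* length 0: unchecked walker spins */
};

char g_devid[DEVID_CAP];

/* Convenience wrapper: parse into the shared buffer, return count or -1. */
int check_frame(const uint8_t *pkt, size_t len)
{
    return cdp_parse_checked(pkt, len, g_devid, sizeof g_devid);
}

int main(void)
{
    int n = check_frame(good_frame, sizeof good_frame);
    printf("good: %d TLVs, device id '%s'\n", n, g_devid);
    printf("oversized: %d\n", check_frame(oversized_frame, sizeof oversized_frame));
    printf("zero-length: %d\n", check_frame(zero_len_frame, sizeof zero_len_frame));
    return 0;
}
```

The checked walker rejects the oversized and zero-length frames before touching any value bytes; the unchecked one would, on the same frames, copy 252 bytes into a 64-byte buffer or loop forever. Those two outcomes are exactly the remote code execution and denial of service the advisory lists, which is why disabling CDP on the phones (or keeping them on a segment no untrusted host can reach at Layer 2) is the right interim control.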
Read more in