CDP Risk Analysis

The most obvious risk associated with CDP is the information leak; that is, an attacker learns a lot by listening to CDP. This attack is purely passive—there is no way to detect this information leak, and it causes no damage to the network. Many sniffing tools have the ability to decode CDP, such as Yersinia1 (shown in Figure 11-2), but there are also generic sniffers, such as Ethereal.

Figure 11-2 CDP Packet Decode by Yersinia

Figure 11-2 CDP Packet Decode by Yersinia

After a maximum of 60 seconds, the attacker discovered four Cisco devices, including a Catalyst 3524, as well as information about VTP and native VLAN. The exact Cisco IOS version is not displayed in the figure, but it appears on another Yersinia screen.

NOTE

For more information on Yersinia, see Chapter 5, "Leveraging DHCP Weaknesses."

This information leak is mostly important to

• Software version and hardware platform. An attacker can potentially identify a specific release with a well-known bug that's ready to be exploited.

• Auxiliary VLAN. An attacker can learn which VLAN is used by IP telephony.

NOTE A common misconception of IP telephony security is the belief that using a separate VLAN for voice and data is the best way to achieve security. CDP absolutely kills this misconception. As soon as an attacker learns the voice VLAN by CDP, it is trivial for him to send and receive IEEE 802.1Q tagged frames with the correct VLAN ID. IP telephony security can be achieved by using secure—that is, cryptographically protected—voice and Layer 2 security features (which this book describes). Using a separate VLAN for voice and data makes network operations much easier (addressing, quality of service [QoS], firewall rules, and so on) and is nevertheless worthwhile.

The other risk associated with CDP occurs when an attacker sends forged CDP packets. This leads to several denial of service (DoS) attacks:

• CDP cache overflow. In some Cisco IOS and CatOS releases (see the exact releases in the Cisco Security Notice2), a software bug can reset the switch when it receives too many CDP packets. This issue is now fixed.

• CDP cache pollution. With recent Cisco IOS and CatOS releases, the switches will not reboot anymore; however, the CDP table becomes unusable because it contains a lot of useless and fake information.

• Power exhaustion. By claiming to be a phone, an attacker can reserve some electrical power, denying other valid devices from receiving power from the switch. It also requires some hardware on the attacker's side to fake the electrical signaling, which is discussed in Chapter 8, "What About Power over Ethernet?"

Example 11-1 shows a CatOS cache polluted by Yersinia. It makes the operator task more complex, and it could be used to hide some new devices among bogus ones.

Example 11-1 CDP Cache Polluted by Yersinia

Switch>

sh cdp neighbors

Port

Device-ID

Port-ID

Platform

2/16

2651e

FastEthernet0/1

cisco 2651

2/21

inet3

FastEthernet0/0

cisco 2651

2/36

r2-7206

Ethernet2/0.1

cisco 7206VXR

2/47

00M55I1

Ethernet0

yersinia

2/47

00N55I1

Ethernet0

yersinia

2/47

00N66I1

Ethernet0

yersinia

NOTE The attack in Example 11-1 can be carried out because no authentication is built into CDP.

Although this lack of authentication opens the door to some attacks, it would be difficult to get a strong authentication mechanism in CDP because CDP is used even by bootstrapping devices, such as an IP phone. Also, as long as a device is not part of the network, it is mostly impossible to check for authentication. (For example, no accurate time information is available.) As the next section shows, IEEE made the same decision when specifying IEEE 802.LAB.

Was this article helpful?

+3 -1

Post a comment