Cisco Discovery Protocol

Recently, Cisco issued guidance on how to identify and remediate the effects of five Cisco vulnerabilities in the Cisco Discovery Protocol (CDP) implementation on some Cisco NX-OS devices. The vulnerabilities could, in certain situations, enable an attacker to trigger a memory overflow. It could also gain control of a vulnerable device or cause it to shut down or reload.

According to the impacted devices list in Cisco’s vulnerability alert, only certain NX-OS devices are impacted. Additionally, devices that do not have the Cisco Discovery Protocol service enabled are not vulnerable. Not sure if CDP is enabled on your device? Refer to the process just below the impacted devices list located above to check. Be advised that CDP is enabled by default. Devices are vulnerable in environments where the feature has not been explicitly disabled, even if it is not actively used.

Cisco’s recommendation is for customers with service contracts to download a patched version of the NX-OS software from the Cisco Software Center, and for customers without current service contracts to contact the Cisco TAC service desk and provide them with the URL of the Cisco alert as well as the serial number of their impacted device(s). Devices on which the CDP service has been totally disabled are not vulnerable, but they should still be patched.

As always, we are here to offer the support and any answers you need. For more information on the patching process or with any questions about this vulnerability’s impact on your system, please submit a ticket to our support team or contact your ADNET Engagement Manager directly.