I think we’ve all seen the new CDP “exploit” by now. First, I don’t want to diminish the concern one should have regarding PSIRT notices; however, I urge everyone to apply some deductive logic before jumping to conclusions. In a world where “news outlets” sensationalize their stories to drive clicks, and clicks drive revenue, it is paramount that we, as IT professionals, separate the rhetoric from the facts. Upfront, I do work for Cisco, but the opinions expressed in this blog post are my own and do not represent the position or opinion of Cisco Systems.
You can read the advisory directly on the Cisco website, using this link.
“Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).”
The sentence above is the one you, the data center network engineer, should take notice of. CDP frames are never routed, so an attacker can only reach the affected device from a port or host inside the same Layer 2 segment. Generally speaking, we do not extend Layer 2 broadcast domains from the campus to the data center, so a compromised desktop or a rogue device on a campus access port cannot reach your data center switches over CDP. Think clearly about what “Layer 2 adjacent” means in your environment: it covers anything that can put a frame onto the segment, whether a device someone plugged into a data center switch port or a server or VM that is already compromised and sits in a VLAN the switch participates in. If someone was able to plug something into your data center network, the first question is how they got into your secured data center environment in the first place; if they got there through a compromised server, that compromise is the bigger incident.
Second, in the data center there is rarely a dire need to have CDP enabled. Cisco ACI fabric discovery and bring-up, and VMM integration, use LLDP; so in a modern data center you can disable CDP globally and rely on LLDP. Before you do, confirm that nothing still depends on CDP by checking what the switches currently see as CDP neighbors, and remember that LLDP is also a Layer 2 protocol that advertises similar information to the same set of adjacent devices: this change removes the exposure described in this advisory, it does not make neighbor discovery itself authenticated.
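To make the Layer 2 point concrete, here is an added example (mine, not code from the original post or from Cisco) that classifies raw Ethernet frames as CDP or LLDP from their link-local multicast destination and encapsulation, and parses the TLVs of a CDP frame with bounds checks rather than trusting the advertised lengths. Both protocols sit directly on Ethernet, which is why only a station in the same broadcast domain ever sees or can inject these frames. The frame layouts are the public CDP (802.3 with LLC/SNAP, Cisco OUI 00:00:0c, protocol ID 0x2000) and LLDP (EtherType 0x88cc) encodings; the sample frames, MAC addresses and device names are constructed for the demonstration.

```python
"""Classify link-layer discovery frames (CDP vs LLDP) and parse CDP TLVs.

Added example for this post, not code from the original article or from Cisco.
Frame layouts follow the public CDP (SNAP OUI 00:00:0c, PID 0x2000) and LLDP
(EtherType 0x88cc) encodings; all sample frames below are constructed by hand.
"""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # CDP destination, link-local, never routed
LLDP_MULTICAST = bytes.fromhex("0180c200000e")  # LLDP "nearest bridge" destination
CISCO_OUI = bytes.fromhex("00000c")
CDP_PID = 0x2000
LLDP_ETHERTYPE = 0x88CC

# Well-known CDP TLV types from the protocol
CDP_TLV_DEVICE_ID = 0x0001
CDP_TLV_SW_VERSION = 0x0005
CDP_TLV_PLATFORM = 0x0006


def classify(frame: bytes) -> str:
    """Return 'cdp', 'lldp' or 'other' for a raw Ethernet frame."""
    if len(frame) < 14:
        return "other"
    dst = frame[:6]
    ethertype_or_len = struct.unpack("!H", frame[12:14])[0]
    if ethertype_or_len == LLDP_ETHERTYPE and dst == LLDP_MULTICAST:
        return "lldp"
    # CDP rides in 802.3 + LLC/SNAP: a length field (<= 1500), then AA AA 03, OUI, PID
    if ethertype_or_len <= 1500 and len(frame) >= 22:
        llc, oui = frame[14:17], frame[17:20]
        pid = struct.unpack("!H", frame[20:22])[0]
        if llc == b"\xaa\xaa\x03" and oui == CISCO_OUI and pid == CDP_PID and dst == CDP_MULTICAST:
            return "cdp"
    return "other"


def parse_cdp_tlvs(frame: bytes) -> dict:
    """Parse the TLVs of a CDP frame, rejecting lengths that do not fit the frame."""
    if classify(frame) != "cdp":
        raise ValueError("not a CDP frame")
    payload = frame[22:]  # CDP header: version(1) ttl(1) checksum(2), then TLVs
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    tlvs = {"version": payload[0], "ttl": payload[1]}
    offset = 4
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        # tlv_len includes the 4-byte header; smaller, or running past the frame, is bogus
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError(f"bad TLV length {tlv_len} at offset {offset}")
        value = payload[offset + 4:offset + tlv_len]
        if tlv_type == CDP_TLV_DEVICE_ID:
            tlvs["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_TLV_SW_VERSION:
            tlvs["software_version"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_TLV_PLATFORM:
            tlvs["platform"] = value.decode("ascii", "replace")
        offset += tlv_len
    return tlvs


def is_well_formed_cdp(frame: bytes) -> bool:
    """True if the frame parses as CDP with sane TLV lengths, False otherwise."""
    try:
        parse_cdp_tlvs(frame)
        return True
    except ValueError:
        return False


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac: bytes, tlvs: bytes) -> bytes:
    """Assemble a constructed CDP frame for the demo (checksum left zero; this is sample data)."""
    cdp = struct.pack("!BBH", 2, 180, 0) + tlvs
    snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID)
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(snap) + len(cdp)) + snap + cdp


# Constructed sample frames (hypothetical MAC and device name)
SRC = bytes.fromhex("001122334455")
GOOD_FRAME = build_cdp_frame(SRC, _tlv(CDP_TLV_DEVICE_ID, b"dc-leaf-101") + _tlv(CDP_TLV_PLATFORM, b"N9K"))
# Same frame, but the Device ID TLV claims far more bytes than the frame carries
BAD_FRAME = build_cdp_frame(SRC, struct.pack("!HH", CDP_TLV_DEVICE_ID, 0x0FFF) + b"dc-leaf-101")
# Minimal LLDP frame: EtherType 0x88cc followed by a Chassis ID TLV carrying the MAC
LLDP_FRAME = LLDP_MULTICAST + SRC + struct.pack("!H", LLDP_ETHERTYPE) + b"\x02\x07\x04" + SRC

if __name__ == "__main__":
    print(classify(GOOD_FRAME), parse_cdp_tlvs(GOOD_FRAME))
    print(classify(LLDP_FRAME))
    print("malformed frame accepted:", is_well_formed_cdp(BAD_FRAME))
```

Two things to take from this. The destination of both protocols is a link-local multicast address, so a router never forwards them; whoever can reach the switch with these frames is, by definition, on the same segment. And the parser refuses a TLV whose length runs past the frame instead of trusting it, which is the check any receiver of unauthenticated neighbor frames should make. If you take the author's advice and turn CDP off, the commands are `no cdp run` in IOS global configuration and `no cdp enable` in NX-OS global configuration (ACI handles this through APIC interface policies); `show cdp neighbors` beforehand tells you what, if anything, still depends on it. Those commands are my addition, not quoted from the post.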
Third and finally, think carefully about what an attacker needs in order to carry this out against a data center device: a foothold in the same broadcast domain, either physical access to a switch port or control of a host that already lives on that segment. So before we panic about the exploit itself, ask what such a foothold would mean: someone plugging into your highly secure data center, or someone already controlling a server inside it, is the real emergency, and it is the one to respond to first.
Once again, I do not want to diminish the concerns a PSIRT brings; we should take all precautions to safeguard our networks when these PSIRTs are released. As engineers, we do our part by receiving these notifications, but we’re also human and we read other material from outsiders who cover the technology sector too, and sometimes gain a different perspective from it. That being said, I always urge people to separate the rhetoric from the facts. People often sensationalize headlines for clicks to obtain revenue, even if it means bending the truth a little far; that may not make them wrong, but it shouldn’t create artificial panic if we apply the scientific method to these types of things.