CDPwn: Taking Over Millions of Enterprise-Things with Layer 2 Zero-days presented at BlueHatIL 2020

by Ben Sarel

Summary: The attack surface exposed by proprietary layer-2 protocols is rarely explored by the research community, and it contains hidden bugs with severe implications for the security of the devices that use them and of the networks they belong to. We discovered five such zero-day vulnerabilities in a proprietary layer-2 protocol used by a wide variety of enterprise devices. Unfortunately, this protocol is enabled by default on all affected products, and on every port of each product, which widens the potential attack surface.

The first threat posed by the discovered vulnerabilities affects multiple brands of enterprise-grade switches and routers. From an attacker's perspective these network appliances are a valuable asset: they control access to all network segments and sit in a prime position for traffic exfiltration. By leveraging the vulnerabilities, an unauthenticated attacker can gain full control over the network appliance and move laterally between the VLANs it serves, breaking network segmentation completely.

The second attack scenario affects multiple brands of IP phones and IP cameras, of which tens of millions are in use by users and organizations worldwide. An attacker could use the discovered vulnerabilities to take over all phones and cameras in a network simultaneously, by sending a single specially crafted broadcast packet throughout the network. Once in control of these devices, an attacker can listen in on calls and view the video feeds, creating the ultimate spying tool.

In our talk, we will demo both attack scenarios, demonstrating the full implications of pwning an organization's enterprise switch, and the frightening potential a single packet has to take over enterprise-grade phones and cameras.
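The abstract does not name the protocol or describe the bugs, so the following is an added illustration and not code from the talk or from the affected vendors. It assumes, from the "CDPwn" in the title, that the protocol is the Cisco Discovery Protocol, and it uses only CDP's publicly documented on-the-wire layout: an 802.3 frame to the 01:00:0c:cc:cc:cc multicast MAC, an LLC/SNAP header with the Cisco OUI and protocol ID 0x2000, then a 4-byte CDP header (version, TTL, checksum) followed by type-length-value records. The point it makes is the one the abstract makes in prose: every port that accepts such a frame unauthenticated is running a TLV parser on attacker-controlled lengths, so the parser below is written as a strict, bounds-checked consumer that refuses any TLV whose declared length does not fit the frame. The sample frames are constructed inline; the TLV type numbers, hostnames and MACs in them are illustrative, and the checksum is not verified.

```python
"""Defensive CDP frame parser (added example; assumes the documented CDP layout)."""
import struct
from dataclasses import dataclass, field

CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")   # documented CDP destination
SNAP_OUI_CISCO = bytes.fromhex("00000c")
SNAP_PID_CDP = 0x2000
LLC_SNAP_HDR = b"\xaa\xaa\x03" + SNAP_OUI_CISCO + struct.pack("!H", SNAP_PID_CDP)

# Widely documented TLV types; names are for display only.
TLV_NAMES = {0x0001: "Device-ID", 0x0002: "Addresses", 0x0003: "Port-ID",
             0x0004: "Capabilities", 0x0005: "Software Version",
             0x0006: "Platform", 0x000a: "Native VLAN", 0x000b: "Duplex"}


@dataclass
class CdpFrame:
    version: int
    ttl: int
    checksum: int
    tlvs: list = field(default_factory=list)      # list of (type, value_bytes)
    anomalies: list = field(default_factory=list) # why parsing stopped early


def parse_cdp_frame(frame: bytes) -> CdpFrame:
    """Parse one Ethernet frame carrying CDP. Never indexes past the data it has.

    Structural mismatches (not CDP at all) raise ValueError; malformed TLVs
    inside an otherwise valid CDP frame are recorded in .anomalies and parsing
    stops at that TLV instead of trusting its length field.
    """
    if len(frame) < 14 + len(LLC_SNAP_HDR) + 4:
        raise ValueError("frame too short for 802.3 + LLC/SNAP + CDP header")
    anomalies = []
    if frame[0:6] != CDP_MULTICAST_MAC:
        anomalies.append("destination is not the CDP multicast MAC")
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:
        raise ValueError("EtherType present instead of an 802.3 length; not LLC/SNAP")
    if 14 + length > len(frame):
        raise ValueError(f"802.3 length {length} exceeds frame size {len(frame) - 14}")
    if frame[14:14 + len(LLC_SNAP_HDR)] != LLC_SNAP_HDR:
        raise ValueError("LLC/SNAP header is not Cisco OUI / CDP protocol ID")
    # Use the 802.3 length so trailing pad bytes are never parsed as TLVs.
    payload = frame[14 + len(LLC_SNAP_HDR):14 + length]
    if len(payload) < 4:
        raise ValueError("CDP header truncated")
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    result = CdpFrame(version, ttl, checksum, [], anomalies)

    off = 4
    while off < len(payload):
        remaining = len(payload) - off
        if remaining < 4:
            anomalies.append(f"{remaining} trailing byte(s) at offset {off}: too short for a TLV header")
            break
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        # The declared length includes the 4-byte TLV header. A length below 4
        # would make 'off' stop advancing (or underflow a size computation);
        # a length beyond the payload would read past the buffer.
        if tlv_len < 4:
            anomalies.append(f"TLV 0x{tlv_type:04x} at offset {off} declares length {tlv_len} < 4")
            break
        if tlv_len > remaining:
            anomalies.append(f"TLV 0x{tlv_type:04x} at offset {off} declares length {tlv_len} "
                             f"but only {remaining} bytes remain")
            break
        result.tlvs.append((tlv_type, payload[off + 4:off + tlv_len]))
        off += tlv_len
    return result


def build_cdp_frame(tlvs, src=bytes.fromhex("001122334455"), version=2, ttl=180) -> bytes:
    """Assemble a well-formed CDP frame from (type, value) pairs. Checksum left as 0."""
    body = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs)
    payload = struct.pack("!BBH", version, ttl, 0) + body
    length = len(LLC_SNAP_HDR) + len(payload)
    return CDP_MULTICAST_MAC + src + struct.pack("!H", length) + LLC_SNAP_HDR + payload


def describe(frame: bytes) -> list:
    """Human-readable TLV listing; anomalies are appended as 'ANOMALY: ...' lines."""
    parsed = parse_cdp_frame(frame)
    lines = [f"CDP v{parsed.version} ttl={parsed.ttl}"]
    for t, v in parsed.tlvs:
        lines.append(f"  {TLV_NAMES.get(t, f'type 0x{t:04x}')}: {v!r}")
    lines.extend(f"  ANOMALY: {a}" for a in parsed.anomalies)
    return lines


# Constructed sample frames (illustrative names and values, not captured traffic).
GOOD_FRAME = build_cdp_frame([
    (0x0001, b"switch-01"),
    (0x0003, b"GigabitEthernet0/1"),
    (0x0004, b"\x00\x00\x00\x28"),   # capabilities bitmask: switch + IGMP
    (0x000a, b"\x00\x0a"),           # native VLAN 10
])
# The first TLV header sits at frame offset 26; its length field is bytes 28..29.
OVERSIZED_TLV_FRAME = GOOD_FRAME[:28] + b"\xff\xff" + GOOD_FRAME[30:]
TINY_TLV_FRAME = GOOD_FRAME[:28] + b"\x00\x02" + GOOD_FRAME[30:]

if __name__ == "__main__":
    for name, f in (("good", GOOD_FRAME), ("oversized", OVERSIZED_TLV_FRAME), ("tiny", TINY_TLV_FRAME)):
        print(name)
        print("\n".join(describe(f)))
```

Run stand-alone it prints the TLVs of the well-formed frame and, for the two corrupted copies, a single anomaly line instead of a crash or an over-read. The same two checks (length at least the header size, length no larger than what remains) are the ones a device-side parser must enforce on every TLV before touching the value; the frames here only show where a missing check would matter, they do not reproduce the vulnerabilities the talk discloses.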