CDPwn: Taking Over Millions of Enterprise-Things with Layer 2 Zero-Days

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 12:30 p.m. (40 minutes)

The attack surface exposed by proprietary layer 2 protocols is rarely explored by the research community, and it contains hidden bugs that have severe implications for the security of the devices that use them, as well as the networks they belong to. We discovered 5 such zero-day vulnerabilities in a proprietary layer 2 protocol used by a wide variety of enterprise devices. This protocol, unfortunately, is enabled by default on all the affected products, and on all ports of each product, widening the potential attack surface.

The first threat posed by the discovered vulnerabilities affects multiple brands of enterprise-grade switches and routers. From an attacker’s perspective, these network appliances are a valuable asset, as they hold access to all network segments and are located in a prime position for traffic exfiltration. By leveraging the vulnerabilities, an unauthenticated attacker can gain full control over the network appliance and move laterally between the VLANs served by it, effectively breaking network segmentation completely.

The second attack scenario affects multiple brands of IP phones and IP cameras, numbering in the tens of millions in use by users and organizations worldwide. An attacker could use the discovered vulnerabilities to simultaneously take over all phones and cameras in a network by sending a specially crafted broadcast packet throughout the network. Once in control of these devices, the attacker can listen in on calls and view the video feeds, creating the ultimate spying tool.

In our talk, we will demo both attack scenarios, demonstrating the full implications of pwning an organization’s enterprise switch, and the frightening potential a single packet can have in taking over enterprise-grade phones and cameras.

Presenters:

  • Barak Hadad - Security Researcher, Armis
    Barak Hadad is a security researcher at Armis Labs, responsible for hunting zero days and reverse engineering. Formerly an R&D team lead in the Israeli Defense Forces Intelligence, his current focus is unraveling the mysteries of various embedded devices. While breaking a factory production line is Barak's idea of fun at work, in his free time Barak enjoys gaining as many hobbies as possible, including windsurfing, volleyball, ski, water-ski, volley-ski, ball-water-ski, and of course his favorite, wind-ball-surf-volley-ski.
  • Ben Seri - VP Research, Armis
    Ben Seri is the VP of Research at Armis, responsible for vulnerability research and reverse engineering. His main interest is exploring the uncharted territories of unmanaged devices to find common insecurities they share. Prior to Armis, Ben spent almost a decade in the Israeli Defense Forces Intelligence as a researcher and security engineer. In his free time Ben enjoys composing and playing as many instruments as the various devices he's researching.
