CVE-2020-7122
📋 TL;DR
Two memory corruption vulnerabilities in Aruba CX Switches allow local denial of service attacks against the CDP process. Attackers with local access can crash the CDP service, potentially disrupting network discovery and management. Affects Aruba CX 6200F, 6300, 6400, 8320, 8325, and 8400 series switches running firmware versions before 10.04.1000.
💻 Affected Systems
- Aruba CX 6200F
- Aruba CX 6300
- Aruba CX 6400
- Aruba CX 8320
- Aruba CX 8325
- Aruba CX 8400
📦 What is this software?
Cx 6200f Firmware by Arubanetworks
Cx 6300 Firmware by Arubanetworks
Cx 6400 Firmware by Arubanetworks
Cx 8320 Firmware by Arubanetworks
Cx 8325 Firmware by Arubanetworks
Cx 8400 Firmware by Arubanetworks
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of CDP functionality leading to network discovery failures and potential cascading network issues if CDP is critical for topology mapping.
Likely Case
Local denial of service causing temporary CDP process crashes requiring process restart or system reboot.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting local access to switch management interfaces.
🎯 Exploit Status
Requires local access to the switch and knowledge of memory corruption techniques. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.04.1000 or later
Vendor Advisory: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-009.txt
Restart Required: Yes
Instructions:
1. Download firmware version 10.04.1000 or later from Aruba support portal. 2. Backup current configuration. 3. Upload new firmware to switch. 4. Install firmware using 'install add' command. 5. Reboot switch to activate new firmware.
🔧 Temporary Workarounds
Disable CDP
allCompletely disable Cisco Discovery Protocol if not required for network operations
no cdp enable
Restrict Management Access
allLimit local access to switch management interfaces to trusted administrators only
management-access-filter ipv4 <trusted-subnet>
management-access-filter ipv6 <trusted-subnet>
🧯 If You Can't Patch
- Implement strict access controls to limit who can access switch management interfaces
- Monitor switch logs for CDP process crashes or unusual memory usage patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version with 'show version' command. If version is below 10.04.1000, system is vulnerable.Check Version:
show version | include VersionVerify Fix Applied:
After patching, verify firmware version is 10.04.1000 or higher using 'show version' command.📡 Detection & Monitoring
Log Indicators:
- CDP process crashes
- Memory corruption errors in system logs
- Unexpected process restarts
Network Indicators:
- Loss of CDP neighbor discovery
- Missing CDP packets from affected switches
SIEM Query:
source="aruba-switch" AND (event="cdp_crash" OR event="memory_corruption" OR message="*CDP*restart*")