On Monday, 10 February, 2020 11:50, "Jean | ddostest.me via NANOG" <nanog@nanog.org> said:
> I really thought that more Cisco devices were deployed among NANOG.
> I guess that these devices are not used anymore or maybe that I understood wrong the severity of this CVE.

The phones / cameras side of it seems very much like an Enterprise problem. I'm not sure what the split is here of people operating Enterprise networks vs Service Provider, but I'd expect a skew towards the latter.

There is some SP kit on the vulnerable list too, but in my experience, CDP there is used to validate L2 topologies amongst SP kit only, and disabled on customer-facing ports. So maybe a "we *do* have CDP turned off everywhere we don't need it, right?" sanity-check, but not necessarily a rush to patch.

I'd have expected greater consternation had this hit vanilla-IOS/XE boxes that are likely to be in managed CPE roles, such as ISR and ASR1K. There I can see the potential for CDP to be enabled customer-facing, either for diagnostics with the customer, or for the voice / data VLAN stuff outlined in the article.

Regards,
Tim.