Tuesday, 24 June 2025

Living Long Doing Pentests

Some time ago, I was searching online for information about vulnerabilities in popular networking devices. One of the links I came across concerned the CVE-2025-0116 vulnerability, related to the handling of LLDP (Link Layer Discovery Protocol) by Palo Alto devices. Intrigued by the description, I decided to check how it looks on my own device in a home lab environment. Below you'll find some details about it. Here we go...

Today we'll start here:


I chose to continue the tests in the setup I mentioned in one of my recent posts about a vulnerability in the CLI-handling application found in Palo Alto.

Below are some notes I gathered on the topic...

Protocol Description

"The LLDP (Link Layer Discovery Protocol) is a standardized network protocol operating at the data link layer (Layer 2 of the OSI model), which allows network devices to exchange information about their configuration and parameters.

It enables automatic discovery of neighboring devices such as switches, routers, or access points, and the collection of data about their MAC addresses, IP addresses, names, ports, and network capabilities. LLDP is based on transmitting TLV (Type-Length-Value) frames that contain various types of information in a standardized format. It is widely used in network management, making it easier to map topology and configure devices. 

The protocol is vendor-neutral, which distinguishes it from similar solutions like Cisco CDP. It operates in multicast mode, sending information periodically or when a configuration change occurs. LLDP is defined in the IEEE 802.1AB standard and is supported by most modern network devices."

 

At this stage, I decided to explore the potential use and application of the LLDP protocol in the context of Palo Alto devices. A brief outline of the concept is provided below:


"LLDP support in Palo Alto Networks devices is available on firewalls, enabling the discovery of neighboring devices and their parameters at Layer 2 of the OSI model. (...) LLDP must be enabled globally as well as on selected interfaces, and an LLDP profile must be configured to define the mode (transmit/receive) and optional TLVs. 

The firewalls support only one MAC address for LLDP frames (01-80-C2-00-00-0E), and the information is stored in the MIB database accessible via SNMP. LLDP facilitates network management, especially in virtual wire topologies where firewalls are invisible to tools like ping or traceroute. (...) It is also possible to configure the transmission interval (default: 30 seconds) and hold time (default: 120 seconds)."

As I continued researching the topic, I came across the following information:

"The MAC address 01-80-C2-00-00-0E is a standard multicast address used by the LLDP protocol, as defined in the IEEE 802.1AB specification. (...) All LLDP-compliant devices, including Palo Alto firewalls, use this address to send and receive LLDP frames in multicast mode. In the case of Palo Alto, this means that the firewalls do not use any other MAC addresses for LLDP, which is in line with the universal protocol specification."

I found all of this information interesting and useful as a foundation for broader research on the protocol in my home lab.

Environment Setup

While reading about the LLDP protocol and its potential use in penetration testing, I installed and configured two virtual machines: Kali and Palo Alto (similar to the setup described earlier in this post).
Unlike in previous tests, this time I used VMware to install both machines.

In the meantime—while researching how to install and configure a suitable testing environment—I learned that in LLDP-related tests involving virtualization (e.g., Palo Alto), devices may not "see" each other properly. To avoid this issue, both network interfaces (on the Kali and Palo Alto machines) should be set to Bridge mode. This allows the devices to "communicate" via LLDP and enables us, in later steps, to sniff traffic and easily debug or interact using our custom LLDP fuzzing client.

To summarize:
On the latest version of Kali Linux, I installed Scapy to facilitate working on potential tools (for this purpose, I planned to use Python 3).

As for the installation and configuration of the Palo Alto device:
I used version 11.1.4-h7 (as described in a previous post) with "default settings." The changes I made specifically for conducting the LLDP-related tests are presented below:

 

First and foremost, I followed the settings available through the WebGUI and enabled LLDP support as shown below:

configure
set network lldp enable yes
commit

When I checked whether Wireshark could detect any LLDP communication, I unfortunately saw no results, so I decided to read up on configuring LLDP support via the CLI. Following this lead, I found additional settings, which I applied on the Palo Alto device to complete the configuration and actually enable LLDP:

configure
set network lldp enable yes
set zone trust network layer3
set network interface ethernet ethernet1/1 layer3 ip 192.168.56.1/24
set network interface ethernet ethernet1/1 zone trust
set network interface ethernet ethernet1/1 lldp enable yes
set network interface ethernet ethernet1/1 management-profile allow-ping
commit
show interface ethernet1/1

At this stage, we should already have the environment ready for further testing.

 

Purpose and Description of the Study

Taking into account the information gathered above, my goal was not to replicate the attack described in the CVE. This time, I aimed for different results, so I divided the work into several stages:

· creating a simple "LLDP client" — a program designed to send LLDP packets via a network interface (e.g., eth0) on Kali Linux
· creating a simple "LLDP sniffer" — a program intended to listen to the network to detect information transmitted using LLDP
· creating a simple "LLDP fuzzer" — with which I could prepare attack scenarios against devices using this protocol for communication

Equipped with Python 3, Scapy, Wireshark, and tcpdump, I decided to start working using Kali Linux (as the "pentester's station") installed earlier.

My goal was to develop several simple "tools" (scripts) that could potentially be used in future penetration tests of network infrastructures.

Verification of potential vulnerabilities (e.g., through collecting and analyzing data from tested network devices, logs, memory dumps) is beyond the scope of this document and is therefore left to the reader.

 

Basic "LLDP client"

An example of a simple client using LLDP is shown below: 


(Full code is available here.)

The assumptions for the code operation are:

· to construct a simple LLDP packet
· to "broadcast" the created LLDP packet within the tested network.

During this test, I used Wireshark to confirm the client's operation:

The code created in this way enabled me, in the next steps, to build a simple fuzzer utilizing the LLDP protocol.
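To make the client's two assumptions concrete, here is an added example (not the script from the original post) that builds an LLDPDU from raw TLVs with the Python standard library and sends it to the LLDP multicast address over a Linux raw socket; the source MAC, system name and the IEEE 802.3 Maximum Frame Size organizationally specific TLV values are constructed for the lab, and the interface name eth0 is assumed as in the text.

```python
import socket
import struct

LLDP_MULTICAST_MAC = bytes.fromhex("0180c200000e")   # 01-80-C2-00-00-0E, per IEEE 802.1AB
LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_SYSTEM_DESC, TLV_ORG_SPECIFIC = 5, 6, 127


def tlv(tlv_type, value):
    # One TLV: 7-bit type and 9-bit length packed into two bytes, then the value.
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type must fit 7 bits and value at most 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, system_name, system_desc, org=None):
    # Mandatory TLVs first (Chassis ID, Port ID, TTL), optional TLVs, then the End TLV.
    parts = [
        tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac),        # subtype 4 = MAC address
        tlv(TLV_PORT_ID, b"\x05" + port_name.encode()),    # subtype 5 = interface name
        tlv(TLV_TTL, struct.pack("!H", ttl)),
        tlv(TLV_SYSTEM_NAME, system_name.encode()),
        tlv(TLV_SYSTEM_DESC, system_desc.encode()),
    ]
    if org:                                                # (oui, subtype, info) for a type-127 TLV
        oui, subtype, info = org
        parts.append(tlv(TLV_ORG_SPECIFIC, oui + bytes([subtype]) + info))
    parts.append(tlv(TLV_END, b""))
    return b"".join(parts)


def build_frame(src_mac, lldpdu):
    # Ethernet II header: LLDP multicast destination, our source MAC, EtherType 0x88CC.
    return LLDP_MULTICAST_MAC + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def send_frame(frame, iface="eth0"):
    # Linux AF_PACKET raw socket; needs root or CAP_NET_RAW. Returns the number of bytes sent.
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Constructed lab values; replace the MAC with the Kali interface's own address.
    mac = bytes.fromhex("020000000001")
    pdu = build_lldpdu(mac, "eth0", 120, "kali-lab", "Kali Linux, LLDP client test",
                       org=(bytes.fromhex("00120f"), 4, b"\x05\xf2"))   # IEEE 802.3 Max Frame Size = 1522
    print(f"sent {send_frame(build_frame(mac, pdu), 'eth0')} bytes")
```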

 

Basic “LLDP Sniffer”

An example of a simple sniffer detecting messages using LLDP is shown below:

(Full code is available here.)

The assumptions for the code operation are:

· detecting communication using the LLDP protocol in the tested network
· detecting network devices.

An example of the sniffer’s operation is shown in the screenshot below:


At the beginning, we focus on simply detecting LLDP communication in the network where the pentest is being conducted. In subsequent stages of updating this simple sniffer’s code, we can modify the way packets are analyzed to try to extract more data potentially interesting from the perspective of our study.

My interest was whether LLDP packets would be visible to the sniffer and if I could prepare the script code in a way that would facilitate identifying Palo Alto machines.

While modifying the code, I decided to add more information to the displayed results upon detecting LLDP communication. The updated code is presented in the box below:

(Full code is available here.)

An example of the operation and results is shown below:

Moving forward...

 

Basic “LLDP Fuzzer”

The goal I set here was to create a simple LLDP fuzzer. However, considering how the protocol works, I decided that the fuzzer would focus on sending rather than sending and receiving data. We are not “attacking” a typical client-server application here; instead, we politely wait for (possible) messages from the server — in our case, for what a given device XYZ propagates in the network we are pentesting.

An example of a simple fuzzer utilizing LLDP is shown below:


(Full code is available here.) 

Sample results after running this fuzzer (along with visible results obtained using the sniffer whose code was presented in the previous section of this document):


The code operation at this stage can be described as:

· modifying specific fields (e.g., System Name)
· attempting to send the modified packet.


Enhancing the fuzzer’s functionality

Considering the potential of the LLDP protocol, my next steps were aimed at extending the script so that it could modify additional elements of the frame. The code below adds the classify_payload() function, the ability to modify the OUI and subtype, and support for the --once parameter to send only one packet.

The updated fuzzer code is presented below:

(Full code is available here.) 

An example of the code in action is shown in the screenshot below:


 

Enhancing the sniffer’s functionality

My main goal for the LLDP sniffer was to identify as many different network devices as possible that we might encounter during penetration tests in the Client’s network.

After some minor modifications, the sniffer code is presented in the box below:

(Full code is available here.)

An example of the sniffer’s operation is shown in the screenshot below:


To enhance the detection of other devices, I modified the code — the final version is presented in the box below:

 

The operation of the updated version is shown in the screenshot below:
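Pulling the two sniffer sections together, here is an added example (not the post's own sniffer code) that decodes an LLDP frame into the fields worth printing, labels the vendor from the System Description, decodes the OUI and subtype of organizationally specific TLVs, and bounds-checks every TLV length so that a malformed frame like the ones the fuzzer section produces is reported rather than misparsed; the sample frames, MAC addresses and vendor hint strings are constructed for this illustration.

```python
import struct

# Substrings matched against System Description to label the vendor (constructed lab hints, not a fingerprint list).
VENDOR_HINTS = {"Palo Alto": "Palo Alto Networks", "Cisco": "Cisco", "Kali": "Kali Linux"}

def parse_tlvs(lldpdu):
    # Walk the TLV list with bounds checks; return (tlvs, anomalies).
    tlvs, issues, off = [], [], 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack_from("!H", lldpdu, off)[0]
        t, length, off = hdr >> 9, hdr & 0x1FF, off + 2   # 7-bit type, 9-bit length
        if off + length > len(lldpdu):                   # length field points past the frame
            issues.append(f"TLV type {t} length {length} overruns frame")
            break
        tlvs.append((t, lldpdu[off:off + length]))
        off += length
        if t == 0:                                       # End of LLDPDU TLV closes the list
            break
    else:
        issues.append("missing End of LLDPDU TLV")
    return tlvs, issues

def describe(frame):
    if len(frame) < 14 or frame[12:14] != b"\x88\xcc":   # EtherType 0x88CC = LLDP
        raise ValueError("not an LLDP frame")
    tlvs, issues = parse_tlvs(frame[14:])
    info = {"src_mac": frame[6:12].hex(":"), "issues": issues, "org_specific": []}
    for t, v in tlvs:
        if t == 1 and v[:1] == b"\x04":                  # Chassis ID, subtype 4 = MAC address
            info["chassis_id"] = v[1:].hex(":")
        elif t == 2:                                     # Port ID: subtype byte, then identifier
            info["port_id"] = v[1:].decode(errors="replace")
        elif t == 3 and len(v) == 2:
            info["ttl"] = struct.unpack("!H", v)[0]
        elif t in (5, 6):
            info["system_name" if t == 5 else "system_desc"] = v.decode(errors="replace")
        elif t == 127 and len(v) >= 4:                   # Organizationally Specific: OUI, subtype, info
            info["org_specific"].append((v[:3].hex(":"), v[3], v[4:]))
    desc = info.get("system_desc", "")
    info["vendor"] = next((n for k, n in VENDOR_HINTS.items() if k in desc), "unknown")
    return info

def _tlv(t, v):
    return struct.pack("!H", (t << 9) | len(v)) + v
# Constructed sample frame (all values made up): a lab firewall's announcement on ethernet1/1.
SAMPLE_FRAME = bytes.fromhex("0180c200000e" "020000000002" "88cc") + b"".join([
    _tlv(1, b"\x04" + bytes.fromhex("020000000002")), _tlv(2, b"\x05ethernet1/1"), _tlv(3, b"\x00\x78"),
    _tlv(5, b"pa-lab"), _tlv(6, b"Palo Alto Networks lab firewall"),
    _tlv(127, bytes.fromhex("00120f") + b"\x04\x05\xf2"), _tlv(0, b"")])   # IEEE 802.3 Max Frame Size = 1522
# The same frame with the System Name TLV's length field inflated to 300, the kind of mutation a fuzzer sends.
FUZZED_FRAME = SAMPLE_FRAME.replace(_tlv(5, b"pa-lab"), struct.pack("!H", (5 << 9) | 300) + b"pa-lab")
```

On the lab network the same describe() can be fed frames read from an AF_PACKET socket bound to the Kali interface, printing info["issues"] alongside the decoded fields.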

Outro

All the code described in this article is available here.

Here are a few links that were helpful to me while creating this document:
 

• https://security.paloaltonetworks.com/CVE-2025-0116 
• https://nvd.nist.gov/vuln/detail/cve-2024-20294 
• https://www.armis.com/research/cdpwn 
• https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-networking-admin/lldp/configure-lldp 
• https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Wi-Fi-Cloud/discover/monitor/monitor_switch.html 
• https://code610.blogspot.com 

I encourage you to continue exploring on your own. ;)

 

Have fun and remember to use it only for legal purposes!

Cheers
