Advisory Overview
A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory on an affected device, destabilizing the other processes running on it. SKOUT recommends following the mitigation steps provided by Cisco and applying Cisco software updates as fixes are released and become available.
Technical detail and additional information
What is the threat?
The flaw in Cisco IOS XR Software is a high-severity zero-day: Cisco disclosed it while attackers were already attempting to exploit it against Cisco networking devices, and no patch was available at disclosure. Cisco IOS XR Software is the operating system for carrier-grade routers and other networking devices used by telecommunications and data center providers. As of this writing, Cisco has not provided a timeline for when a fixed release will be available.
Why is this noteworthy?
The vulnerability is tracked as CVE-2020-3566. It is caused by insufficient queue management for Internet Group Management Protocol (IGMP) packets: an attacker who sends crafted IGMP traffic to an affected device can exhaust its process memory, which in turn destabilizes other processes, including but not limited to interior and exterior routing protocols. DVMRP messages are carried as an IGMP message type, which is why the attack vector is IGMP traffic even though the vulnerable feature is DVMRP.
What is the exposure or risk?
Cisco has not stated whether exploitation could have effects beyond memory exhaustion and the resulting disruption of other processes. Cisco rates the severity as High, with a Common Vulnerability Scoring System (CVSS) base score of 8.6 out of 10. The vulnerability affects any Cisco device running any release of Cisco IOS XR Software if an active interface is configured under multicast routing and that interface is receiving DVMRP traffic; a device with no interface under multicast routing is not affected. Because the attacker controls when the traffic is sent, a device that has multicast routing enabled but has not yet seen DVMRP traffic should still be treated as exposed and mitigated.
What are the recommendations?
- SKOUT recommends familiarizing yourself with the summary and details at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
- Run the administrator command "show igmp interface" on each device to determine whether multicast routing is enabled; any interface reported with IGMP enabled means it is. The Cisco Security Advisory lists the exact commands and example output.
- Run "show igmp traffic" to determine whether the device is receiving DVMRP traffic; a non-zero received count on the DVMRP packets row indicates that it is.
- Check for the Indicators of Compromise and apply the mitigations (an IGMP rate limiter, or an access control entry that denies DVMRP traffic inbound on affected interfaces) as instructed in the Cisco Security Advisory.
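The two checks above are easy to run by hand on one router but tedious across a fleet. The following script is an added example written for this summary, not code from Cisco or from the advisory: it parses the text of "show igmp interface" and "show igmp traffic" (collected over SSH by whatever tool you already use), classifies the device, and, for every IGMP-enabled interface, prints the ACL-based mitigation in the form the advisory describes. The sample command output embedded below is constructed for the example and its exact column layout is an assumption; the ACL name and sequence numbers are placeholders, and the deny ACE should be checked against the advisory for your release before use.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of IOS XR "show igmp interface" (assumed layout,
# not captured from a real device): an unindented interface header followed by
# indented detail lines, one of which states whether IGMP is enabled.
SHOW_IGMP_INTERFACE = """\
Loopback0 is up, line protocol is up
  Internet address is 10.0.0.1/32
  IGMP is enabled on interface
  Current IGMP version is 3
GigabitEthernet0/0/0/0 is up, line protocol is up
  Internet address is 192.0.2.1/30
  IGMP is enabled on interface
  Current IGMP version is 3
GigabitEthernet0/0/0/1 is up, line protocol is up
  Internet address is 198.51.100.1/30
  IGMP is disabled on interface
"""

# Constructed sample in the layout of IOS XR "show igmp traffic" (assumed layout):
# each counter row is "<name> <received> <sent>".
SHOW_IGMP_TRAFFIC = """\
IGMP Traffic Counters
Elapsed time since counters cleared: 01:02:03

                                  Received     Sent
Valid IGMP Packets                    3491        0
Queries                                  0        0
Reports                               3200        0
Leaves                                   0        0
Mtrace packets                           0        0
DVMRP packets                          291        0
PIM packets                              0        0
"""

INTERFACE_HEADER = re.compile(r"^(\S+) is (up|down|administratively down)")
DVMRP_ROW = re.compile(r"^DVMRP packets\s+(\d+)\s+(\d+)\s*$", re.M)


def igmp_enabled_interfaces(show_igmp_interface: str) -> List[str]:
    """Interfaces on which IGMP is enabled, i.e. configured under multicast routing."""
    enabled: List[str] = []
    current = None
    for line in show_igmp_interface.splitlines():
        if line and not line[0].isspace():           # interface header line
            m = INTERFACE_HEADER.match(line)
            current = m.group(1) if m else None
        elif current and "IGMP is enabled" in line:  # detail line for current interface
            enabled.append(current)
    return enabled


def dvmrp_received(show_igmp_traffic: str) -> int:
    """Received DVMRP packet counter. Fails loudly if the row is missing so that a
    changed output format is not silently read as 'no DVMRP traffic'."""
    m = DVMRP_ROW.search(show_igmp_traffic)
    if m is None:
        raise ValueError("DVMRP packets row not found in 'show igmp traffic' output")
    return int(m.group(1))


def assess(show_igmp_interface: str, show_igmp_traffic: str) -> Dict[str, object]:
    """Classify a device against the advisory's vulnerable condition:
    an interface under multicast routing AND DVMRP traffic being received."""
    interfaces = igmp_enabled_interfaces(show_igmp_interface)
    received = dvmrp_received(show_igmp_traffic)
    if not interfaces:
        status = "not affected: no interface has IGMP enabled"
    elif received == 0:
        status = "attack surface present: multicast enabled, no DVMRP received yet"
    else:
        status = "vulnerable condition met: multicast enabled and DVMRP traffic received"
    # Mitigate whenever the attack surface exists; the attacker picks when to send.
    return {"igmp_interfaces": interfaces, "dvmrp_received": received,
            "status": status, "mitigate": bool(interfaces)}


def mitigation_config(interfaces: List[str], acl_name: str = "DENY-DVMRP") -> str:
    """Interface ACL mitigation in the form the advisory describes: an ACE dropping
    IGMP DVMRP messages inbound on each IGMP-enabled interface. ACL name and sequence
    numbers are placeholders. If an interface already carries an ingress ACL, add the
    deny ACE to that ACL instead of replacing it with this one."""
    lines = [f"ipv4 access-list {acl_name}",
             " 10 deny igmp any any dvmrp",
             " 20 permit ipv4 any any"]
    for ifname in interfaces:
        lines += [f"interface {ifname}", f" ipv4 access-group {acl_name} ingress"]
    return "\n".join(lines)


if __name__ == "__main__":
    result = assess(SHOW_IGMP_INTERFACE, SHOW_IGMP_TRAFFIC)
    print(result["status"])
    if result["mitigate"]:
        print(mitigation_config(result["igmp_interfaces"]))
```

The "not yet seen DVMRP" case is reported separately from "vulnerable condition met" so that an inventory can prioritise devices already being hit, while the mitigate flag stays true for both: the advisory's rate limiter or deny ACE costs little and removes the exposure before an attacker sends the first packet.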
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.helpnetsecurity.com/2020/09/01/zero-day-cisco-enterprise-routers/
- https://www.bleepingcomputer.com/news/security/cisco-warns-of-actively-exploited-bugs-in-carrier-grade-routers/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
If you have any questions, please contact our Security Operations Center.