Recently, Cisco warned about a new zero-day vulnerability in its IOS XR software, tracked as CVE-2020-3566. The flaw, found on August 28, 2020, lies in the Distance Vector Multicast Routing Protocol (DVMRP) feature. The zero-day is being exploited in the wild: it allows a remote, authenticated attacker to cause memory exhaustion and crash other processes running on Cisco IOS XR.
For example, the attacker could crash security mechanisms and gain access to the device. However, this is only a theory; it is unclear how attackers actually use the bug. Cisco explained how the bug makes IOS XR insecure:
The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.
According to the National Vulnerability Database (NVD), the risk posed by the CVE-2020-3566 vulnerability is “high”. The flaw affects all Cisco devices running IOS XR software if the software is configured for multicast routing.
Cisco reported that the attacks were detected last week during the investigation of a support case the company’s team was working on. The company assured customers that it is currently developing software updates for IOS XR devices, but it is still unclear when these fixes will be available.
First, Cisco recommends that administrators determine whether the device is receiving DVMRP traffic. If, after running the “show igmp traffic” command, the “DVMRP packets” line shows zero in the first column and remains zero on subsequent executions of the command, then the IOS XR software is not receiving DVMRP traffic and is not exposed to CVE-2020-3566.
While the problem remains unfixed, Cisco has published a detailed advisory with several mitigation steps for administrators. There are ways to reduce the risk of CVE-2020-3566 being exploited. The company recommends the following:
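An added example (not from the article or from Cisco) that automates the check described above over two snapshots of “show igmp traffic” output; the sample output is constructed, and its column layout is an assumption about the real command's format.

```python
import re
from typing import Optional

# Constructed sample, loosely modelled on IOS XR "show igmp traffic";
# not a capture from a real device. SNAPSHOT_2 is the same counters a few
# minutes later, with the Received column of the DVMRP line changed to 7.
SNAPSHOT_1 = """\
IGMP Traffic Counters
Elapsed time since counters cleared: 1d02h

                                  Received   Sent
Valid IGMP Packets                  12       6
Queries                             0        0
Reports                             12       0
Leaves                              0        0
Mtrace packets                      0        0
DVMRP packets                       0        0
PIM packets                         0        6
"""
SNAPSHOT_2 = re.sub(r"(DVMRP packets\s+)0", r"\g<1>7", SNAPSHOT_1, count=1)

# The "DVMRP packets" line: first number is Received, second is Sent.
DVMRP_LINE = re.compile(r"^\s*DVMRP packets\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)


def dvmrp_received(output: str) -> Optional[int]:
    """Return the first (Received) column of the 'DVMRP packets' line, or None if absent."""
    m = DVMRP_LINE.search(output)
    return int(m.group(1)) if m else None


def assess(first: str, second: str) -> str:
    """Apply Cisco's test: zero in the first column on two successive runs means
    the device is not receiving DVMRP traffic. Anything else means the rate-limit
    and ACL mitigations should be applied. Note that clearing the counters between
    runs invalidates the comparison; check the 'Elapsed time' line if in doubt."""
    a, b = dvmrp_received(first), dvmrp_received(second)
    if a is None or b is None:
        return "unknown"                 # counter line missing: cannot conclude
    if a == 0 and b == 0:
        return "not-receiving-dvmrp"
    if b > a:
        return "receiving-dvmrp"         # counter rose between the two runs
    return "dvmrp-seen-previously"       # non-zero but static since last run
```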
This command does not remove the exploit vector. However, it reduces the traffic rate and increases the time needed for a successful exploit, which gives the customer time to perform recovery actions.
Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface.
These steps are only partial mitigations, not full workarounds. While Cisco works on the necessary software updates, IOS XR administrators should remain very careful.
Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.
This entry was posted on 2020-09-02 at 06:21 and is filed under News, Web browsers and vulnerabilities.
World news – US – Zero-day flaw allows attacking Cisco IOS XR devices