Cisco Fixes Actively Exploited Bugs In Carrier-Grade Routers
Cisco fixed two actively exploited and high severity memory exhaustion DoS vulnerabilities found in the IOS XR software that runs on multiple carrier-grade routers.
The Cisco IOS XR Network OS is deployed on several router platforms including the NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.
Cisco warned customers on August 29th of ongoing attacks targeting carrier-grade routers running vulnerable Cisco IOS XR software versions.
“On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of these vulnerabilities in the wild,” Cisco explained.
The two denial-of-service (DoS) security flaws — tracked as CVE-2020-3566 and CVE-2020-3569 — exist in the Distance Vector Multicast Routing Protocol (DVMRP) feature of the IOS XR software.
They impact any Cisco device running any Cisco IOS XR Software release if one of the active interfaces is configured under multicast routing.
Remote and unauthenticated attackers who successfully exploit them by sending crafted IGMP traffic can exhaust the targeted routers’ memory.
Also Read: The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases
Security fixes available
While at the time it disclosed the attacks Cisco only provided customers with mitigation measures to block exploitation attempts, the company has now released free Software Maintenance Upgrades (SMUs) to address the two vulnerabilities.
The table embedded below contains information on what fixes should be deployed for each of the two security flaws on affected routers.
| Cisco IOS XR Release | Fix Needed for CSCvv54838 | Fix Needed for CSCvr86414 | Notes |
|---|---|---|---|
| Earlier than 6.6.3 | Yes | Yes | Fixes are provided through bug CSCvv60110, which was created to combine the fixes for both CSCvv54838 and CSCvr86414. SMU names include CSCvv60110. |
| 6.6.3 and later | Yes | No | Fix needed for only CSCvv54838. Releases 6.6.3 and later already contain the fix for CSCvr86414. SMU names include CSCvv54838. |
To find if multicast routing is enabled on a device exposing it to potential attacks, admins can run the show igmp interface command.
For IOS XR routers were the multicast routing feature is not enabled, the output of the command will be empty and the devices are not affected by the two flaws.
Mitigation measures
For vulnerable devices where admins cannot immediately apply the security fixes, Cisco recommends implementing “an access control entry (ACE) to an existing interface access control list (ACL)” or a new ACL to deny inbound DVRMP traffic to interfaces with multicast routing enabled.
Admins are also advised to disable IGMP routing on interfaces where processing IGMP traffic is not necessary.
This can be done by entering IGMP router configuration mode by issuing the router igmp command, selecting the interface using interface, and then disabling IGMP routing using router disable.
In July, Cisco fixed another actively exploited read-only path traversal vulnerability, as well as pre-auth critical remote code execution (RCE), authentication bypass, and static default credential vulnerabilities that could lead to full device takeover.
Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?
0 Comments