Cisco Warns Of Actively Exploited Bug In Carrier-Grade Routers

Image: Taylor Vick

Cisco warned over the weekend that threat actors are trying to exploit a high severity memory exhaustion denial-of-service (DoS) vulnerability in the company’s Cisco IOS XR software that runs on carrier-grade routers.

Cisco’s IOS XR Network OS is deployed on multiple router platforms including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.

Cisco hasn’t yet released software updates to address this actively exploited security flaw, but the company provides mitigations in a security advisory published over the weekend.

“On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild,” Cisco explains.

“For affected products, Cisco recommends implementing a mitigation that is appropriate for the customer’s environment.”

Affects all Cisco IOS XR routers (if multicast routing is enabled)

The CVE-2020-3566 bug exists in the Distance Vector Multicast Routing Protocol (DVMRP) feature of the IOS XR software and it may allow remote and unauthenticated attackers to exhaust the targeted device’s memory.

“The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets,” the security advisory explains.

“An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes.

“These processes may include, but are not limited to, interior and exterior routing protocols.”

According to Cisco, the security flaw tracked as CVE-2020-3566 affects any Cisco device running any Cisco IOS XR Software release if one of their active interfaces is configured under multicast routing.

To determine if multicast routing is enabled on a device, admins can run the show igmp interface command. On IOS XR routers where multicast routing is not enabled, the output will be empty and the devices are not affected by CVE-2020-3566.

On devices where this vulnerability was used to exhaust memory, admins can see system log messages similar to the ones in the screenshot embedded below.

Mitigation measures

Cisco says that admins can take measures to partially or fully remove the exploit vector threat actors could use in attacks against devices vulnerable to CVE-2020-3566.

Admins can implement rate-limiting to reduce IGMP traffic rates and increase the time needed to successfully exploit CVE-2020-3566, time that can be used for recovery.

Customers can also “implement an access control entry (ACE) to an existing interface access control list (ACL)” or a new ACL to deny inbound DVMRP traffic to interfaces with multicast routing enabled.

Cisco recommends disabling IGMP routing on interfaces where processing IGMP traffic is not necessary by entering IGMP router configuration mode.

This can be done by issuing the router igmp command, selecting the interface with the interface command, and disabling IGMP routing with router disable.
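As an added illustration (not configuration from the article or from Cisco’s advisory), the following IOS XR fragment applies two of the mitigations described above: an ACL that drops inbound DVMRP messages on a multicast-enabled interface, and disabling IGMP routing on an interface that does not need to process IGMP. The interface names and the ACL name are assumptions chosen for the example.

```cisco
! Mitigation 1: drop inbound DVMRP (IGMP message type 0x13) on a multicast-enabled interface.
! GigabitEthernet0/0/0/0 and the ACL name DENY-DVMRP are assumed names for this example.
ipv4 access-list DENY-DVMRP
 10 deny igmp any any dvmrp
 20 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group DENY-DVMRP ingress
!
! Mitigation 2: disable IGMP routing on an interface that does not need it
! (GigabitEthernet0/0/0/1 is an assumed name).
router igmp
 interface GigabitEthernet0/0/0/1
  router disable
!
commit
!
! Verification (exec mode): the interface disabled above should no longer be listed as
! IGMP-enabled; a completely empty output means multicast routing is not enabled at all.
show igmp interface
```

The explicit permit entry matters because IOS XR ACLs end with an implicit deny; when adding the ACE to an existing interface ACL instead, insert it before that ACL’s existing permits rather than appending a new permit-all.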

Last month, Cisco fixed another high severity and actively exploited read-only path traversal vulnerability tracked as CVE-2020-3452 and affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

One week earlier, the company issued another set of security updates to address pre-auth critical remote code execution (RCE), authentication bypass, and static default credential vulnerabilities affecting multiple firewall and router devices that could lead to full device takeover.
