Cisco IOS XR Zero-Day Vulnerability is Being Actively Exploited in the Wild

A high-severity zero-day vulnerability has been found in Cisco IOS XR, the network operating system that Cisco ships on its carrier-grade and data center routers. The vulnerability allows an unauthenticated, remote attacker to exhaust process memory on an affected device and destabilize the other processes running on it.


Vulnerability Details (CVE-2020-3566):

Cisco has released a security advisory warning of an actively exploited zero-day vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software, which runs on Cisco's carrier-grade and data center routers.

According to Cisco’s advisory: “The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit the vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”

The vulnerability affects any Cisco device running any release of Cisco IOS XR Software on which an active interface is configured under multicast routing.

Check if Multicast Routing Is Enabled:

An administrator can determine whether multicast routing is enabled on the device with the show igmp interface command. If the output of the command is empty, multicast routing is not enabled. If the command lists one or more interfaces (Cisco's advisory shows sample output of this kind), multicast routing is enabled and the device is affected.

show igmp interface

Check if Device Is Receiving DVMRP Traffic:

An administrator can determine whether the device is receiving DVMRP traffic with the show igmp traffic command. In the output (Cisco's advisory shows a sample), look at the Received column of the DVMRP packets entry: if it is zero and stays zero on subsequent executions of the command, the device is not receiving DVMRP traffic. A non-zero or increasing value on a device that is not expected to receive DVMRP traffic should be investigated, because crafted DVMRP traffic is how this vulnerability is triggered.

show igmp traffic

Indicators of Compromise:

Cisco's advisory lists the system log entries that may be seen when the vulnerability is being exploited against a device; refer to the advisory for the exact messages. A DVMRP Received counter in show igmp traffic that keeps increasing on a device with no legitimate DVMRP peers is a further sign that the device is being targeted.


Impact:

The vulnerability allows an unauthenticated, remote attacker to exhaust process memory on the affected device. The resulting memory exhaustion destabilizes other processes on the device, including the interior and exterior routing protocol processes, which can disrupt routing through the device.


Affected Application:

All releases of Cisco IOS XR Software, on any Cisco device where multicast routing is enabled for an active interface.


Solution:

At the time of writing, Cisco has not released a software update for this vulnerability. Cisco has, however, published mitigations that administrators can apply depending on their environment.

1. IGMP traffic rate limiter:

An administrator can use the lpts pifib hardware police flow igmp rate command to limit the rate of IGMP traffic punted to the route processor, setting the value below the current average IGMP rate observed on the device. This does not remove the exploitation vector, but it slows the rate at which memory can be consumed and so increases the time an attacker needs, which gives the administrator more time to take recovery actions. Because the policer applies to all IGMP traffic handled by the route processor, not only DVMRP, the value should be chosen with the device's legitimate IGMP load in mind.

                 lpts pifib hardware police flow igmp rate <value>

2. Access control entry (ACE) or access control list (ACL):

An administrator can add an ACE to an existing interface ACL, or create a new ACL for a specific interface, that denies DVMRP traffic inbound on that interface. DVMRP is carried as an IGMP message type, so the following ACE is used to deny it:

                 ipv4 access-list <acl_name> deny igmp any any dvmrp

The ACL only takes effect once it is applied inbound on the interface. When a new ACL is created for this purpose, remember that IOS XR ACLs end with an implicit deny, so the list also needs an entry after the DVMRP deny that permits the interface's legitimate traffic; otherwise the interface will drop everything.
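Putting both mitigations together, the following is an added example of an IOS XR configuration session; it is not taken from the original page or from Cisco's advisory. It creates a dedicated ACL that denies DVMRP and permits everything else, applies it inbound on one interface, installs the IGMP policer, and re-runs the advisory's check. The ACL name DENY-DVMRP, the interface GigabitEthernet0/0/0/0, the sequence numbers and the rate value 1000 are placeholders chosen for illustration and must be replaced with values that fit the device.

```text
! Added example, not from the original page or Cisco's advisory.
! ACL name, interface and rate value are placeholders.
configure
ipv4 access-list DENY-DVMRP
 10 deny igmp any any dvmrp
 20 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group DENY-DVMRP ingress
!
! Rate value is a placeholder: measure the current average IGMP rate
! on the device first and set the policer below it.
lpts pifib hardware police flow igmp rate 1000
commit
end
!
! Verify: the Received counter for DVMRP packets should stop increasing.
show igmp traffic
```

Two points to keep in mind when adapting this. IOS XR uses a two-stage configuration, so nothing takes effect until commit is issued. Only one ACL can be applied per direction on an interface, so if the interface already carries an inbound ACL, add the deny ACE (with a sequence number that places it before any broader permit) to that existing list instead of replacing it with DENY-DVMRP.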

Publisher: SecPod Technologies