Cisco Warns Of Actively Exploited Bugs In Carrier-Grade Routers
Image: Taylor Vick
09/01/20 Update below. This post was originally published on August 31st, 2020. We updated it to reflect that there are two actively exploited DVMRP Memory Exhaustion Vulnerabilities according to Cisco’s updated security advisory.
Cisco warned over the weekend that threat actors are trying to exploit two high severity memory exhaustion denial-of-service (DoS) vulnerabilities in the company’s Cisco IOS XR software that runs on carrier-grade routers.
Cisco’s IOS XR Network OS is deployed on multiple router platforms including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.
Cisco hasn’t yet released software updates to address these actively exploited zero-days — tracked as CVE-2020-3566 and CVE-2020-3569 — but the company provides mitigation in a security advisory published over the weekend.
“On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of these vulnerabilities in the wild,” Cisco explains.
“For affected products, Cisco recommends implementing a mitigation that is appropriate for the customer’s environment.”
All Cisco IOS XR routers affected (if multicast routing is enabled)
The zero-days exist in the Distance Vector Multicast Routing Protocol (DVMRP) feature of the IOS XR software and it may allow remote and unauthenticated attackers to exhaust the targeted device’s memory.
“These vulnerabilities are due to insufficient queue management for Internet Group Management Protocol (IGMP) packets,” the security advisory explains.
“An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes.
“These processes may include, but are not limited to, interior and exterior routing protocols.”
According to Cisco, the security flaws affect any Cisco device running any Cisco IOS XR Software release if one of their active interfaces is configured under multicast routing.
To determine if multicast routing is enabled on a device, admins can run the show igmp interface command. For IOS XR routers were multicast routing is not enabled, the output will be empty and the devices are not affected by CVE-2020-3566.
On devices where these vulnerabilities were exploited to exhaust memory, admins can see system log messages similar to the ones in the screenshot embedded below.
Also read: Top 10 Exceptional And Creative Website Design Guidelines
Mitigation measures
Cisco says that admins can take measures to partially or fully remove the exploit vector threat actors could use in attacks targeting devices vulnerable against CVE-2020-3566 and CVE-2020-3569 exploits.
Admins can implement rate-limiting to reduce IGMP traffic rates and increase the time needed to successfully exploit the two flaws, time that can be used for recovery.
Customers can also “implement an access control entry (ACE) to an existing interface access control list (ACL)” or a new ACL to deny inbound DVRMP traffic to interfaces with multicast routing enabled.
Cisco recommends disabling IGMP routing on interfaces where processing IGMP traffic is not necessary by entering IGMP router configuration mode.
This can be done by issuing the router igmp command, selecting the interface using interface , and disabling IGMP routing using router disable.
Last month, Cisco fixed another high severity and actively exploited read-only path traversal vulnerability tracked as CVE-2020-3452 and affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
One week earlier, the company issued another set of security updates to address pre-auth critical remote code execution (RCE), authentication bypass, and static default credential vulnerabilities affecting multiple firewall and router devices that could lead to full device takeover.
Also read: Data Protection Framework: Practical Guidance for Businesses
0 Comments