Cisco Warns of Active Exploitation of Zero Day Flaws in IOS XR Software Used by Cisco Carrier-Grade Routers

Share this article on:

Two zero-day vulnerabilities in the IOS XR software used by Cisco Network Converging System carrier-grade routers are being actively exploited by hackers. The first attempts at exploitation of the vulnerabilities were detected by Cisco on August 25, 2020.

While patches have yet to be released by Cisco to correct the vulnerabilities, there are workarounds that can be used to reduce the risk of the vulnerabilities being exploited.

The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, are present in the distance vector multicast routing protocol (DVMRP) and affect all Cisco devices that use the IOS XR version of its Internetworking Operating System, if the software has been configured to use multicast routing. Multicast routing is used to save bandwidth and involves sending certain data in a single stream to multiple recipients.

An unauthenticated attacker could exploit the flaws to exhaust the process memory of a device by remotely sending specially crafted internet group management protocol (IGMP) packets to the device. If the flaws are successfully exploited it would cause memory exhaustion resulting in a denial of service and could cause instability of other processes, such as interior and exterior routing protocols.

The flaws have been assigned a CVSS v3 base score of 8.6 out of 10.Cisco says the risk of exploitation is high, so it is important for patches to be applied as soon as they are released, but for mitigations to be implemented until patches are made available. The mitigations suggested by Cisco are not complete workarounds but will reduce the risk of exploitation.

Users of vulnerable Cisco products should rate limit IGMP traffic. Administrators must determine what their normal rate of IGMP traffic is and should then set a rate lower than the average rate. This will not prevent exploitation of the flaws, but by reducing the traffic rate, the time taken to exploit the flaws will be increased, which would allow administrators extra time to perform recovery actions.

Customers can also implement an access control entry (ACE) to an existing interface control list (ACL) which will help to block attacks, or a new ACL can be created for a specific interface that denies DVMRP traffic inbound on that interface.

Instructions for determining whether multicast routing is enabled and implementing the mitigations are detailed in the Cisco security advisory. Cisco is currently working on patches to correct the flaws.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On