Zero-day flaw allows attacking Cisco IOS XR devices

by Julie Splinters - - 2020-09-02

Recently discovered zero-day flaw makes Cisco devices insecure

Cisco zero-day flaw discovered

Recently, Cisco warned about a new zero-day vulnerability in its IOS XR, called CVE-2020-3566. This flaw was found in the Distance Vector Multicast Routing Protocol (DVMRP) feature on August 28, 2020. A zero-day vulnerability^[1] is being exploited by allowing a remote, authenticated attacker to perform memory exhaustion attacks and crash other processes running on the Cisco IOS XR.

For example, the attacker can crash security mechanisms and gain access to the device.^[2] However, this possibility is just a theory and it is unclear how this bug is really used by attackers. Cisco explained^[3] how this bug makes IOS XR insecure:

The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.

The risk posed by this flaw is “high” but patches are still in progress

According to the National Vulnerability Database (NVD) information,^[4] the risk posed by CVE-2020-3566 vulnerability is “high”. This flaw is in all Cisco devices with IOS XR software if the software was configured to use multicast routing.

Cisco reported that the attacks were detected last week during the investigation of a support case the company’s team was working on. The company assured customers that its currently trying to develop software updates for IOS XR devices. But it’s still unclear when these flaw fixes will be available.

Firstly Cisco recommends administrators to determine whether the device is receiving DVMRP traffic or not. If after “show igmp traffic” command the “DVMRP packets” line shows zero in the first column and remains as zero on subsequent execution of the command, then the IOS XR software is not receiving DVMRP traffic and is safe from CVE-2020-3566 vulnerability.

Steps how to mitigate the zero-day flaw

While this problem is still not fixed, Cisco has described detailed advisory with multiple mitigation steps for the administrators. There are possible ways to reduce the risk of CVE-2020-3566 vulnerability exploitation. The company recommends to:

Implement the rate limiter. Cisco explains that customers need to understand their current rate of IGMP traffic, so they can set a lower rate than average. The company says:^[5]

This command will not remove the exploit vector. However, the command will reduce the traffic rate and increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions.

Implement an access control entry (ACE) to interface the access control list (ACL). This step may help to block the attackers. Cisco explains:

Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface.

These steps are only partial mitigations and not the full workarounds. It is clear that while Cisco is still trying to work on necessary software updates, IOS XR software administrators should be very careful.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Zero-day (computing). Wikipedia. The free encyclopedia.
^ Ravie Lakshmanan. Cisco Issues Warning Over IOS XR Zero-Day Flaw Being Targeted in the Wild. The Hacker News. Cybersecurity news.
^ Catalin Cimpanu. Cisco warns of actively exploited IOS XR zero-day. ZDNet. News articles.
^ CVE-2020-3566 Detail. NVD. National Vulnerability Database.
^ Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities. Cisco Tools. Cisco Security Advisory.