Over the weekend, Cisco published information on a vulnerability (CVE-2020-3566) in its IOS XR software that could be exploited to cause a denial of service.
Cisco has warned that attackers are already attempting to exploit the vulnerability.
The issue exists in the Distance Vector Multicast Routing Protocol (DVMRP) feature of IOS XR. It can be exploited remotely without authentication, and successful exploitation could deplete process memory and destabilize other processes on the device, including those of interior and exterior routing protocols.
According to Cisco, the vulnerability exists due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. As a result, an attacker may send customized IGMP traffic to a vulnerable device to exploit the flaw.
“This vulnerability affects any Cisco system that is running any update of Cisco IOS XR Software if an active interface is configured under multicast routing,” the company says.
Cisco explains that administrators can use the show igmp interface command to determine whether multicast routing is enabled, and the show igmp traffic command to determine whether the system is receiving DVMRP traffic.
“This weakness results in memory exhaustion, which can affect other processes on the system. It is possible to recover the memory consumed by the IGMP process by restarting the IGMP process with the process restart igmp command,” the company notes.
There are no workarounds to address the issue, but Cisco has released information on various mitigations that customers may apply to remain protected.
Mitigation measures for the vulnerability include introducing a rate limiter for IGMP traffic, which increases the time needed for successful exploitation but does not prevent it, along with adding an access control entry (ACE) to an existing interface access control list (ACL).
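The checks and mitigations described above, written out as an IOS XR CLI session; this is an added illustration, not configuration from the article or from Cisco. The show commands are the ones the article names; the lpts rate-limiter command and the dvmrp ACE keyword follow Cisco's mitigation guidance as recalled here and should be confirmed against the advisory for your release, and the ACL name, sequence number, rate value and interface are placeholders.

```text
! Step 1: confirm exposure (commands named in the article)
RP/0/RP0/CPU0:router# show igmp interface
! Any interface listed as IGMP-enabled means multicast routing is active and the device is affected.
RP/0/RP0/CPU0:router# show igmp traffic
! Non-zero DVMRP counters that keep climbing mean the device is already receiving DVMRP traffic.

! Step 2: rate-limit IGMP punted to the route processor.
! This only slows memory exhaustion; it is not a fix. <RATE> (packets per second) is a placeholder to size per environment.
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# lpts pifib hardware police flow igmp rate <RATE>

! Step 3: add an ACE that drops DVMRP (an IGMP message type) to an ACL already applied on the exposed interface.
! <EXISTING-ACL> and sequence number 5 are placeholders; the sequence must sort before any existing permit igmp entry.
RP/0/RP0/CPU0:router(config)# ipv4 access-list <EXISTING-ACL>
RP/0/RP0/CPU0:router(config-ipv4-acl)# 5 deny igmp any any dvmrp
RP/0/RP0/CPU0:router(config-ipv4-acl)# exit
RP/0/RP0/CPU0:router(config)# commit

! Step 4: verify the ACE is matching and memory is stable; restart the process if memory was already consumed.
RP/0/RP0/CPU0:router# show access-lists ipv4 <EXISTING-ACL> hardware ingress interface <INTERFACE> location <LOCATION>
RP/0/RP0/CPU0:router# process restart igmp
```

Apply the ACE only to interfaces where DVMRP is not legitimately expected; on IOS XR an ACL applied to an interface filters only that interface, so each exposed interface needs its own entry.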
Tracked as CVE-2020-3566, the bug has a CVSS score of 8.6. Cisco reports that attackers are already attempting to exploit the vulnerability.
Multiple models of ASR 9000 series aggregation services routers and multiple releases of IOS XR are affected. Cisco said it would release a software update to fix the bug but did not provide a timeline for when that might happen.