Cisco warned last weekend that there are two serious memory exhaustion denial of service (DoS) vulnerabilities in the Cisco IOS XR software running on its carrier-grade routers that attackers are trying to exploit.
Cisco’s IOS XR network operating system has been deployed on multiple router platforms, including NCS 540 and 560, NCS 5500, 8000 and ASR 9000 series routers.
Two zero-day vulnerabilities, CVE-2020-3566 and CVE-2020-3569, affect the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR software and allow remote, unauthenticated attackers to exhaust the target device's RAM. This feature runs on Cisco enterprise-class routers used by service providers, data centers, and enterprise critical infrastructure.
Unauthenticated remote attackers can exploit the vulnerabilities by sending crafted IGMP (Internet Group Management Protocol) traffic to an affected device.
“Successful utilization can cause the device to run out of memory, leading to the instability of other processes. These processes may include, but are not limited to, internal and external routing protocols,” Cisco explained.
To determine whether multicast routing is enabled on a device, administrators can run the show igmp interface command. On IOS XR routers where multicast routing is not enabled, the output is empty and the device is not affected by CVE-2020-3566.
Cisco has not yet released software updates to address these actively exploited vulnerabilities, but the company provided mitigations in a security advisory issued over the weekend.
Cisco said that administrators can take the following measures to partially or completely remove the exploitable attack vectors and mitigate exploitation of CVE-2020-3566 on a device:
· Administrators can implement rate limiting on IGMP traffic to slow down exploitation of CVE-2020-3566 and buy time for recovery.
· A new ACL, or a new ACE in an existing ACL, can be deployed to deny inbound DVMRP traffic on interfaces that have multicast routing enabled.
· IGMP routing can be disabled on interfaces that do not need to process IGMP traffic: enter IGMP router configuration mode with the router igmp command, select the interface with the interface command, and disable IGMP routing on it with the router disable command.
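The check and the two configuration mitigations above, written out as an IOS XR CLI session. This is an added example, not part of the article or of Cisco's advisory; the interface names and the ACL name are placeholders, and the dvmrp IGMP message-type keyword in the ACE is an assumption to verify against your IOS XR release.

```cisco
! Added example (not from the article or from Cisco's advisory).
! Assumptions: GigabitEthernet0/0/0/0, GigabitEthernet0/0/0/1 and the ACL name
! DENY-DVMRP are placeholders; the "dvmrp" message-type keyword is assumed to
! be accepted by your release.
!
! 1. Check whether multicast routing is enabled at all. Empty output means the
!    device is not affected by CVE-2020-3566 and no change is needed.
show igmp interface
!
! 2. On interfaces that must keep multicast routing enabled, deny inbound
!    DVMRP messages while still permitting all other traffic.
configure
 ipv4 access-list DENY-DVMRP
  10 deny igmp any any dvmrp
  20 permit ipv4 any any
 !
 interface GigabitEthernet0/0/0/0
  ipv4 access-group DENY-DVMRP ingress
 !
 ! 3. On interfaces that do not need to process IGMP traffic, disable IGMP
 !    routing entirely (router igmp / interface / router disable).
 router igmp
  interface GigabitEthernet0/0/0/1
   router disable
  !
 !
 commit
end
!
! 4. Verify: the disabled interface should no longer be listed as IGMP-enabled.
show igmp interface
```

Apply the ACL only to interfaces that genuinely need multicast routing; everywhere else, disabling IGMP on the interface removes the attack surface completely rather than filtering it.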
Last month, Cisco fixed another actively exploited critical read-only path traversal vulnerability, tracked as CVE-2020-3452. It affects the web services interface of Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software.
A week earlier, the company released another set of security updates addressing pre-authentication critical remote code execution (RCE), authentication bypass, and static default credential vulnerabilities affecting multiple firewall and router devices, which could lead to a complete takeover of the device.