Attackers are attempting to overwhelm all available memory via specially crafted IGMP packets
Hackers are actively trying to exploit two high-severity memory-exhaustion vulnerabilities in the Cisco software that runs carrier-class routers, the company has warned.
The vulnerabilities were found in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software, which runs routers and other network devices. If exploited, they “could allow an unauthenticated, remote attacker to exhaust process memory of an affected device,” the company said.
Cisco’s security advisory adds that its team “became aware of attempted exploitation of these vulnerabilities in the wild” on August 28. The bugs have been allocated CVE-2020-3566 and CVE-2020-3569, with a base CVSS score of a “high” 8.6.
Admins can determine whether multicast routing is enabled on a device by issuing the show igmp interface command; if the command lists no interfaces, multicast routing is not enabled and the device is not affected. Cisco’s advisory provides further guidance.
How This Vulnerability Could be Exploited
The vulnerabilities affect any Cisco device that is running any release of Cisco IOS XR Software, if an active interface is configured under multicast routing.
They are caused by insufficient queue management for Internet Group Management Protocol (IGMP) packets.
An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.
Patch on the Way, Take Mitigating Action
Cisco says it will release software updates to address these vulnerabilities, but in the meantime there are no workarounds available.
It is advising users to take mitigating steps in the interim, such as implementing a rate limiter for IGMP traffic and setting the limit below the current average rate of IGMP traffic on their network, which requires measuring that rate first.
Anyone have more info on Cisco CVE-2020-3566 IOS XR actually being exploited? A few articles list "it's being exploited" but one of the requirements (according to Cisco) is IGMP enabled which would greatly limit targets to things like cable tv providers/switched digital video?
— Justin (@HackingLZ) September 1, 2020
“This command will not remove the exploit vector,” Cisco explains. “However, the command will reduce the traffic rate and increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions.
“As a second line of defense, a customer may implement an access control entry to an existing interface access control list (ACL). Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface.”
The following example creates an ACL and denies DVMRP traffic:
RP/0/0/CPU0:router(config)# ipv4 access-list <acl_name> deny igmp any any dvmrp
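Putting the two mitigations together, the following is an added example of an IOS XR configuration; it is not taken from Cisco’s advisory or from this article. The ACL name BLOCK-DVMRP, the interface GigabitEthernet0/0/0/0 and the policer value of 100 packets per second are placeholders. The lpts pifib hardware police flow igmp rate command is the LPTS policer Cisco’s advisory refers to when it says “this command will not remove the exploit vector”; the value you configure must sit below the IGMP rate you have actually measured on the device.

```cisco
! Added example, not from the Cisco advisory or this article.
! ACL name, interface and rate are placeholders; adjust to your device.

! 1. Rate-limit IGMP punted to the route processor. This only slows an
!    attacker down, buying time for recovery; 100 pps is illustrative and
!    must be lower than the device's measured pre-attack IGMP rate.
lpts pifib hardware police flow igmp rate 100
!
! 2. Second line of defense: drop DVMRP (IGMP message type 0x13) inbound.
!    IOS XR ACLs end with an implicit deny, so the permit entry is required;
!    without it the interface drops all other traffic as well.
ipv4 access-list BLOCK-DVMRP
 10 deny igmp any any dvmrp
 20 permit ipv4 any any
!
! 3. Apply the ACL inbound on every multicast-enabled interface that
!    "show igmp interface" reports. Placeholder interface name.
interface GigabitEthernet0/0/0/0
 ipv4 access-group BLOCK-DVMRP ingress
!
commit
```

After committing, confirm with show igmp interface that every IGMP-enabled interface carries the ACL, and watch the hit counter on the deny entry (show access-lists ipv4 BLOCK-DVMRP) to see whether DVMRP traffic is actually arriving. Note that the ACL blocks only the DVMRP message type; it is a stopgap until the vendor fix is installed, not a replacement for it.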