Cisco has recently disclosed a zero-day IOS XR flaw that has caught the attention of criminals. While patches are in progress, Cisco has recommended workarounds for now.
Cisco IOS XR Zero-Day Under Attack
In a recent security advisory, Cisco has disclosed a zero-day vulnerability in the IOS XR Software. The vulnerability affected the Distance Vector Multicast Routing Protocol (DVMRP) feature of the software.
Describing the vulnerability CVE-2020-3566, Cisco explained that the bug was basically a memory exhaustion flaw. The vendors have labeled this flaw as a high-severity bug with a CVSS score of 8.6.
Exploiting this bug could allow an unauthenticated remote attacker to exhaust the memory of the target device. Elaborating the flaw further, they stated,
The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device.
Whereas, regarding the impact of such an exploit, Cisco explained,
A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.
The flaw broadly the devices running any release of the IOS XR software, if it has enabled multicast routing.
Mitigations Available – Patches Underway
At present, no exact fix is available for the patch. Nonetheless, the vendors have suggested two methods to mitigate the bug.
The first includes rate-limiting IGMP traffic and applying a lower than average rate.
Whereas, the second includes applying access control entry (ACE) to an existing interface access control list (ACL). Or, the customers can create an entirely new ACL that denies DVMRP traffic.
The users must ensure applying these workarounds at the earliest as Cisco has detected exploitation attempts for this bug. Therefore, depending upon the customers’ environment, an appropriate mitigation strategy should be in place.