Published on August 31st, 2020 📆 | 3318 Views ⚑0
Cisco warns of actively exploited IOS XR zero-day
Cisco warned on Saturday about a new zero-day vulnerability impacting the Internetwork Operating System (IOS) that ships with its networking equipment.
The vulnerability, tracked as CVE-2020-3566, impacts the Distance Vector Multicast Routing Protocol (DVMRP) feature that ships with the IOS XR version of the operating system.
This version of the OS is usually installed on carrier-grade and data center routers, according to the company’s website.
Cisco says the DVMRP feature contains a bug that allows an unauthenticated, remote attacker to exhaust process memory and crash other processes running on the device. Cisco explains:
“The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”
Exploitation attempts discovered last week
Cisco says that it discovered last week attackers exploiting this bug. The attacks were detected during a support case the company’s support team was called in to investigate.
“On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild,” Cisco said.
The company said its currently working on developing software updates for IOS XR.
The patches are still a few days away. In the meantime, Cisco has provided several workarounds and mitigations for its customers in order to prevent that any exploitation fail — if they occur.
The Cisco security advisory also includes additional incident response instructions for companies to investigate their logs and see if they’ve been attacked using this IOS zero-day.
It is unclear how attackers are using this bug in the grand scheme of things. They may be using it to crash other processes on the router, such as security mechanisms, and gain access to the device. However, this is only a theory, and companies will need to thoroughly comb their logs after they spot any signs of CVE-2020-3566 exploitation.