Cisco Alert: Hackers Targeting Zero-Day Flaws in IOS XR

Remote Attacker Could Exhaust Device Memory, Causing a Denial of Service
Warning: Hackers are actively attempting to exploit two zero-day flaws in a Cisco operating system that runs its carrier-grade routers.
Cisco has confirmed the flaws in IOS XR, which is a version of its Internetworking Operating System used in multiple Cisco Network Converging System carrier-grade routers, including the CRS, 12000 and ASR9000 series. No patches are yet ready, but Cisco has described workarounds that administrators can put in place to partially mitigate attempts to exploit the flaws.
Cisco says its product security incident response team on Friday "became aware of attempted exploitation of these vulnerabilities in the wild," according to a security alert it issued early Saturday. The alert says the risk posed by the flaws is "high," and that "for affected products, Cisco recommends implementing a mitigation that is appropriate for the customer’s environment."
The vulnerabilities, designated CVE-2020-3566 and CVE-2020-3569, are present in every Cisco device that runs any release of the IOS XR software if the software has been configured to use multicast routing. Multicast routing helps save bandwidth by sending some types of data - such as video - in one stream to multiple recipients.
The flaws exist in the distance vector multicast routing protocol, or DVMRP. An unauthenticated, remote attacker could exhaust the process memory of a device by sending crafted internet group management protocol - aka IGMP - packets to a device, the vendor says. The vulnerabilities score a relatively serious 8.6 on the Common Vulnerability Scoring System.
"A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes," Cisco says in its advisory. "These processes may include, but are not limited to, interior and exterior routing protocols."
Cisco says it spotted in-the-wild attacks on Friday while working to resolve a customer problem.
How big of a risk might these flaws pose? The good news, says Troy Mursch, chief research officer at security firm Bad Packets, is that these flaws give attackers relatively "niche market" capabilities, at least when compared to existing distributed denial-of-service attack options, including DDoS conditions created using UDP amplification or TCP reflection.
"A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device." https://t.co/UP6JjCTFDu - Bad Packets (@bad_packets), August 31, 2020
"I could see [these Cisco vulnerabilities] being weaponized, but serious threat actors don't need it in their toolkit yet, if ever," Mursch says.
How to Mitigate
Cisco says it's still preparing patches. In the meantime, it has described steps administrators can take to reduce the risk of the flaws being exploited, although there are no full workarounds - only some partial mitigations.
The first recommendation: Rate limit IGMP traffic. Cisco says administrators will need to know their current, normal rate of IGMP traffic, so they can set a rate that's lower than average. "This command will not remove the exploit vector," Cisco's security advisory states. "However, the command will reduce the traffic rate and increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions."
The advisory adds: "As a second line of defense, a customer may implement an access control entry (ACE) to an existing interface access control list (ACL)," to help block attackers. "Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface." Cisco's security advisory details precisely how that can be accomplished.
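The two partial mitigations described above, written out as an IOS XR configuration fragment. This is an added example, not configuration text from the article or from Cisco's advisory; the command syntax is from general IOS XR knowledge and should be checked against the advisory and the platform's own command reference. The policer rate (1000 packets per second), the ACL name DENY-DVMRP and the interface GigabitEthernet0/0/0/0 are constructed placeholders; the rate in particular must be set below the IGMP rate actually measured on the device, as the advisory requires.

```cisco
! Added example; assumed names and values are marked below.
!
! Step 1: rate-limit IGMP punted to the route processor with the LPTS policer.
! The article's first recommendation. 1000 pps is a constructed placeholder;
! measure the device's normal IGMP rate first and choose a lower value.
configure
 lpts pifib hardware police flow igmp rate 1000
 !
 ! Step 2: second line of defense. An ACL that denies DVMRP (an IGMP message
 ! type) inbound while still permitting ordinary IGMP and other IPv4 traffic,
 ! so multicast group membership on the interface keeps working.
 ipv4 access-list DENY-DVMRP
  10 deny igmp any any dvmrp
  20 permit igmp any any
  30 permit ipv4 any any
 !
 ! Apply the ACL ingress on the interface that faces untrusted neighbors.
 ! GigabitEthernet0/0/0/0 is an assumed interface name.
 interface GigabitEthernet0/0/0/0
  ipv4 access-group DENY-DVMRP ingress
 !
 commit
end
!
! Verification after commit (node name 0/0/CPU0 is an assumed location):
!   show lpts pifib hardware police location 0/0/CPU0 | include IGMP
!   show access-lists ipv4 DENY-DVMRP
```

The policer only slows an attacker down, which is exactly what the advisory says it does, so the ACL is the part that actually removes the DVMRP vector on the interfaces where it is applied; apply it to every interface that can receive traffic from untrusted sources, and re-check the measured IGMP rate after the change so legitimate joins and reports are not being dropped by the policer.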
Executive Editor Mathew Schwartz contributed to this report.