Cisco warned about 0-day vulnerabilities in IOS XR

Last weekend, Cisco warned about 0-day vulnerabilities found in the IOS XR operating system, which is typically installed on carrier-grade routers and network equipment in data centers.

The vulnerability is related to the DVMRP function, and experts explain that the bug allows a remote unauthorized attacker to provoke a process memory depletion and cause the failure of other processes running on the device (including internal and external routing protocols).

In essence, an attacker can launch a serious DoS attack on vulnerable network equipment.

“An attacker could exploit these vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols”, — inform Cisco engineers.

Moreover, have already been noticed attempts to exploit this problem last week. The attacks were discovered after an unnamed customer contacted support, and the company’s support team, PSIRT (Cisco Product Security Incident Response Team), was brought in to investigate the incident.

Let me remind you that these are not the first problems with IOS XR. We’ve reported that vulnerability in Cisco IOS XE allows invasion in internal networks through a malicious link.

Unfortunately, there are no patches for the 0-day bug yet, and it will take several days to create them.

In the meantime, Cisco offers its customers several workarounds and security methods to prevent attempts to exploit CVE-2020-3566.

• As a first line of defense, it is recommended for customers to implement a rate limiter. This will require that customers understand their current rate of IGMP traffic and set a rate lower than the current average rate.
  
  This will not remove the exploit vector. However, the command will reduce the traffic rate and increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions.
• As a second line of defense, a customer may implement an access control entry (ACE) to an existing interface access control list (ACL). Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface.

Let me also remind you that Cisco deliberately sold vulnerable software to the US government and by court order will pay a fine of $8.6 million