UPDATE--Cisco is warning customers that attackers are actively targeting two serious, unpatched vulnerabilities in the IOS XR software that runs on many of its routers. The flaws do not allow remote code execution or control of a vulnerable device, but an attacker could use either of the bugs to exhaust the process memory of the device.
The IOS XR operating system runs on a wide range of Cisco routers, including network and edge routers used in enterprises and by service providers. The specific vulnerabilities (CVE-2020-3566 and CVE-2020-3569) Cisco is warning about are in the Distance Vector Multicast Routing Protocol that’s part of IOS XR. Cisco originally issued the advisory for one of the flaws on Aug. 29 and on Monday the company updated it to reflect the discovery of a second bug in the DVMRP implementation in IOS XR.
“These vulnerabilities are due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols,” the Cisco advisory says.
“These vulnerabilities affect any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing.”
Cisco does not have patched versions of IOS XR available yet and there are no workarounds for the bugs, but there are a number of mitigations customers can implement to lower the risk of exploitation. The baseline mitigation is to implement a rate limit for the volume of IGMP traffic coming into an affected router. The use of rate limiting doesn't prevent exploitation of the vulnerability, but it increases the amount of time it takes an attacker to exhaust the target device's memory.
“As a second line of defense, a customer may implement an access control entry (ACE) to an existing interface access control list (ACL). Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface,” the Cisco advisory says.
Also, Cisco recommends that customers disable IGMP routing on interfaces where IGMP processing isn’t needed. The company discovered the vulnerabilities during a customer support engagement.
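The three mitigations described above, written out as IOS XR configuration. This is an added illustration, not a fragment from the article or from Cisco's advisory; the interface name, ACL name and IGMP rate value are placeholders that an operator would replace with values appropriate to their own network.

```text
! Mitigation 1: rate-limit IGMP traffic punted to the route processor.
! This only slows memory exhaustion; it does not prevent it.
! 1000 pps is an assumed example value, not a Cisco recommendation.
configure
 lpts pifib hardware police flow igmp rate 1000
 commit
!
! Mitigation 2: deny inbound DVMRP on a specific interface via an ACL.
! "DENY-DVMRP" and "GigabitEthernet0/0/0/0" are placeholders.
configure
 ipv4 access-list DENY-DVMRP
  10 deny igmp any any dvmrp
  20 permit ipv4 any any
 !
 interface GigabitEthernet0/0/0/0
  ipv4 access-group DENY-DVMRP ingress
 commit
!
! Mitigation 3: disable IGMP processing on interfaces that do not need it.
configure
 router igmp
  interface GigabitEthernet0/0/0/0
   router disable
 commit
!
! Verification (assumed commands): confirm the ACL is applied and
! inspect IGMP interface state after committing.
show access-lists ipv4 DENY-DVMRP
show igmp interface GigabitEthernet0/0/0/0
```

Apply the ACL only where DVMRP is not legitimately used, since the deny entry drops all DVMRP messages on that interface.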
"On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of these vulnerabilities in the wild," Cisco said in the advisory.
_This article was updated on Sept. 1 to include information on the second vulnerability._