
Cisco Alert: Hackers Targeting Zero-Day Flaws in IOS XR

Remote Attacker Could Exhaust Device Memory, Causing a Denial of Service
Cisco is prepping patches for IOS XR, which runs on its carrier-grade routers, including the ASR 9000 series (pictured).

Warning: Hackers are actively attempting to exploit two zero-day flaws in a Cisco operating system that runs its carrier-grade routers.


Cisco has confirmed the flaws in IOS XR, the version of its Internetworking Operating System used in multiple Cisco Network Convergence System carrier-grade routers, including the CRS, 12000 and ASR 9000 series. No patches are yet ready, but Cisco has described workarounds that administrators can put in place to partially mitigate attempts to exploit the flaws.

Cisco says its product security incident response team on Friday "became aware of attempted exploitation of these vulnerabilities in the wild," according to a security alert it issued early Saturday. The alert says the risk posed by the flaws is "high," and that "for affected products, Cisco recommends implementing a mitigation that is appropriate for the customer’s environment."

The vulnerabilities, designated CVE-2020-3566 and CVE-2020-3569, are present in every Cisco device that runs any release of the IOS XR software if the software has been configured to use multicast routing. Multicast routing helps save bandwidth by sending some types of data - such as video - in one stream to multiple recipients.

The flaws exist in the distance vector multicast routing protocol, or DVMRP. An unauthenticated, remote attacker could exhaust the process memory of a device by sending crafted internet group management protocol - aka IGMP - packets to a device, the vendor says. The vulnerabilities score a relatively serious 8.6 on the Common Vulnerability Scoring System.

"A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes," Cisco says in its advisory. "These processes may include, but are not limited to, interior and exterior routing protocols."

In-the-Wild Attacks

Cisco says it spotted in-the-wild attacks on Friday while working to resolve a customer problem.

How big of a risk might these flaws pose? The good news, says Troy Mursch, chief research officer at security firm Bad Packets, is that these flaws give attackers relatively "niche market" capabilities, at least when compared to existing distributed denial-of-service attack options, including DDoS conditions created using UDP amplification or TCP reflection.

"I could see [these Cisco vulnerabilities] being weaponized, but serious threat actors don't need it in their toolkit yet, if ever," Mursch says.

How to Mitigate

Cisco says it's still preparing patches. In the meantime, it has described steps administrators can take to reduce the risk of the flaws being exploited, although there are no full workarounds - only some partial mitigations.

The first recommendation: Rate limit IGMP traffic. Cisco says administrators will need to know their current, normal rate of IGMP traffic, so they can set a rate that's lower than average. "This command will not remove the exploit vector," Cisco's security advisory states. "However, the command will reduce the traffic rate and increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions."

The advisory adds: "As a second line of defense, a customer may implement an access control entry (ACE) to an existing interface access control list (ACL)," to help block attackers. "Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface." Cisco's security advisory details precisely how that can be accomplished.
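The two mitigations above, the ACL entry that denies DVMRP and the IGMP rate limit, can be reasoned about as a small packet-filter model. The following is an added example, not code from Cisco or from the advisory, and it does not reproduce IOS XR's configuration syntax or data plane; it parses constructed IPv4/IGMP packets (IGMP type 0x13 is the IANA-assigned DVMRP message type), applies the deny-DVMRP entry first and then a per-second IGMP cap, and reports what each stage did. The `filter_igmp` and `build_sample_stream` names, the traffic mix and the limit of 4 packets per second are assumptions made for the illustration. Running it with `deny_dvmrp=False` shows Cisco's point that rate limiting alone "will not remove the exploit vector": the DVMRP packets are merely slowed down, not stopped.

```python
"""Model of the two IGMP mitigations described for CVE-2020-3566 / CVE-2020-3569:
an interface ACL entry that denies DVMRP, and a rate limit on IGMP traffic.
Added example with constructed packets; it is not Cisco's code and does not
reproduce the IOS XR data plane."""
import struct
from collections import defaultdict

IGMP_PROTO = 2          # IPv4 protocol number for IGMP
IGMP_TYPE_DVMRP = 0x13  # IANA-assigned IGMP message type used by DVMRP
IGMP_TYPE_NAMES = {
    0x11: "membership-query",
    0x12: "v1-report",
    0x13: "dvmrp",
    0x16: "v2-report",
    0x17: "leave",
    0x22: "v3-report",
}


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src, dst, proto, payload, ttl=1):
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_igmp(igmp_type, group="0.0.0.0"):
    """IGMP message: type, max-response/reserved byte, checksum (zero), group address."""
    return struct.pack("!BBH", igmp_type, 0, 0) + ip_to_bytes(group)


def parse_igmp(packet):
    """Return {src, dst, type, name} for an IPv4/IGMP packet, or None if it is not IGMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IGMP_PROTO or len(packet) < ihl + 8:
        return None
    igmp_type = packet[ihl]
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "type": igmp_type,
        "name": IGMP_TYPE_NAMES.get(igmp_type, "unknown"),
    }


def filter_igmp(stream, pps_limit, deny_dvmrp=True):
    """Apply the ACE (deny DVMRP) first, then a per-second IGMP rate cap.

    stream: iterable of (timestamp_seconds, raw_packet_bytes).
    Returns counts of what each stage did. Non-IGMP traffic is counted and passed
    through untouched, since both mitigations act only on IGMP.
    """
    admitted_in_second = defaultdict(int)
    summary = {"not_igmp": 0, "denied_dvmrp": 0, "over_rate": 0, "admitted": 0}
    for ts, packet in stream:
        info = parse_igmp(packet)
        if info is None:
            summary["not_igmp"] += 1
            continue
        if deny_dvmrp and info["type"] == IGMP_TYPE_DVMRP:
            summary["denied_dvmrp"] += 1   # ACE hit: never reaches the IGMP process
            continue
        second = int(ts)
        if admitted_in_second[second] >= pps_limit:
            summary["over_rate"] += 1      # policed: dropped, buys recovery time only
            continue
        admitted_in_second[second] += 1
        summary["admitted"] += 1
    return summary


def build_sample_stream():
    """Constructed traffic: 3 queries, 5 DVMRP messages, 10 v2 reports, 1 TCP segment."""
    stream = []
    for i in range(3):   # second 0: routine membership queries
        stream.append((0.0 + i * 0.1,
                       build_ipv4("192.0.2.1", "224.0.0.1", IGMP_PROTO, build_igmp(0x11))))
    for i in range(5):   # second 0: DVMRP messages to the All-DVMRP-Routers group
        stream.append((0.3 + i * 0.1,
                       build_ipv4("198.51.100.7", "224.0.0.4", IGMP_PROTO, build_igmp(IGMP_TYPE_DVMRP))))
    for i in range(10):  # second 1: a burst of v2 reports
        stream.append((1.0 + i * 0.1,
                       build_ipv4("192.0.2.50", "239.1.1.1", IGMP_PROTO, build_igmp(0x16, "239.1.1.1"))))
    stream.append((2.0, build_ipv4("192.0.2.9", "192.0.2.10", 6, b"\x00" * 20)))  # TCP, untouched
    return stream


SAMPLE_STREAM = build_sample_stream()

if __name__ == "__main__":
    print("ACL + rate limit:", filter_igmp(SAMPLE_STREAM, pps_limit=4))
    print("rate limit only :", filter_igmp(SAMPLE_STREAM, pps_limit=4, deny_dvmrp=False))
```

With both stages enabled, every DVMRP message is discarded by the ACE and the rate cap only trims the unrelated report burst; with the ACE disabled, four of the five DVMRP messages share the second-0 budget with the legitimate queries and one still reaches the IGMP process. That is why the advisory pairs the rate limit with the ACL, and why the cap must be set from a measured baseline of normal IGMP traffic rather than guessed.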

Executive Editor Mathew Schwartz contributed to this report.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
