Zero Day Vulnerabilities Found in IOS XR Software Utilized by Cisco Carrier-Grade Routers

Hackers are actively exploiting two zero-day vulnerabilities found in the IOS XR software that is used in Cisco Network Converging System carrier-grade routers. Cisco discovered the initial attempts of exploiting the vulnerabilities on August 25, 2020.

While Cisco has not released patches yet to resolve the vulnerabilities, there are ways to minimize the chances of vulnerabilities exploitation.

The CVE-2020-3566 and CVE-2020-3569 vulnerabilities are identified in the distance vector multicast routing protocol or DVMRP. They affect all Cisco devices installed with the IOS XR version of the Internetworking Operating System that is configured to utilize multicast routing. The purpose of using multicast routing is to save bandwidth and to use a single stream to send some data to several recipients.

An unauthenticated hacker can exploit the vulnerabilities by wirelessly sending a specific internet group management protocol or IGMP packets to the device and drain its process memory. If the hacker succeeds at exploiting the vulnerabilities, the device will suffer memory exhaustion, which results in a denial of service. That could make the other process like the exterior and interior routing protocols unstable.

The vulnerabilities have an assigned CVSS v3 base rating of 8.6 out of 10, which means a high risk of exploitation. Therefore, patches must be applied immediately upon release. In the meantime, implement the mitigations until the patches are available. Cisco suggested mitigations, not complete workarounds, which can minimize the risk of exploitation.

End-users of vulnerable Cisco products must restrict the rate of IGMP traffic. Administrators need to know the normal IGMP traffic rate first in order to set a rate below the average rate. Although vulnerabilities exploitation won’t be prevented, it will help reduce the traffic rate and delay the exploitation of vulnerabilities. That would give administrators more time to implement recovery steps.

To help block attacks, end-users could likewise use an access control entry (ACE) to the current existing interface control list (ACL). It’s also possible to create a new ACL for a particular interface that blocks inbound DVMRP traffic using that interface.

Cisco has issued a security advisory to help users know if their devices have multicast routing enabled and implement the mitigations. The company is also creating patches that would fix the vulnerabilities. Cisco is currently working on patches to correct the vulnerabilities.