Cisco has released a security advisory on multiple memory exhaustion vulnerabilities in the Cisco IOS XR devices. These vulnerabilities allow an unauthenticated attacker to exhaust the process memory of an affected device.
Distance Vector Multicast Routing Protocol (DVMRP) is a protocol for multicast routing. The vulnerabilities exist in the DVMRP feature of Cisco IOS XR devices. These vulnerabilities are caused by insufficient queue management for Internet Group Management Protocol (IGMP) packets. CVE-2020-3566 and CVE-2020-3569 are assigned to identify these vulnerabilities. An unauthenticated remote attacker can send crafted IGMP traffic to the affected devices to cause process memory to exhaust on an affected device.
All Cisco devices which are running any release of Cisco IOS XR Software are affected by these vulnerabilities if an active interface is configured under multicast routing.
Multiple sources have confirmed that these vulnerabilities are being exploited in the wild by attackers. Indicators of Compromise has been provided by Cisco to detect if a device is exploited by these critical vulnerabilities.
Cisco says that there will be an update that addresses these vulnerabilities. But at this time of now, there is no patch or workaround available. However, Cisco has provided affected the customers 2 mitigations to use depending on their needs.
- Implement a rate limiter. Cisco IOS XR customers need to understand their current rate of IGMP traffic first then set a rate lower than the current average rate with the following command:
lpts pifib hardware police flow igmp rate
- Implement an access control entry (ACE) to an existing interface access control list (ACL) with the command:
ipv4 access-list <acl_name> deny igmp any any dvmrp
Qualys customers can scan their network with QID: 316693 in VULNSIGS-2.4.976-3 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.