Cisco IOS Remote Memory Exhaustion Vulnerability

A vulnerability in Cisco's IOS XR software is being exploited by unknown attackers.

Threat ID:: CC-3611
Threat Severity:: Low
Threat Vector:: Insecure network
Published:: 1 September 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

A vulnerability in Cisco's IOS XR software is being exploited by unknown attackers.

Affected platforms

The following platforms are known to be affected:

Versions: all Cisco devices running any Cisco IOS XR release if an active interface is configured under multicast routing

Cisco IOS XR

Threat details

Introduction

Cisco has released a details of a vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of their IOS XR software. This vulnerability affects Cisco devices running IOS XR software that have an active interface configured under multicast routing. A remote attacker could exploit this vulnerability to exhaust process memory of an affected device.

Active exploitation

Please note that active exploits for this vulnerability have been observed in the wild.

It is not currently clear if the observed exploits are publicly available.

Remediation advice

Cisco has confirmed that updates are being produced to fully address this vulnerability in all supported IOX XR platforms. Affected organisation are encouraged to apply any relevant updates as soon as they become available.

Cisco has also identified a number of mitigating steps that can be taken to reduce the possibility of exploitation:

Implement an IGMP traffic rate limit using the following command:

RP/0/0/CPU0:router(config)# lpts pifib hardware police flow igmp rate <value lower than current average rate>

Implement suitable access control lists to deny DVMRP traffic using the following command:

RP/0/0/CPU0:router(config)# ipv4 access-list <acl_name> deny igmp any any dvmrp

Indicators of compromise

Exploitation log messages

Exploitation of CVE-2020-3566 will result in the following error messages being generated in system logs:

RP/0/RSP1/CPU0:Aug 28 03:46:10.375 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 1 owned by igmp (jid=1175)
RP/0/RSP0/CPU0:Aug 28 03:46:10.380 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 1 owned by igmp (jid=1175
RP/0/RSP0/CPU0:Aug 28 03:49:22.850 UTC: dumper[61]: %OS-DUMPER-7-DUMP_REQUEST : Dump request for process pkg/bin/igmp
RP/0/RSP0/CPU0:Aug 28 03:49:22.851 UTC: dumper[61]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 7 for process pkg/bin/igmp
RP/0/RSP0/CPU0:Aug 28 03:49:22.851 UTC: dumper[61]: %OS-DUMPER-4-SIGSEGV : Thread 9 received SIGSEGV - Segmentation Fault

Definitive source of threat updates

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz

CVE Vulnerabilities

Status Master

CVE-2020-3566

A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols. Cisco will release software updates that address this vulnerability.

Last edited: 1 September 2020 12:16 pm