Telecoms and data-center operators take note: attackers are actively trying to exploit a high-severity zeroday vulnerability in Cisco networking devices, the company warned over the weekend.
The security flaw resides in Cisco’s iOS XR Software, an operating system for carrier-grade routers and other networking devices used by telecommunications and data-center providers. In an advisory published on Saturday, the networking-gear manufacturer said that a patch is not yet available and provided no timeline for when one would be released.
Memory exhaustion
CVE-2020-3566, as the vulnerability is tracked, allows attackers to “cause memory exhaustion, resulting in instability of other processes” including but not limited to interior and exterior routing protocols. Exploits work by sending maliciously crafted Internet Group Management Protocol traffic. Normally, IGMP communications are used by one-to-many networking applications to conserve resources when streaming video and related content. A flaw in the way iOS XR Software queues IGMP packets makes it possible to consume memory resources.
“An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device,” Saturday’s advisory stated. “A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”
Independent researcher Troy Mursch, who monitors active Internet attacks using honeypots—or simulated production networks belonging to organizations and consumers—told me he had seen limited signs of exploitation attempts.
“There was some IGMP scanning activity last week, but we haven’t seen a widespread type of attack,” he said.
He said the most likely purpose of the attacks would be to cause denial of services that, by definition, prevent the intended use of products, often to huge swaths of the Internet.
Attacks have the potential to be severe because they threaten high-availability servers where reliability and security are paramount. To be vulnerable, a device must be configured to accept traffic that uses DVMRP, short for the Distance Vector Multicast Routing Protocol. Networks use DVMRP to share information between routers in the transport of IP multicast packets. Networks that have no need of DVMRP often turn it off.
Cisco didn’t elaborate on what the attacks were doing beyond saying they could exhaust memory that would disrupt various processes. Cisco also didn’t say if any of the exploit attempts are succeeding. The company rated the severity of the vulnerability “high” with a Common Vulnerability Scoring System tally of 8.6 out of a total of 10. The IGMP packet-queuing flaw resides in the Distance Vector Multicast Routing Protocol folded into iOS XR.
The advisory provides indicators that users can check to look for evidence they’re under attack. The document says there are no workarounds available to use until a patch can be installed. It does, however, list things administrators can do to mitigate the effects.
