Cisco Warns Customers About Unpatched Zero-Day DoS Vulnerability in Devices


Cisco warns customers about a high severity zero-day vulnerability in data center routers and networking devices that could cause attackers to trigger memory exhaustion. Though no patch is available yet, the networking giant has issued steps to mitigate the threat posed by attackers. 

Cisco recently discovered a memory exhaustion Denial of Service (DOS) vulnerability in its IOS XR Network OS, widely used in multiple networking gear like data center routers. The vulnerability impacts the Distance Vector Multicast Routing Protocol (DVMRP) of networking operating system (OS) and can allow attackers to remotely exhaust process memory of an affected device without requiring any sort of authentication.

Cisco came to know about the high-severity zero-day vulnerability — CVE-2020-3566Opens a new window on Saturday through an exploitation attempt that was discovered by Cisco’s Technical Assistance Center (TAC) team during a support case. In a statement, Cisco warned customers, “On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of these vulnerabilities in the wild.”

If successfully exploited, an attacker can exhaust the process memory by leveraging the insufficient queue management for Internet Group Management Protocol (IGMP) packets. “An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”

See Also: Zero-Day Vulnerability on Cisco SMB Routers FixedOpens a new window

CVE-2020-3566 falls in the ‘high’ severity bracket with a CVSS score of 8.6.  Affected routers include those from series NCS 540 & 560, NCS 5500, 8000, and ASR 9000. It can also affect any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing.

Indicators of Compromise

Admins/users can expect the following messages in case of a successful exploit:

RP/0/RSP1/CPU0:Aug 28 03:46:10.375 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 1 owned by igmp (jid=1175)

RP/0/RSP0/CPU0:Aug 28 03:46:10.380 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 1 owned by igmp (jid=1175)

RP/0/RSP0/CPU0:Aug 28 03:49:22.850 UTC: dumper[61]: %OS-DUMPER-7-DUMP_REQUEST : Dump request for process pkg/bin/igmp

RP/0/RSP0/CPU0:Aug 28 03:49:22.851 UTC: dumper[61]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 7 for process pkg/bin/igmp

RP/0/RSP0/CPU0:Aug 28 03:49:22.851 UTC: dumper[61]: %OS-DUMPER-4-SIGSEGV : Thread 9 received SIGSEGV – Segmentation Fault

No Patch Available for High-Severity Flaw  

No direct fix for CVE-2020-3566 is made available by Cisco though the company said in an advisoryOpens a new window that they are developing software updates and will release them soon for cloud providers and telcos. Meanwhile, customers are also provided with a few steps to mitigate the impact of the vulnerability.  

  • Implementation of a rate-limiter to reduce IGMP traffic rates with the command:

RP/0/0/CPU0:router(config)# lpts pifib hardware police flow igmp rate <value>

This will increase the time needed to successfully exploit the said flaw 

  • Implementation of an access control entry (ACE) to deny inbound DVMRP traffic with:

RP/0/0/CPU0:router(config)# ipv4 access-list <acl_name> deny igmp any any dvmrp

Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!