CVE-2020-3566 - Denial of service vulnerability in Cisco IOS XR
Published: 2020-08-29T00:00:00
ID: AKB:0526BD48-C539-4FE8-AC29-3DE007A30DD2
Type: attackerkb
Reporter: AttackerKB
Modified: 2020-09-01T00:00:00
Description
A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols. Cisco will release software updates that address this vulnerability.
Recent assessments:
ccondon-r7 at August 31, 2020 11:33pm UTC reported:
At face value, this doesn’t seem to be a terribly high-value vuln from an attacker point of view. That’s not to say that impact to availability and disruption of business processes isn’t high-impact for infrastructure and service providers, just that the vulnerability is a denial of service that currently doesn’t look to offer attackers useful access. That changes pretty quickly if it turns out DoS exploitation gives rise to a different threat vector.
Assessed Attacker Value: 2
CVSS: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploited in the wild: true
CVE list: CVE-2020-3566, CVE-2020-3569
Href: https://attackerkb.com/topics/WcmktcqDwq/cve-2020-3566---denial-of-service-vulnerability-in-cisco-ios-xr
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3566
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
Last seen: 2020-11-18T06:38:53
{"cve": [{"lastseen": "2020-10-07T10:52:01", "description": "Multiple vulnerabilities in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to either immediately crash the Internet Group Management Protocol (IGMP) process or make it consume available memory and eventually crash. The memory consumption may negatively impact other processes that are running on the device. These vulnerabilities are due to the incorrect handling of IGMP packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols. Cisco will release software updates that address these vulnerabilities.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-09-23T01:15:00", "title": "CVE-2020-3569", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3569"], "modified": "2020-10-06T13:19:00", "cpe": ["cpe:/o:cisco:ios_xr:-"], "id": "CVE-2020-3569", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3569", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:cisco:ios_xr:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:55:55", "description": "A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols. 
Cisco will release software updates that address this vulnerability.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-08-29T16:15:00", "title": "CVE-2020-3566", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3566"], "modified": "2020-09-04T17:04:00", "cpe": ["cpe:/o:cisco:ios_xr:6.4.2"], "id": "CVE-2020-3566", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3566", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:cisco:ios_xr:6.4.2:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-18T06:38:48", "bulletinFamily": "info", "cvelist": ["CVE-2020-3566", "CVE-2020-3569"], "description": "Multiple vulnerabilities in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to either immediately crash the Internet Group Management Protocol (IGMP) process or make it consume available memory and eventually crash. The memory consumption may negatively impact other processes that are running on the device. 
These vulnerabilities are due to the incorrect handling of IGMP packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols. Cisco will release software updates that address these vulnerabilities.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at September 01, 2020 3:08pm UTC reported:\n\nSame initial evaluation as [CVE-2020-3566](<https://attackerkb.com/topics/WcmktcqDwq/cve-2020-3566---denial-of-service-vulnerability-in-cisco-ios-xr?referrer=2020-3566>)\u2014namely that successful exploitation doesn\u2019t appear thus far to yield useful access for attackers, though disruption to critical business services is still a major concern for service providers. If the DoS enables a new threat vector, attacker value on these vulns rises. I\u2019m going to leave exploitability blank for the time being. 
Rapid7 [has analysis here](<https://attackerkb.com/topics/WcmktcqDwq/cve-2020-3566---denial-of-service-vulnerability-in-cisco-ios-xr?#rapid7-analysis>).\n\nAssessed Attacker Value: 2 \n\n", "modified": "2020-10-07T00:00:00", "published": "2020-08-29T00:00:00", "id": "AKB:86ACD634-7733-484A-B16C-162A358D5012", "href": "https://attackerkb.com/topics/jVhXIqpY6M/cve-2020-3569---denial-of-service-vulnerability-in-cisco-ios-xr", "type": "attackerkb", "title": "CVE-2020-3569 - Denial of service vulnerability in Cisco IOS XR", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "thn": [{"lastseen": "2020-09-30T17:44:10", "bulletinFamily": "info", "cvelist": ["CVE-2020-3566", "CVE-2020-3569"], "description": "[](<https://thehackernews.com/images/-7dJ8729lris/X3S1xapYRQI/AAAAAAAAA0s/15lM6-BL3cUofgc_BiwviJsN3gPoc2-9gCLcBGAsYHQ/s0/cisco-ios-exploit.png>)\n\nCisco yesterday released security patches for two high-severity vulnerabilities affecting its IOS XR software that were found exploited in the wild a month ago.\n\nTracked as **CVE-2020-3566** and **CVE-2020-3569**, details for both [zero-day unauthenticated DoS vulnerabilities](<https://thehackernews.com/2020/09/cisco-issue-warning-over-ios-xr-zero.html>) were made public by Cisco late last month when the company found hackers actively exploiting Cisco IOS XR Software that is installed on a range of Cisco's carrier-grade and data center routers.\n\nBoth DoS vulnerabilities resided in Cisco IOS XR Software's Distance Vector Multicast Routing Protocol (DVMRP) feature and existed due to incorrect implementation of queue management for Internet Group Management Protocol (IGMP) packets on affected devices.\n\n[](<https://go.thn.li/contrast> \"cybersecurity\" )\n\nIGMP is a communication protocol typically used by hosts and adjacent routers to efficiently use resources for multicasting applications when supporting streaming content such as online video streaming and gaming.\n\n\"These vulnerabilities affect any 
Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing and it is receiving DVMRP traffic,\" Cisco said in an [advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz>).\n\n\"An administrator can determine whether multicast routing is enabled on a device by issuing the show igmp interface command.\"\n\n[](<https://thehackernews.com/images/-IThGfArWPTk/X3S0z_AWe7I/AAAAAAAAA0c/VGp98eGS1OY_qZJXi39KnOKkXcxt4jn1QCLcBGAsYHQ/s728/cisco-patch.jpg>)\n\nSuccessful exploitation of these vulnerabilities could allow remote unauthenticated hackers to send specially crafted IGMP packets to affected devices to either immediately crash the IGMP process or exhaust process memory and eventually crash.\n\nThe memory consumption may negatively result in instability of other processes running on the device, including routing protocols for both internal and external networks.\n\nThe vulnerabilities affect all Cisco devices running any release of Cisco IOS XR Software if an active interface is configured under multicast routing, and it is receiving DVMRP traffic.\n\nAt the time Cisco initially made these vulnerabilities public, the company provided some mitigation to resolve the issues and block the active exploitation attempts, but now it has finally released Software Maintenance Upgrades (SMUs) to address the vulnerabilities completely.\n\n[](<https://thehackernews.com/images/-y01bfXBWuCk/X3S1UKoUUII/AAAAAAAAA0k/ah8WEUkCBvMFsJkwWRmpKI9hgJ9MAMqjQCLcBGAsYHQ/s728/cisco-software-update.jpg>)\n\n\"Although there are no workarounds for these vulnerabilities, there are multiple mitigations available to customers depending on their needs,\" the company said.\n\n\"When considering mitigations, it should be understood that for the memory exhaustion case, the rate limiter and the access control methods are effective. 
For the immediate IGMP process crash case, only the access control method is effective.\"\n\nCisco customers are highly recommended to make sure they are running the latest Cisco IOS XR Software release earlier than 6.6.3 and Cisco IOS XR Software release 6.6.3 and later.\n", "modified": "2020-09-30T16:49:49", "published": "2020-09-30T16:49:00", "id": "THN:AE5C9C5AE69776FE2A0DA3926B5E1BE4", "href": "https://thehackernews.com/2020/09/cisco.html", "type": "thn", "title": "Cisco Issues Patches For 2 High-Severity IOS XR Flaws Under Active Attacks", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-09-01T08:37:07", "bulletinFamily": "info", "cvelist": ["CVE-2020-3566"], "description": "[](<https://thehackernews.com/images/-ETAiGjhm3A4/X036jrsU_tI/AAAAAAAAAto/3ItBdoxr2awAtb7fZjY--1eIAkm-Ug8YACLcBGAsYHQ/s728-e100/cisco.jpg>)\n\nCisco has warned of an active zero-day vulnerability in its router software that's being exploited in the wild and could allow a remote, authenticated attacker to carry out memory exhaustion attacks on an affected device. \n \n\"An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device,\" Cisco said in an advisory posted over the weekend. \n \n\"A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.\" \n\n\n[](<https://go.thn.li/contrast> \"cybersecurity\" )\n\n \nAlthough the company said it will release software fixes to address the flaw, it did not share a timeline for when it plans to make it available. 
The networking equipment maker said it became aware of attempts to exploit the flaw on August 28. \n \nTracked as [CVE-2020-3566](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz>), the severity of the vulnerability has been rated \"high\" with a Common Vulnerability Scoring System score of 8.6 out of a maximum 10. \n \nThe bug affects all Cisco gear running its [Internetwork Operating System](<https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xr-software/index.html>) (IOS) XR Software and stems from an issue in the Distance Vector Multicast Routing Protocol ([DVMRP](<https://en.wikipedia.org/wiki/Distance_Vector_Multicast_Routing_Protocol>)) feature that makes it possible for an adversary to send specially crafted Internet Group Management Protocol ([IGMP](<https://en.wikipedia.org/wiki/Internet_Group_Management_Protocol>)) packets to the susceptible device in question and exhaust process memory. \n \nIGMP is typically used to efficiently use resources for multicasting applications when supporting streaming content such as online video streaming and gaming. The flaw lies in the manner IOS XR Software queues these packets, potentially causing memory exhaustion and disruption of other processes. \n \nWhile there are no workarounds to resolve the issue, Cisco recommends administrators to run the \"show igmp interface\" command to determine if multicast routing is enabled. \n\n\n \n\"If the output of 'show igmp interface' is empty, multicast routing is not enabled and the device is not affected by these vulnerabilities,\" the company said. \n \nAdditionally, admins can also check the system logs for signs of memory exhaustion and implement rate-limiting to reduce IGMP traffic rates to mitigate the risk. \n \nCisco didn't elaborate on how the attackers were exploiting this vulnerability and with what goal in mind. 
\n \nBut given that resource exhaustion attacks are also a form of denial-of-service attacks, it wouldn't be surprising if bad actors are leveraging the flaw to interfere with the regular functioning of the system.\n", "modified": "2020-09-01T07:40:02", "published": "2020-09-01T07:39:00", "id": "THN:44968C989E8FAA9553813B59B28EB1A0", "href": "https://thehackernews.com/2020/09/cisco-issue-warning-over-ios-xr-zero.html", "type": "thn", "title": "Cisco Issues Warning Over IOS XR Zero-Day Flaw Being Targeted in the Wild", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisco": [{"lastseen": "2020-12-24T11:40:25", "bulletinFamily": "software", "cvelist": ["CVE-2020-3566", "CVE-2020-3569"], "description": "Multiple vulnerabilities in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to either immediately crash the Internet Group Management Protocol (IGMP) process or make it consume available memory and eventually crash. The memory consumption may negatively impact other processes that are running on the device.\n\nThese vulnerabilities are due to the incorrect handling of IGMP packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols.\n\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. 
There are multiple mitigations available to customers depending on their needs.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz\"]", "modified": "2020-09-28T21:36:50", "published": "2020-08-29T03:00:00", "id": "CISCO-SA-IOSXR-DVMRP-MEMEXH-DSMPDVFZ", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz", "type": "cisco", "title": "Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities", "cvss": {"score": 8.6, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}}], "nessus": [{"lastseen": "2020-10-03T13:23:38", "description": "According to its self-reported configuration, Cisco IOS XR Software is affected by multiple vulnerabilities:\n\n - Multiple denial of service (DoS) vulnerabilities exist in the Distance Vector Multicast Routing Protocol (DVMRP)\n feature due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An \n unauthenticated, remote attacker could exploit this issue by sending crafted IGMP traffic to an affected\n device, to cause memory exhaustion resulting in instability of other processes. 
\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber and configuration.", "edition": 5, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-09-01T00:00:00", "title": "Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities (cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-3569", "CVE-2020-3566"], "modified": "2020-09-01T00:00:00", "cpe": ["cpe:/o:cisco:ios_xr"], "id": "CISCO-SA-IOSXR-DVMRP-MEMEXH-DSMPDVFZ.NASL", "href": "https://www.tenable.com/plugins/nessus/140111", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140111);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/02\");\n\n script_cve_id(\"CVE-2020-3566\", \"CVE-2020-3569\");\n 
script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr86414\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvv54838\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz\");\n script_xref(name:\"IAVA\", value:\"2020-A-0442\");\n\n script_name(english:\"Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities (cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported configuration, Cisco IOS XR Software is affected by multiple vulnerabilities:\n\n - Multiple denial of service (DoS) vulnerabilities exist in the Distance Vector Multicast Routing Protocol (DVMRP)\n feature due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An \n unauthenticated, remote attacker could exploit this issue by sending crafted IGMP traffic to an affected\n device, to cause memory exhaustion resulting in instability of other processes. 
\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber and configuration.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?44ee1673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr86414\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv54838\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvr86414, CSCvv54838\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3566\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(400);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios_xr\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ios_xr_version.nasl\", \"cisco_enum_smu.nasl\");\n script_require_keys(\"Host/Cisco/IOS-XR/Version\");\n\n exit(0);\n}\n\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco IOS XR');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['disable_igmp_multicast_routing']);\n\nvuln_ranges = [ {'min_ver':'0.0', 'fix_ver':'9999'} ];\n\nmodel = get_kb_item('CISCO/model');\nif (empty_or_null(model))\n model = product_info['model'];\nmodel = toupper(model);\n\nsmus = make_array();\n\nif ('NCS55' >< model)\n{\n smus['6.5.2'] = 'CSCvv60110';\n}\nelse if ('ASR9K' >< model || model =~ \"ASR9[0-9]{3}\")\n{\n smus['6.1.4'] = 'CSCvv60110';\n smus['6.2.3'] = 'CSCvv60110';\n smus['6.3.3'] = 'CSCvv60110';\n smus['6.4.2'] = 'CSCvv60110';\n smus['6.5.3'] = 'CSCvv60110';\n smus['6.6.2'] = 'CSCvv60110';\n smus['6.6.3'] = 'CSCvv54838';\n smus['7.0.2'] = 'CSCvv54838';\n smus['7.1.15'] = 'CSCvv54838';\n smus['7.1.2'] = 'CSCvv54838';\n}\nelse if ('CRS' >< model)\n{\n smus['6.1.4'] = 'CSCvv60110';\n smus['6.4.2'] = 'CSCvv60110';\n smus['6.4.3'] = 'CSCvv60110';\n}\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvr86414, CSCvv54838',\n 'fix' , 'See vendor advisory',\n 'cmds' , make_list('show igmp interface')\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n workarounds:workarounds,\n vuln_ranges:vuln_ranges,\n smus:smus\n);\n\n\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "cisa": [{"lastseen": "2020-12-18T18:06:32", "bulletinFamily": "info", "cvelist": ["CVE-2020-3566"], "description": "Cisco has released a security advisory on a vulnerability\u2014CVE-2020-3566\u2014in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR software. 
This vulnerability affects Cisco devices running IOS XR software that have an active interface configured under multicast routing. A remote attacker could exploit this vulnerability to exhaust process memory of an affected device. This vulnerability was detected in exploits in the wild.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the [Cisco Security Advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz>) and take the following actions.\n\n * Implement the recommended mitigations.\n * Search for indicators of compromise.\n * Apply the necessary update, when available.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ncas/current-activity/2020/08/31/cisco-releases-security-advisory-dvmrp-vulnerability-ios-xr>); we'd welcome your feedback.\n", "modified": "2020-08-31T00:00:00", "published": "2020-08-31T00:00:00", "id": "CISA:28A3A0611EB6F0D5C62CF9B19D973871", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/08/31/cisco-releases-security-advisory-dvmrp-vulnerability-ios-xr", "type": "cisa", "title": "Cisco Releases Security Advisory for DVMRP Vulnerability in IOS XR Software", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "threatpost": [{"lastseen": "2020-10-14T22:20:38", "bulletinFamily": "info", "cvelist": ["CVE-2020-3566", "CVE-2020-5135"], "description": "Cisco Systems says hackers are actively exploiting previously unpatched vulnerabilities in its carrier-grade routers that could allow adversaries to crash or severely disrupt devices.\n\nThe vulnerabilities exist in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software and could allow an 
unauthenticated, remote attacker to immediately crash the Internet Group Management Protocol (IGMP) process, the company warned [in an advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz>) over the weekend.\n\nThe flaw, tracked as [CVE-2020-3566](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz>), also allows attackers to make devices consume available memory and eventually crash, something that can \u201cnegatively impact other processes that are running on the device,\u201d the company warned. \n[](<https://threatpost.com/newsletter-sign/>) \nIOS XR Software runs many of Cisco\u2019s carrier-grade network routers, including the [CRS](<https://en.wikipedia.org/wiki/Carrier_Routing_System>) series, [12000](<https://en.wikipedia.org/wiki/Cisco_12000>) series, and [ASR9000](<https://en.wikipedia.org/wiki/ASR9000>) series. The vulnerabilities affect \u201cany Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing and it is receiving DVMRP traffic,\u201d the company said.\n\nThe cause of the flaws is the incorrect management of how IGMP packets, which help maintain the efficiency of network traffic, are queued, the company said.\n\n\u201cAn attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device,\u201d according to the advisory. \u201cA successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols.\u201d\n\nCisco is currently working on software updates to address the vulnerabilities, which have no workaround, the company said. 
However, companies using the affected routers can mitigate attacks depending on their needs and network configuration, according to Cisco.\n\nIn the case of a memory exhaustion, Cisco recommends that customers implement a rate limiter, which will require that customers understand their current rate of IGMP traffic and set a rate lower than the current average rate.\n\n\u201cThis command will not remove the exploit vector,\u201d the company acknowledged. \u201cHowever, the command will reduce the traffic rate and increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions.\u201d\n\nIt is possible to recover the memory consumed by the IGMP process by restarting the IGMP process, according to Cisco, which provided details for how to do so.\n\nTo mitigate both memory exhaustion and the immediate IGMP process crash, Cisco advised that customers implement an access control entry (ACE) to an existing interface access control list (ACL). Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface, the company said.\n\nIf an attacker does successfully crash a router\u2019s IGMP process, operators do not need to manually restart the IGMP process because the system will perform that action, which will recover the consumed memory, according to Cisco.\n\nIn addition to mitigations, the company also provided details in the advisory for how network operators will know if a router has been compromised and other details for dealing with any attack on the vulnerabilities until a fix can be found.\n", "modified": "2020-09-02T12:28:15", "published": "2020-09-02T12:28:15", "id": "THREATPOST:A5D4FD6C2281AE395B821A8D0EB5736D", "href": "https://threatpost.com/cisco-warns-of-active-exploitation-of-flaw-in-carrier-grade-routers/158887/", "type": "threatpost", "title": "Cisco Warns of Active Exploitation of Flaw in Carrier-Grade Routers", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}