Cisco Warns of Active Exploitation of Flaw in Carrier-Grade Routers

Cisco Systems says hackers are actively exploiting previously unpatched vulnerabilities in its carrier-grade routers that could allow adversaries to crash or severely disrupt devices.

The vulnerabilities exist in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software and could allow an unauthenticated, remote attacker to immediately crash the Internet Group Management Protocol (IGMP) process, the company warned in an advisory over the weekend.

The flaw, tracked as CVE-2020-3566, also allows attackers to make devices consume available memory and eventually crash, something that can “negatively impact other processes that are running on the device,” the company warned.

IOS XR Software runs many of Cisco’s carrier-grade network routers, including the CRS series, 12000 series, and ASR9000 series. The vulnerabilities affect “any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing and it is receiving DVMRP traffic,” the company said.

The cause of the flaws is the incorrect management of how IGMP packets, which help maintain the efficiency of network traffic, are queued, the company said.

“An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device,” according to the advisory. “A successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols.”

Cisco is currently working on software updates to address the vulnerabilities, which have no workaround, the company said. However, companies using the affected routers can mitigate attacks depending on their needs and network configuration, according to Cisco.

In the case of a memory exhaustion, Cisco recommends that customers implement a rate limiter, which will require that customers understand their current rate of IGMP traffic and set a rate lower than the current average rate.

“This command will not remove the exploit vector,” the company acknowledged. “However, the command will reduce the traffic rate and increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions.”

It is possible to recover the memory consumed by the IGMP process by restarting the IGMP process, according to Cisco, which provided details for how to do so.

To mitigate both memory exhaustion and the immediate IGMP process crash, Cisco advised that customers implement an access control entry (ACE) to an existing interface access control list (ACL). Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface, the company said.

If an attacker does successfully crash a router’s IGMP process, operators do not need to manually restart the IGMP process because the system will perform that action, which will recover the consumed memory, according to Cisco.

In addition to mitigations, the company also provided details in the advisory for how network operators will know if a router has been compromised and other details for dealing with any attack on the vulnerabilities until a fix can be found.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.