
Cisco issues alert for zero-day vulnerability under attack

Cisco discovered attempted exploitation of a high-severity vulnerability found in the IOS XR software used in some of its networking equipment.

Cisco published a security advisory for a zero-day vulnerability that has already seen attempted attacks in the wild.

The high-severity vulnerability lies in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco's IOS XR Software and stems from insufficient queue management for Internet Group Management Protocol (IGMP) packets. An unauthenticated, remote attacker could send crafted IGMP traffic to an affected device and exhaust its process memory, destabilizing other processes, including the interior and exterior routing protocols.

The zero-day vulnerability, CVE-2020-3566, was found during the resolution of a Cisco TAC support case, according to the advisory. Cisco's Product Security Incident Response Team (PSIRT) discovered attempted exploitation of the vulnerability in the wild on Aug. 28 and published an advisory later that night.

"This high-severity vulnerability affects Cisco IOS XR if the product is configured for multicast routing," a Cisco spokesperson said in an email to SearchSecurity.

No software fixes are available yet, and the advisory offers no workarounds, only mitigations.

"Software fixes will be available as soon as possible, and Cisco's security advisory outlines mitigation options for immediate consideration. We ask our customers to please review the advisory for complete detail," the Cisco spokesperson said.

The advisory does describe several mitigations. One is a rate limiter for IGMP traffic, which requires that customers first measure their current rate of IGMP traffic and then set a limit below the current average. Cisco also recommends disabling IGMP routing on any interface where IGMP processing is not needed.
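The two mitigations described above, shown as an added IOS XR CLI walk-through; this is an example written for this page, not text copied from Cisco's advisory, and the router prompt, the interface name and the rate value are assumptions to be replaced with values measured on the device. Verify each command against the command reference for your IOS XR release before applying it.

```text
! Added example, not from the article or the advisory. Replace the prompt,
! GigabitEthernet0/0/0/0 and the rate value with values for your device.

! 1. Establish exposure and a baseline first. If "show igmp interface"
!    returns nothing, multicast routing is not configured on this device.
!    The traffic counters give the IGMP packet rate that the limit must sit
!    below.
RP/0/RP0/CPU0:router# show igmp interface
RP/0/RP0/CPU0:router# show igmp traffic

! 2. Rate-limit IGMP packets punted to the route processor. The value used
!    here (100 pps) is an assumption; set it from the measurement above.
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# lpts pifib hardware police flow igmp rate 100
RP/0/RP0/CPU0:router(config)# commit

! 3. Disable IGMP on interfaces that do not need it (assumed here: a transit
!    link with no multicast receivers), removing the attack surface there.
RP/0/RP0/CPU0:router(config)# router igmp
RP/0/RP0/CPU0:router(config-igmp)# interface GigabitEthernet0/0/0/0
RP/0/RP0/CPU0:router(config-igmp-default-if)# router disable
RP/0/RP0/CPU0:router(config-igmp-default-if)# commit
```

The rate limiter is a blunt control: every IGMP packet above the threshold is dropped, legitimate joins and queries included, so it trades multicast responsiveness for control-plane stability until a fixed release is installed. Disabling IGMP on an interface is the cleaner option wherever no receivers sit behind it.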

Rody Quinlan, security response manager at vulnerability management vendor Tenable, said the impact of this vulnerability grows with attack surface.

"As with any denial-of-service vulnerability, the core flaw is the ability to starve the device of resources, in this instance, memory," Quinlan said in an email to SearchSecurity.

"Successful exploitation could lead to instability on the targeted device and, as a result, impact the routing protocols for both internal and external networks, which could result in the slowing or crippling of a network," he said. "Considering that Cisco has observed attempts to exploit this vulnerability in the wild, no patch is currently available, and the flaw can be executed remotely without authentication, the severity is rather high."

Quinlan said Tenable hasn't yet witnessed any publicly available proof-of-concept exploits.

"Given the active exploitation attempts noted by Cisco and ease of exploitation, we anticipate PoCs will be released soon," Quinlan said. "Distributed denial of service (DDoS) attacks are usually easy to exploit, have remained popular with attackers and continue to be a very prevalent form of attack. DDoS vulnerabilities are common to numerous vendors, but what makes CVE-2020-3566 unique is that it's a zero-day with in-the-wild exploitation attempts."
