Cisco warns of actively exploited IOS XR zero-days
Cisco warned on Saturday about two zero-day vulnerabilities in IOS XR, the network operating system that ships with its carrier-grade and data center routers.
The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, reside in the Distance Vector Multicast Routing Protocol (DVMRP) feature of IOS XR. A device is exposed only if an active interface is configured under multicast routing; devices that do not run multicast routing are not affected.
The DVMRP feature mishandles crafted IGMP packets in a way that allows an unauthenticated, remote attacker to exhaust process memory and crash other processes running on the device. Cisco's advisory explains:
"These vulnerabilities are due to the incorrect handling of IGMP packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols."
EXPLOITATION ATTEMPTS DISCOVERED LAST WEEK
"On Aug. 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of an attempted exploitation of this vulnerability in the wild," Cisco said.
Patches are still a few days away. In the meantime, Cisco has published workarounds and mitigations so that customers can make exploitation attempts fail if they occur. These revolve around rate-limiting IGMP traffic to the router, adding an access-list entry that denies DVMRP traffic on affected interfaces, and disabling IGMP routing on interfaces that do not need it; administrators should check the advisory for the exact commands for their release.
It is unclear what attackers are trying to achieve with these bugs. Cisco describes them as denial-of-service issues, so an attacker may simply be knocking routing processes over, or may be destabilizing other processes on the router, such as security mechanisms, as a step toward further access. That is speculation, and companies that spot any signs of CVE-2020-3566 or CVE-2020-3569 exploitation will need to comb their logs thoroughly.
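Since the advisory points at crafted IGMP traffic and, specifically, DVMRP (IGMP type 0x13) messages, one practical way to spot attempts against a router is to classify the IGMP traffic hitting it. The script below is an added example, not Cisco's code or tooling: it parses raw IPv4/IGMP packets as they would come from a SPAN or tap capture with the Ethernet header already stripped, flags every DVMRP message with its DVMRP message type, flags IGMP messages whose checksum does not verify, and flags any source that sends more IGMP than a per-source threshold. The threshold, the sample packets and the addresses are constructed for the example and are not taken from the advisory.

```python
"""Added example (not Cisco's code or tooling): classify IGMP packets from a
capture and flag DVMRP messages, bad checksums and per-source floods.

Assumptions: input is raw IPv4 packets as bytes (Ethernet header already
stripped); the flood threshold is an illustrative number, not a Cisco
recommendation; all sample packets and addresses below are constructed.
"""
import struct
from collections import Counter
from typing import List, Optional, Tuple

IGMP_PROTO = 2            # IP protocol number for IGMP
DVMRP_TYPE = 0x13         # IGMP type value carried by DVMRP messages
IGMP_TYPES = {
    0x11: "membership-query",
    0x12: "v1-membership-report",
    DVMRP_TYPE: "dvmrp",
    0x16: "v2-membership-report",
    0x17: "leave-group",
    0x22: "v3-membership-report",
}
# For type 0x13 the IGMP "code" byte carries the DVMRP message type.
DVMRP_CODES = {1: "probe", 2: "report", 7: "prune", 8: "graft", 9: "graft-ack"}


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over a message that already
    contains a correct checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_igmp(packet: bytes) -> Optional[dict]:
    """Summarise an IPv4 IGMP packet; None for anything that is not IGMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IGMP_PROTO or len(packet) < ihl + 8:
        return None
    igmp = packet[ihl:]
    itype, code = igmp[0], igmp[1]
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "type": IGMP_TYPES.get(itype, "unknown-0x%02x" % itype),
        "code": DVMRP_CODES.get(code, code) if itype == DVMRP_TYPE else code,
        # The group address field only means "group" in IGMPv1/v2 messages.
        "group": ".".join(str(b) for b in igmp[4:8])
        if itype in (0x11, 0x12, 0x16, 0x17) else None,
        "checksum_ok": inet_checksum(igmp) == 0,
        "length": len(igmp),
    }


def triage(packets, flood_threshold: int = 100) -> List[Tuple]:
    """Findings: DVMRP messages aggregated per (source, DVMRP type), IGMP
    messages with a bad checksum, and sources at or above flood_threshold."""
    findings, igmp_per_src, dvmrp_per_src = [], Counter(), Counter()
    for pkt in packets:
        info = parse_igmp(pkt)
        if info is None:          # not IGMP: ignore
            continue
        igmp_per_src[info["src"]] += 1
        if not info["checksum_ok"]:
            findings.append(("bad-checksum", info["src"], info["type"]))
        if info["type"] == "dvmrp":
            dvmrp_per_src[(info["src"], info["code"])] += 1
    for (src, code), n in dvmrp_per_src.items():
        findings.append(("dvmrp", src, code, n))
    for src, n in igmp_per_src.items():
        if n >= flood_threshold:
            findings.append(("igmp-flood", src, n))
    return findings


def build_igmp(src: str, itype: int, code: int, body: bytes) -> bytes:
    """Construct an IPv4/IGMP packet to 224.0.0.4 (sample data only)."""
    igmp = bytes([itype, code, 0, 0]) + body
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(igmp), 0, 0, 1,
                      IGMP_PROTO, 0, ip4(src), ip4("224.0.0.4"))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp


# Constructed sample capture: normal IGMP, one corrupted report, one non-IGMP
# packet, a few DVMRP probes and a DVMRP prune flood from a single source.
CORRUPTED = bytearray(build_igmp("10.0.0.7", 0x16, 0, ip4("239.1.1.1")))
CORRUPTED[-1] ^= 0x01   # flip a bit so the IGMP checksum no longer verifies
SAMPLE_PACKETS = (
    [build_igmp("10.0.0.1", 0x11, 100, ip4("0.0.0.0"))]               # query
    + [build_igmp("10.0.0.5", 0x16, 0, ip4("239.1.1.1"))]             # v2 report
    + [bytes(CORRUPTED)]
    + [b"\x45\x00" + b"\x00" * 7 + b"\x06" + b"\x00" * 10]            # TCP, ignored
    + [build_igmp("192.0.2.66", DVMRP_TYPE, 1, b"\x00" * 12)] * 3     # DVMRP probes
    + [build_igmp("198.51.100.9", DVMRP_TYPE, 7, b"\x00" * 12)] * 150  # prune flood
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKETS):
        print(finding)
```

Any DVMRP finding from a source that is not a known multicast neighbor is worth a look on its own, because a router that is not peering over DVMRP should not be receiving type 0x13 messages at all; the flood counter catches the memory-exhaustion pattern the advisory describes even when the individual packets look well-formed.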