Cybersecurity Threat Advisory: Vector Multicast Routing Protocol
Posted on September 11, 2020 by Mike Beagles
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their mission-critical communications networks.
This week, there is a new critical alert that requires the mission-critical community’s immediate attention.
A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. DVMRP is a routing protocol used to share information between routers to facilitate the transportation of IP-multicast packets among networks. A successful exploit could cause memory exhaustion, resulting in the instability of other processes. MCP recommends following the mitigation steps provided by Cisco and updating Cisco software regularly to address vulnerabilities as fixes are released.
Technical Detail and Additional Information
What Is the Threat?
The security flaw in Cisco’s IOS XR Software is considered a high-severity zero-day vulnerability, meaning a software security flaw that is known to the software vendor but for which no patch is yet in place. Attackers have been actively trying to exploit this vulnerability in Cisco networking devices. Cisco’s IOS XR Software is an operating system for carrier-grade routers and other networking devices used by telecommunications and data center providers. As of this writing, Cisco has not provided a timeline for when a patch for the vulnerability will be released.
Why Is this Noteworthy?
The vulnerability is being tracked as CVE-2020-3566. If exploited, it could cause memory exhaustion and the instability of other processes, including but not limited to interior and exterior routing protocols. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. To exploit this vulnerability, an attacker could send crafted IGMP traffic to an affected device.
Cisco has not elaborated on whether attacks on this vulnerability could cause other issues aside from memory exhaustion and the subsequent disruption of various processes. The company has rated the severity of the vulnerability as “high” with a Common Vulnerability Scoring System (CVSS) rating of 8.6 out of 10. These vulnerabilities affect any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing and it is receiving DVMRP traffic.
What Are the Recommendations?
- MCP recommends familiarizing yourself with the summary and details at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz.
- Run the suggested administrator commands to determine whether multicast routing is enabled on a given device.
- Determine whether the device is receiving DVMRP traffic.
- Check for Indicators of Compromise and mitigate/remediate as instructed within the Cisco Security Advisory.
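The two device checks in the list above can be scripted over saved command output. This is an added example, not code from MCP or Cisco. It assumes the IOS XR commands `show igmp interface` and `show igmp traffic` are the ones used for these checks, that an empty `show igmp interface` result means multicast routing is not enabled, and that the traffic table has a "DVMRP packets" row with received and sent columns. The sample outputs are constructed.

```python
import re

# Constructed sample of `show igmp traffic` output (table layout is an assumption).
SAMPLE_TRAFFIC = """\
IGMP Traffic Counters
Elapsed time since counters cleared: 15:27:38

                              Received    Sent
Valid IGMP Packet             2784        5576
Queries                       0           2784
Reports                       2784        0
Leaves                        0           0
Mtrace packets                0           0
DVMRP packets                 412         0
PIM packets                   0           0
"""

# Constructed sample of `show igmp interface` output for one interface.
SAMPLE_INTERFACE = """\
GigabitEthernet0/0/0/1 is up, line protocol is up
  Internet address is 192.0.2.1/24
  IGMP is enabled on interface
"""

# A counter row: a text label followed by two integer columns.
ROW = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<rx>\d+)\s+(?P<tx>\d+)\s*$")

def parse_traffic_counters(text):
    """Return {lower-cased counter name: (received, sent)}."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counters[m.group("name").lower()] = (int(m.group("rx")), int(m.group("tx")))
    return counters

def assess_exposure(igmp_interface_output, igmp_traffic_output):
    """Classify one device from the two captured command outputs."""
    if not igmp_interface_output.strip():
        return "multicast-routing-not-enabled"
    counters = parse_traffic_counters(igmp_traffic_output)
    if "dvmrp packets" not in counters:
        return "unknown-no-dvmrp-counter"  # unparsed output is never reported as clean
    received, _sent = counters["dvmrp packets"]
    return "receiving-dvmrp" if received > 0 else "multicast-enabled-no-dvmrp-seen"

if __name__ == "__main__":
    print(assess_exposure(SAMPLE_INTERFACE, SAMPLE_TRAFFIC))
```

A device classified as `receiving-dvmrp` meets both conditions the advisory lists and is the one to prioritize for the Cisco mitigations and the Indicators of Compromise check.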