Attacker Value: Low (1 user assessed)
Exploitability: Unknown (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2020-3566 - Denial of service vulnerability in Cisco IOS XR

Disclosure Date: August 29, 2020
Exploited in the Wild

Description

A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols. Cisco will release software updates that address this vulnerability.

Technical Analysis

At face value, this doesn’t seem to be a terribly high-value vuln from an attacker point of view. That’s not to say that impact to availability and disruption of business processes isn’t high-impact for infrastructure and service providers, just that the vulnerability is a denial of service that currently doesn’t look to offer attackers useful access. That changes pretty quickly if it turns out DoS exploitation gives rise to a different threat vector.

General Information

Vendors

  • Cisco

Products

  • Cisco IOS XR Software

Additional Info

Technical Analysis

Description

Update September 1, 2020: Cisco added a second actively exploited zero-day vulnerability to their initial advisory for CVE-2020-3566. The second zero-day, CVE-2020-3569, is another memory exhaustion vulnerability affecting the DVMRP feature of Cisco IOS XR software. There is no new information on when patches will be available.

On Saturday, August 29, 2020, Cisco published a security advisory on CVE-2020-3566, a zero-day vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR software. According to Cisco’s advisory, the vulnerability results from “insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device.” Successful exploitation of CVE-2020-3566 could allow an unauthenticated, remote attacker to exhaust the available process memory of an affected device. This may lead other processes running on the device, including interior and exterior routing protocols, to become unstable or crash.

Cisco has detected exploitation attempts of CVE-2020-3566 as of August 28, 2020. There is currently no patch available; the advisory notes that Cisco is currently working on a fix. A list of indicators of compromise (IoCs) is available in the advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz

Affected products

  • Any Cisco device running any version of IOS XR software if an active interface is configured under multicast routing.

Rapid7 analysis

As of August 31, 2020, CVE-2020-3566 is a denial-of-service (DoS) vulnerability, though admittedly a high-severity DoS, and does not appear on its face to enable any impact to confidentiality or integrity. Without the ability to execute code, escalate privileges, or perform other operations that yield sensitive data or privileged access, it’s difficult to determine what the value of this vulnerability is to attackers beyond pure disruption (which alone may be considered high-value during this time of increased remote users). With that said, IOS XR software runs on carrier-grade routers often used by ISPs, data centers, and enterprise infrastructure for whom availability is critical (even beyond modern expectations of multiple-9s uptime).

As a general note, DoS vulnerabilities may be useful to sophisticated attackers seeking to create noise in order to mask other operations. We expect increased focus on CVE-2020-3566 from the research community as they attempt to determine whether the DoS can be leveraged to obtain higher-privileged access (e.g., whether exploiting the DoS causes other critical or security-related processes to terminate or fail open).

Guidance

While Cisco customers wait for a patch to be released, the company has several mitigations available in their advisory, including disabling IGMP routing, implementing or updating interface access control entries, and/or using rate limiting to increase the time needed for exploitation. Cisco has also published directions for determining whether customers have multicast routing enabled. IOS XR customers should determine which combination of the published mitigations is suitable for their organizations’ use cases and apply them as soon as is practical. IOS XR users should also consider examining their system logs for the indicators of compromise Cisco released in the advisory.
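As an added illustration (not from Rapid7's assessment or Cisco's advisory) of what a defender can look for on the wire while the ACL and rate-limiting mitigations are in place: a small IGMP header parser with checksum verification, plus a triage pass that flags DVMRP messages (IGMP type 0x13) and per-source IGMP bursts. The source addresses, the record format and the 50-packets-per-second threshold are assumptions.

```python
import struct
from collections import Counter

# IGMP message types (IANA). DVMRP messages are carried as IGMP type 0x13.
IGMP_TYPES = {0x11: "membership-query", 0x12: "v1-report", 0x13: "dvmrp",
              0x16: "v2-report", 0x17: "leave", 0x22: "v3-report"}

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_igmp(payload: bytes) -> dict:
    """Parse the fixed 8-byte IGMP header; checksum_ok covers the full message."""
    if len(payload) < 8:
        raise ValueError("short IGMP message")
    igmp_type, _max_resp, _csum, group = struct.unpack("!BBH4s", payload[:8])
    return {"type": igmp_type, "name": IGMP_TYPES.get(igmp_type, "unknown"),
            "group": ".".join(str(b) for b in group),
            "checksum_ok": internet_checksum(payload) == 0}

def build_igmp(igmp_type: int, group: str = "0.0.0.0", body: bytes = b"") -> bytes:
    """Constructed sample message (for the demo only) with a valid checksum."""
    grp = bytes(int(o) for o in group.split("."))
    msg = struct.pack("!BBH4s", igmp_type, 0, 0, grp) + body
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]

def triage(records, rate_threshold=50):
    """records: iterable of (timestamp, src_ip, igmp_payload).
    Flags DVMRP messages, malformed checksums, and sources exceeding
    rate_threshold IGMP messages in one second (threshold is an assumption)."""
    per_second = Counter()
    findings = set()
    for ts, src, payload in records:
        hdr = parse_igmp(payload)
        if hdr["type"] == 0x13:
            findings.add((src, "dvmrp-message"))
        if not hdr["checksum_ok"]:
            findings.add((src, "bad-checksum"))
        per_second[(src, int(ts))] += 1
    for (src, sec), n in per_second.items():
        if n > rate_threshold:
            findings.add((src, f"igmp-burst:{n}/s@{sec}"))
    return sorted(findings)
```

The triage output is a starting point for correlating against the IoCs in Cisco's advisory, not a replacement for the published mitigations.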