CVE-2020-3566 - Denial of service vulnerability in Cisco IOS XR
Description
A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols. Cisco will release software updates that address this vulnerability.
Ratings
- Attacker Value: Low
Technical Analysis
At face value, this doesn’t seem to be a terribly high-value vuln from an attacker point of view. That’s not to say that impact to availability and disruption of business processes isn’t high-impact for infrastructure and service providers, just that the vulnerability is a denial of service that currently doesn’t look to offer attackers useful access. That changes pretty quickly if it turns out DoS exploitation gives rise to a different threat vector.
General Information
Vendors
- cisco
Products
- ios xr 6.4.2
Exploited in the Wild
Technical Analysis
Description
Update September 1, 2020: Cisco added a second actively exploited zero-day vulnerability to their initial advisory for CVE-2020-3566. The second zero-day, CVE-2020-3569, is another memory exhaustion vulnerability affecting the DVMRP feature of Cisco IOS XR software. There is no new information on when patches will be available.
On Saturday, August 29, 2020, Cisco published a security advisory on CVE-2020-3566, a zero-day vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR software. According to Cisco’s advisory, the vulnerability results from “insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device.” Successful exploitation of CVE-2020-3566 could allow an unauthenticated, remote attacker to exhaust the available process memory of an affected device. This may lead other processes running on the device, including interior and exterior routing protocols, to become unstable or crash.
Cisco has detected exploitation attempts of CVE-2020-3566 as of August 28, 2020. There is currently no patch available; the advisory notes that Cisco is currently working on a fix. A list of indicators of compromise (IoCs) is available in the advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
Affected products
- Any Cisco device running any version of IOS XR software if an active interface is configured under multicast routing.
Rapid7 analysis
As of August 31, 2020, CVE-2020-3566 is a denial-of-service (DoS) vulnerability, though admittedly a high-severity DoS, and does not appear on its face to enable any impact to confidentiality or integrity. Without the ability to execute code, escalate privileges, or perform other operations that yield sensitive data or privileged access, it’s difficult to determine what the value of this vulnerability is to attackers beyond pure disruption (which alone may be considered high-value during this time of increased remote users). With that said, IOS XR software runs on carrier-grade routers often used by ISPs, data centers, and enterprise infrastructure for whom availability is critical (even beyond modern expectations of multiple-9s uptime).
As a general note, DoS vulnerabilities may be useful to sophisticated attackers seeking to create noise in order to mask other operations. We expect increased focus on CVE-2020-3566 from the research community as they attempt to determine whether the DoS can be leveraged to obtain higher-privileged access (e.g., whether exploitation of the DoS vulnerability causes other critical or security-related processes to terminate or fail open).
Guidance
While Cisco customers wait for a patch to be released, the company has several mitigations available in their advisory, including disabling IGMP routing, implementing or updating interface access control entries, and/or using rate limiting to increase the time needed for exploitation. Cisco has also published directions for determining whether customers have multicast routing enabled. IOS XR customers should determine which combination of the published mitigations is suitable for their organizations’ use cases and apply as soon as is practical. IOS XR users should also consider examining their system logs for the indicators of compromise Cisco released in the advisory.
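As an added illustration (not code from Cisco's advisory or from Rapid7's analysis), the following Python check parses IPv4/IGMP frames, counts DVMRP messages (IGMP type 0x13) per source, and flags sources whose sustained rate exceeds a chosen baseline; measuring the normal per-source DVMRP rate this way is one input for picking the rate-limit value the advisory's mitigation calls for. The sample frames, the addresses and the 50 pps baseline are all constructed for the example.

```python
import socket
import struct

IGMP_PROTO = 2      # IPv4 protocol number for IGMP
DVMRP_TYPE = 0x13   # DVMRP messages are carried as IGMP type 0x13 (RFC 1075)

def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by the IPv4 and IGMP headers."""
    data += b"\x00" * (len(data) % 2)            # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_igmp_packet(src: str, dst: str, igmp_type: int) -> bytes:
    """Constructed IPv4+IGMP frame, used only as sample input for the parser below."""
    igmp = struct.pack("!BBHI", igmp_type, 0, 0, 0)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, 1, IGMP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + igmp

def parse_igmp(pkt: bytes):
    """Return (src, dst, igmp_type) for an IPv4 IGMP frame, or None if not IGMP or malformed."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IGMP_PROTO or len(pkt) < ihl + 8:
        return None
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl]

def dvmrp_rate_per_source(packets):
    """(timestamp_seconds, raw_ipv4_bytes) pairs -> {src: (dvmrp_count, packets_per_second)}."""
    first, last, counts = {}, {}, {}
    for ts, raw in packets:
        parsed = parse_igmp(raw)
        if parsed is None or parsed[2] != DVMRP_TYPE:   # only DVMRP messages are counted
            continue
        counts[parsed[0]] = counts.get(parsed[0], 0) + 1
        first.setdefault(parsed[0], ts)
        last[parsed[0]] = ts
    return {s: (n, n / (last[s] - first[s]) if last[s] > first[s] else float(n))
            for s, n in counts.items()}

def noisy_dvmrp_sources(packets, max_pps: float):
    # max_pps is a site-specific baseline (assumed); a source sustained above it deserves a look
    return sorted(s for s, (_, pps) in dvmrp_rate_per_source(packets).items() if pps > max_pps)

# Constructed sample: a one-second DVMRP burst, a normal once-a-minute DVMRP peer, and IGMPv2 reports (0x16)
SAMPLE = [(i * 0.005, build_igmp_packet("192.0.2.10", "224.0.0.4", DVMRP_TYPE)) for i in range(200)]
SAMPLE += [(t, build_igmp_packet("192.0.2.30", "224.0.0.4", DVMRP_TYPE)) for t in (0.0, 60.0)]
SAMPLE += [(t, build_igmp_packet("192.0.2.20", "239.1.1.1", 0x16)) for t in (1.0, 30.0)]
```

With the sample above, `noisy_dvmrp_sources(SAMPLE, 50)` returns only the bursting source, while the once-a-minute peer and the ordinary membership reports are left alone.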