Cisco warns of actively exploited IOS XR zero-days

Cisco said it discovered the attacks last week during a support case the company's support team was called in to investigate.
Written by Catalin Cimpanu, Contributor

Cisco warned on Saturday about two zero-day vulnerabilities impacting the Internetwork Operating System (IOS) that ships with its networking equipment.

The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, impact the Distance Vector Multicast Routing Protocol (DVMRP) feature that ships with the IOS XR version of the operating system.

This version of the OS is usually installed on carrier-grade and data center routers, according to the company's website.

Cisco says the DVMRP feature contains a bug that allows an unauthenticated, remote attacker to exhaust process memory and crash other processes running on the device. Cisco explains:

"These vulnerabilities are due to the incorrect handling of IGMP packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols."

Exploitation attempts discovered last week

Cisco says that it discovered attackers exploiting this bug last week. The attacks were detected during a support case the company's support team was called in to investigate.

"On Aug. 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of an attempted exploitation of this vulnerability in the wild," Cisco said.

The company said it is currently working on developing software updates for IOS XR.

The patches are still a few days away. In the meantime, Cisco has provided several workarounds and mitigations for its customers so that any exploitation attempts, if they occur, fail.

The Cisco security advisory also includes additional incident response instructions for companies to investigate their logs and see if they've been attacked using the two IOS zero-days.

It is unclear how attackers are using these bugs in the grand scheme of things. They may be using them to crash other processes on the router, such as security mechanisms, and gain access to the device. However, this is only a theory, and companies will need to thoroughly comb their logs after they spot any signs of CVE-2020-3566 and CVE-2020-3569 exploitation.

Article updated on September 2 with information on the second zero-day (CVE-2020-3569).

