Cisco warns of actively exploited IOS XR zero-days


Image: Cisco // Composition: ZDNet

Cisco warned on Saturday about two zero-day vulnerabilities affecting the Internetwork Operating System (IOS) software that ships with its networking equipment.

The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, impact the Distance Vector Multicast Routing Protocol (DVMRP) feature that ships with the IOS XR version of the operating system.

This version of the OS is usually installed on carrier-grade and data center routers, according to the company’s website.

Cisco says the DVMRP feature contains bugs that allow an unauthenticated, remote attacker to exhaust process memory and crash other processes running on the device. Cisco explains:

“These vulnerabilities are due to the incorrect handling of IGMP packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior and exterior routing protocols.”

Exploitation attempts discovered last week

Cisco says it discovered attackers attempting to exploit this bug last week. The attempt was detected while the company's support team was investigating a customer support case.

“On Aug. 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of an attempted exploitation of this vulnerability in the wild,” Cisco said.

The company said it's currently working on developing software updates for IOS XR.

The patches are still a few days away. In the meantime, Cisco has provided several workarounds and mitigations so customers can ensure that any exploitation attempts fail, if they occur.
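As an illustration of the kind of interim mitigation the advisory describes, here is an added example (not text from the article, and not a verbatim excerpt of Cisco's advisory) showing two ways to keep crafted IGMP traffic away from the IGMP process on an IOS XR router: an interface ACL that drops inbound IGMP, and disabling IGMP on an interface that does not need multicast. The ACL name and the interface GigabitEthernet0/0/0/0 are assumptions for illustration; check the exact commands, and the LPTS rate-limiting option Cisco also documents, against the advisory for your platform and release before applying them.

```text
! Added example, not from the article. Interface ACL that drops inbound
! IGMP (DVMRP messages are carried in IGMP) on an interface whose attached
! hosts do not use multicast. ACL name and interface are assumptions.
ipv4 access-list DENY-IGMP-UNTRUSTED
 10 deny igmp any any
 20 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group DENY-IGMP-UNTRUSTED ingress
!
! Alternative where IGMP is not needed on the interface at all:
! stop the router from processing IGMP on that interface.
router igmp
 interface GigabitEthernet0/0/0/0
  router disable
 !
!
```

Two caveats a practitioner should keep in mind: IOS XR access lists end with an implicit deny, so the trailing `permit ipv4 any any` is what keeps the rest of the interface's traffic flowing, and both changes stop multicast group management on that interface, so apply them only where no hosts behind the interface depend on multicast. After committing, `show igmp interface` confirms which interfaces still have IGMP enabled.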

The Cisco security advisory also includes incident response guidance for companies to investigate their logs and determine whether they have been attacked using the two IOS XR zero-days.

It is unclear what attackers ultimately aim to achieve with these bugs. They may be using them to crash other processes on the router, such as security mechanisms, and gain access to the device. However, this is only a theory, and companies will need to thoroughly comb their logs once they spot any signs of CVE-2020-3566 or CVE-2020-3569 exploitation.

Article updated on September 2 with information on the second zero-day (CVE-2020-3569).
