Multiple defects in system software that causes errors in packet handling could let an attacker consume memory & crash devices.
Cisco Systems says hackers are actively exploiting previously unpatched vulnerabilities in its carrier-grade routers, that could let adversaries crash or severely disrupt devices.
The vulnerabilities are in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software & could allow an unauthenticated, remote attacker to immediately crash the Internet Group Management Protocol (IGMP) process, the company warned in an advisory last weekend.
The flaw, designated CVE-2020-3566, also lets attackers make devices consume available memory & eventually crash, a thing that can “negatively impact other processes that are running on the device,” the company cautioned.
IOS XR Software uses many of Cisco’s carrier-grade network routers, including the CRS series, 12000 series, & ASR9000 series. The vulnerabilities will affect “any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing, & it is receiving DVMRP traffic,” the company commented
The cause of the flaws is the incorrect management of how IGMP packets, which help maintain the efficiency of network traffic, are queued, the company observed.
“An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device,” according to the advisory. “A successful exploit could allow the attacker to immediately crash the IGMP process or cause memory exhaustion, resulting in other processes becoming unstable. These processes may include, but are not limited to, interior & exterior routing protocols.”
Cisco is currently working on software updates to deal with these vulnerabilities, which have no workaround, the company outlined. However, companies using the affected routers can mitigate attacks, depending on their needs & network configuration, says Cisco.
When dealing with memory exhaustion, Cisco recommends that customers implement a ‘rate limiter’, which will require that customers understand their current rate of IGMP traffic, & set a rate lower than the current average rate.
“This command will not remove the exploit vector,” the company accepted. “However, the command will reduce the traffic rate & increase the time necessary for successful exploitation. The customer can use this time to perform recovery actions.”
Memory consumed by the IGMP process can be recovered by restarting the IGMP process, explained Cisco, which then provided details for how to do this.
In order to mitigate both memory exhaustion & the immediate IGMP process crash, Cisco advised that customers implement an access control entry (ACE) to an existing interface access control list (ACL). Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface, the company suggested.
If an attacker does successfully crash a router’s IGMP process, operators do not need to manually restart the IGMP process, because the system will perform that action, which will recover the consumed memory, observed Cisco.
Further to mitigations, the company also explained in the advisory how network operators will know if a router has been compromised, & other details for dealing with any attack on the vulnerabilities, until such time that a fix can be provided.