Cisco issues alert for zero-day DVMRP vulnerability being actively exploited by attackers

The bug in carrier-grade routers could allow a remote hacker to exhaust target device's process memory by sending crafted IGMP traffic

Cisco has issued an alert to warn users of a zero-day security vulnerability that impacts its carrier-grade routers and is being exploited in the wild by attackers.

According to Cisco, this high-severity bug exists in the Distance Vector Multicast Routing Protocol (DVMRP) feature of the IOS XR Network OS and arises due to insufficient queue management for Internet Group Management Protocol (IGMP) packets.

Indexed as CVE-2020-3566, the bug could allow a remote, unauthenticated attacker to exhaust target device's process memory by sending crafted IGMP traffic to it, the company noted. Memory exhaustion can also result in the crashing of other processes, such as interior and exterior routing protocols, running on the device.

Cisco's IOS XR software is used in many networking equipment, including NCS 5500, 8000, NCS 540 and 560, and ASR 9000 series routers.

The bug impacts all Cisco devices running any Cisco IOS XR Software release if one of their active interfaces is configured under multicast routing.

Admins can easily determine whether multicast routing is enabled on a device by issuing the 'show igmp interface' command.

According to Cisco, the bug was spotted last week during resolution of a support case by its security team. An exploitation attempt for the flaw was then noticed on 28^th August.

There are currently no patches or workarounds available to address the vulnerability. However, Cisco's advisory offers many mitigation measures for the bug.

The company recommends users implement a rate limit for IGMP traffic and set a rate lower than the current average. While this command does not eliminate the exploit vector, it can reduce the traffic rate, thereby increasing the time attackers will need to successfully exploit the bug.

Admins must also consider disabling IGMP routing for an interface where IGMP processing is not needed.

Cisco said it is currently working to develop software updates for affected software.

Last month, Cisco had released security patches to address multiple critical security bugs impacting its Data Center Network Manager (DCNM) and SD-WAN software products. The most notable of the flaws were three critical authentication bypass, authorisation bypass and buffer overflow bugs, which could allow a remote, unauthenticated attacker to steal sensitive information from affected devices.

Also, last month, Cisco released security updates to fix 31 vulnerabilities affecting its router and firewall products.

The company warned at the time that some of the bugs could be remotely exploited by unauthenticated attackers without requiring any user interaction.