Cisco Alert: Hackers Targeting Zero-Day Flaws in IOS XR

Cisco has warned of two zero-day vulnerabilities in its router software that are being exploited in the wild. They could allow a remote, authenticated attacker to carry out memory exhaustion attacks on an affected device.

The flaws are present in IOS XR, a version of its Internetworking Operating System used in multiple Cisco Network Convergence System carrier-grade routers, including the CRS, 12000 and ASR9000 series.

Hackers are actively attempting to exploit these two flaws in the Cisco operating system that runs its carrier-grade routers. The vulnerabilities are tracked as CVE-2020-3566 and CVE-2020-3569. Their severity has been rated "high" with a score of 8.6 out of a maximum of 10.

The vulnerabilities are present in every Cisco device that runs any release of the IOS XR software if the software has been configured to use multicast routing. Multicast routing saves bandwidth by sending some types of data, such as video, in one stream to multiple recipients. The flaw lies in the way IOS XR Software queues these packets, potentially causing memory exhaustion and disruption of other processes.

An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device.

A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.

Cisco didn't elaborate on how the attackers were exploiting this vulnerability or with what goal in mind, but resource exhaustion is itself a form of denial-of-service attack.

Although patches are not available yet, Cisco has described steps that administrators can take to reduce the risk of the flaws being exploited.


In-the-Wild Attacks

These flaws give attackers relatively "niche market" capabilities, at least when compared to existing distributed denial-of-service attack options, including DDoS conditions created using UDP amplification or TCP reflection.


It is recommended to consider the following best practices:

  • Admins are advised to check the system logs for signs of memory exhaustion and to implement rate limiting to reduce IGMP traffic rates, mitigating the risk.
  • Cisco recommends that administrators run the "show igmp interface" command to determine whether multicast routing is enabled. If the output is empty, multicast routing is not enabled and the device is not affected by these vulnerabilities.
  • Customers may add an access control entry (ACE) to an existing interface access control list (ACL) to help block attackers. Alternatively, they can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface.
  • Secure your network infrastructure and maintain a strong network architecture.
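The mitigations above amount to two detection questions an operator can answer from captured traffic on a multicast-enabled segment: is any host sending DVMRP messages (IGMP type 0x13, the protocol the suggested ACL denies), and is any host sending IGMP at a rate that warrants rate limiting? The following Python script is an added example and is not Cisco's code or part of the advisory. It parses the fixed 8-byte IGMP header, verifies the RFC 1071 checksum, and applies a per-source sliding-window rate check. The sample packets, the hosts 192.0.2.x, and the threshold of 20 messages per second are constructed assumptions for the demonstration; a real deployment would feed it IGMP payloads from a capture and tune the threshold to the segment's normal membership-report rate.

```python
import socket
import struct
from collections import defaultdict, deque

# IGMP message types (RFC 1112/2236/3376). 0x13 is DVMRP (RFC 1075),
# which is carried inside IGMP and is the traffic the advisory's ACL denies.
IGMP_TYPES = {
    0x11: "membership-query",
    0x12: "v1-membership-report",
    0x13: "dvmrp",
    0x16: "v2-membership-report",
    0x17: "leave-group",
    0x22: "v3-membership-report",
}
DVMRP_TYPE = 0x13


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(igmp_type: int, group: str, max_resp: int = 0) -> bytes:
    """Construct an 8-byte IGMPv2-style message with a valid checksum (sample data only)."""
    header = struct.pack("!BBH4s", igmp_type, max_resp, 0, socket.inet_aton(group))
    return header[:2] + struct.pack("!H", inet_checksum(header)) + header[4:]


def parse_igmp(payload: bytes) -> dict:
    """Decode the fixed IGMP header and report whether the checksum verifies."""
    if len(payload) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    igmp_type, max_resp, _csum, group = struct.unpack("!BBH4s", payload[:8])
    return {
        "type": igmp_type,
        "name": IGMP_TYPES.get(igmp_type, "unknown(0x%02x)" % igmp_type),
        "max_resp": max_resp,
        "group": socket.inet_ntoa(group),
        # Summing the message with its checksum field included yields 0 when intact.
        "checksum_ok": inet_checksum(payload) == 0,
    }


def analyse(packets, window: float = 1.0, threshold: int = 20) -> dict:
    """
    packets: iterable of (timestamp_seconds, src_ip, igmp_payload).
    Flags sources sending DVMRP and sources whose IGMP rate exceeds
    `threshold` messages inside any sliding `window` of seconds.
    Malformed or checksum-failing messages are counted and skipped.
    """
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    high_rate, dvmrp_sources, malformed = set(), set(), 0
    for ts, src, payload in packets:
        try:
            msg = parse_igmp(payload)
        except ValueError:
            malformed += 1
            continue
        if not msg["checksum_ok"]:
            malformed += 1
            continue
        if msg["type"] == DVMRP_TYPE:
            dvmrp_sources.add(src)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            high_rate.add(src)
    return {
        "dvmrp_sources": sorted(dvmrp_sources),
        "high_rate_sources": sorted(high_rate),
        "malformed": malformed,
    }


def sample_traffic():
    """Constructed sample: a normal host, a flooding host, a DVMRP sender, one truncated message."""
    pkts = []
    for i in range(5):  # normal host: one v2 report every 10 seconds
        pkts.append((i * 10.0, "192.0.2.10", build_igmp(0x16, "239.1.1.1")))
    for i in range(60):  # flooding host: 60 reports within 0.3 seconds
        pkts.append((20.0 + i * 0.005, "192.0.2.66",
                     build_igmp(0x16, "239.1.1.%d" % (i % 20 + 1))))
    pkts.append((30.0, "192.0.2.99", build_igmp(DVMRP_TYPE, "0.0.0.0")))
    pkts.append((31.0, "192.0.2.77", b"\x16\x00"))  # truncated, counted as malformed
    return pkts


if __name__ == "__main__":
    print(analyse(sample_traffic()))
```

The checksum check matters for the rate counter as much as for the parser: counting only well-formed IGMP keeps the alert tied to traffic the router's multicast process would actually queue, which is the condition the advisory describes.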