Cisco has warned of an active zero-day vulnerability in its router software that’s being exploited in the wild and could allow a remote, authenticated attacker to carry out memory exhaustion attacks on an affected device.

“An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device,” Cisco said in an advisory posted over the weekend.

“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”

Although the company said it will release software fixes to address the flaw, it did not share a timeline for when it plans to make it available. The networking equipment maker said it became aware of attempts to exploit the flaw on August 28.

Tracked as CVE-2020-3566, the severity of the vulnerability has been rated “high” with a Common Vulnerability Scoring System score of 8.6 out of a maximum 10.

The bug affects all Cisco gear running its Internetwork Operating System (IOS) XR Software and stems from an issue in the Distance Vector Multicast Routing Protocol (DVMRP) feature that makes it possible for an adversary to send specially crafted Internet Group Management Protocol (IGMP) packets to the susceptible device in question and exhaust process memory.

IGMP is typically used to efficiently use resources for multicasting applications when supporting streaming content such as online video streaming and gaming. The flaw lies in the manner IOS XR Software queues these packets, potentially causing memory exhaustion and disruption of other processes.

While there are no workarounds to resolve the issue, Cisco recommends administrators to run the “show igmp interface” command to determine if multicast routing is enabled.

If the output of ‘show igmp interface’ is empty, multicast routing is not enabled and the device is not affected by these vulnerabilities,” the company said.

Additionally, admins can also check the system logs for signs of memory exhaustion and implement rate-limiting to reduce IGMP traffic rates to mitigate the risk.

Cisco didn’t elaborate on how the attackers were exploiting this vulnerability and with what goal in mind.

But given that resource exhaustion attacks are also a form of denial-of-service attacks, it wouldn’t be surprising if bad actors are leveraging the flaw to interfere with the regular functioning of the system.

Leave a Comment