Skip to main content

Cisco discloses DoS vulnerabilities in carrier-grade routers

(Image credit: Image source: Shutterstock/jijomathaidesigners)

Cisco IOS XR Network OS, an operating system the company deploys to its carrier-grade routers, has two high severity vulnerabilities that are currently being actively exploited in the wild.

The IOS XR is used on multiple router platforms, such as NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers. The two vulnerabilities in question - tracked under CVE-2020-3566 and CVE-2020-3569 - are DVMRP Memory Exhaustion Denial of Service (DoS) flaws and could render the devices unstable.

"On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of these vulnerabilities in the wild," Cisco said in an advisory (opens in new tab).

"For affected products, Cisco recommends implementing a mitigation that is appropriate for the customer’s environment."

"An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes.

A patch is not yet available, but Cisco has detailed a set of workarounds that could help to eliminate potential threats.

IT teams could implement rate-limiting to reduce IGMP traffic rates, which would increase the time needed to successfully exploit the two flaws.

Users could also "implement an access control entry (ACE) to an existing interface access control list (ACL)" or a new ACL to deny inbound DVRMP traffic to interfaces with multicast routing enabled.

Sead Fadilpašić
Sead Fadilpašić

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.