Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities

Advisory No: TZCERT/SA/2020/09/02

Date of First Release: 2^nd September, 2020

Source: CISCO

Software Affected: Any Cisco device with an active interface configured with multicast routing and running Cisco IOS XR software.

Overview:

Cisco has issued a security advisory on multiple vulnerabilities on any CISCO device running IOS XR Software. These vulnerabilities tracked as CVE-2020-3566 affected Distance Vector Multicast Routing Protocol (DVMRP) feature and could allow an unauthenticated, remote attacker to exhaust process memory of an affected device.

Description:

These vulnerabilities are caused by inadequate queue management for packets in the Internet Group Management Protocol (IGMP).  The attacker could take advantage of these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit may allow the remote attacker to cause memory exhaustion, that may result in instability of other processes running on the device.

Impact:

Successful exploitation of the vulnerability could allow an adversary to exhaust process memory of an affected device.

Solution:

Cisco has not yet identified any workarounds for this vulnerability; however, there are multiple mitigations available;

1. First, determine whether Multicast Routing is enabled on your router. An administrator can issue the show igmp interface If the output of the command is empty then multicast routing is not enabled, and the device is not affected by these vulnerabilities, however, if the command shows the following output then multicast routing is enabled:

          Customer-Router(config)# show igmp interface

          Loopback0 is up, line protocol is up
               Internet address is 10.144.144.144/32
               IGMP is enabled on interface
               Current IGMP version is 3
               IGMP query interval is 60 seconds
               IGMP querier timeout is 125 seconds
               IGMP max query response time is 10 seconds
               Last member query response interval is 1 seconds
               IGMP activity: 3 joins, 0 leaves
               IGMP querying router is 10.144.144.144 (this system)
          TenGigE0/4/0/0 is up, line protocol is up
               Internet address is 10.114.8.44/24
               IGMP is enabled on interface
               Current IGMP version is 3
               IGMP query interval is 60 seconds
               IGMP querier timeout is 125 seconds
               IGMP max query response time is 10 seconds
               Last member query response interval is 1 seconds
               IGMP activity: 9 joins, 4 leaves
               IGMP querying router is 10.114.8.11

2. It is recommended that Cisco customers with devices running IOS XR with Multicast Routing enabled should implement a rate limiter as the first line of defense. Customers will first need to determine their current rate of IGMP traffic and set a lower rate than the current average rate.

          In the configuration mode enter the following command;

          Customer-Router(config)# lpts pifib hardware police flow igmp rate <value>

3. As the second line of defense the customer is advised to either implement an access control entry (ACE) to the existing Access Control List (ACL) or create a new ACL that denies DVMRP inbound traffic on that specific interface.

          Command to create new ACL that denies inbound DVMRP traffic;

          Customer-Router(config)# ipv4 access-list <acl_name> deny igmp any any dvmrp

References:

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz