
Alerts

IBM Security Update

IBM has released security updates to address vulnerabilities in multiple products. Exploitation of these vulnerabilities may allow an attacker to cause a denial of service condition.

Users and administrators are encouraged to review the IBM Security Bulletin and apply the necessary updates.

Citrix Security Update

Citrix has released security updates to address vulnerabilities in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Citrix Security Advisory and apply the necessary updates.

Squid for SUSE Security Update

SUSE has released security updates to address vulnerabilities in Squid for SUSE. Exploitation of these vulnerabilities may allow an attacker to cause a denial of service condition.

Users and administrators are encouraged to review SUSE Advisories SUSE-SU-2020:2442-1 and SUSE-SU-2020:2443-1 and apply the necessary updates.

Dovecot for Red Hat Security Update

Red Hat has released security updates to address vulnerabilities in dovecot for Red Hat Enterprise Linux 7. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Red Hat Security Advisory and apply the necessary updates.

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities

Advisory No: TZCERT/SA/2020/09/02

Date of First Release: 2nd September, 2020

Source: CISCO

Software Affected: Any Cisco device with an active interface configured with multicast routing and running Cisco IOS XR software.

Overview:

Cisco has issued a security advisory on multiple vulnerabilities affecting any Cisco device running IOS XR Software. These vulnerabilities, tracked as CVE-2020-3566, affect the Distance Vector Multicast Routing Protocol (DVMRP) feature and could allow an unauthenticated, remote attacker to exhaust the process memory of an affected device.

Description:

These vulnerabilities are caused by inadequate queue management for packets in the Internet Group Management Protocol (IGMP). An attacker could take advantage of these vulnerabilities by sending crafted IGMP traffic to an affected device. A successful exploit may allow the remote attacker to cause memory exhaustion, which may result in instability of other processes running on the device.

Impact:

Successful exploitation of the vulnerability could allow an adversary to exhaust process memory of an affected device.

Solution:

Cisco has not yet identified any workarounds for this vulnerability; however, multiple mitigations are available:

  1. First, determine whether multicast routing is enabled on your router. An administrator can issue the show igmp interface command. If the output of the command is empty, multicast routing is not enabled and the device is not affected by these vulnerabilities. If the command shows output like the following, multicast routing is enabled:

          Customer-Router(config)# show igmp interface

          Loopback0 is up, line protocol is up
               Internet address is 10.144.144.144/32
               IGMP is enabled on interface
               Current IGMP version is 3
               IGMP query interval is 60 seconds
               IGMP querier timeout is 125 seconds
               IGMP max query response time is 10 seconds
               Last member query response interval is 1 seconds
               IGMP activity: 3 joins, 0 leaves
               IGMP querying router is 10.144.144.144 (this system)
          TenGigE0/4/0/0 is up, line protocol is up
               Internet address is 10.114.8.44/24
               IGMP is enabled on interface
               Current IGMP version is 3
               IGMP query interval is 60 seconds
               IGMP querier timeout is 125 seconds
               IGMP max query response time is 10 seconds
               Last member query response interval is 1 seconds
               IGMP activity: 9 joins, 4 leaves
               IGMP querying router is 10.114.8.11

  1. Cisco customers with devices running IOS XR with multicast routing enabled are recommended to implement a rate limiter as the first line of defense. Customers will first need to determine their current rate of IGMP traffic and set a lower rate than the current average rate.

          In configuration mode, enter the following command:

          Customer-Router(config)# lpts pifib hardware police flow igmp rate <value>

  1. As the second line of defense, the customer is advised to either add an access control entry (ACE) to an existing Access Control List (ACL) or create a new ACL that denies inbound DVMRP traffic on that specific interface.

          Command to create a new ACL that denies inbound DVMRP traffic:

          Customer-Router(config)# ipv4 access-list <acl_name> deny igmp any any dvmrp
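
The check in step 1 can be scripted against saved command output when many routers have to be triaged. The following is an added example, not part of the Cisco or TZCERT advisory: it parses show igmp interface output and applies the advisory's rule that empty output means multicast routing is not enabled. The function names and the shortened sample capture are assumptions made for illustration.

```python
import re

# Constructed sample: `show igmp interface` output in the layout shown in step 1,
# shortened to the fields this script reads.
SAMPLE = """\
Customer-Router(config)# show igmp interface

Loopback0 is up, line protocol is up
     Internet address is 10.144.144.144/32
     IGMP is enabled on interface
     Current IGMP version is 3
     IGMP querying router is 10.144.144.144 (this system)
TenGigE0/4/0/0 is up, line protocol is up
     Internet address is 10.114.8.44/24
     IGMP is enabled on interface
     Current IGMP version is 3
     IGMP querying router is 10.114.8.11
"""

HEADER = re.compile(r"^(\S+) is ([\w ]+), line protocol is ([\w ]+)$")
FIELDS = {
    "address": re.compile(r"^Internet address is (\S+)"),
    "version": re.compile(r"^Current IGMP version is (\d+)"),
    "querier": re.compile(r"^IGMP querying router is (\S+)"),
}

def parse_igmp_interfaces(text):
    """Return one dict per interface block in `show igmp interface` output."""
    interfaces, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = {"name": header.group(1), "igmp_enabled": False,
                       "up": header.group(2) == "up" and header.group(3) == "up"}
            interfaces.append(current)
        elif current is not None:
            if line == "IGMP is enabled on interface":
                current["igmp_enabled"] = True
            for key, pattern in FIELDS.items():
                match = pattern.match(line)
                if match:
                    current[key] = match.group(1)
    return interfaces

def triage(text):
    """Step 1 rule: no interface blocks in the output means multicast routing is off."""
    interfaces = parse_igmp_interfaces(text)
    return {
        "multicast_routing_enabled": bool(interfaces),
        # Interfaces where the DVMRP-deny ACL from step 3 would apply.
        "igmp_interfaces": [i["name"] for i in interfaces if i["igmp_enabled"]],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```
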

References: