A new week begins and a new security report on Cisco products appears. The technology company has issued an alert about a zero-day vulnerability recently detected in its carrier-grade routers; according to logical security specialists, the flaw has already been actively exploited.

The report states that this is a high-severity flaw residing in the Distance Vector Multicast Routing Protocol (DVMRP) feature of the IOS XR network operating system, caused by incorrect queue management for Internet Group Management Protocol (IGMP) packets.

The affected software runs on a wide range of Cisco networking devices, including the NCS 5500, NCS 540, NCS 560, 8000 and ASR 9000 series routers.

Tracked as CVE-2020-3566, successful exploitation of this flaw would allow unauthenticated remote threat actors to exhaust process memory on the target device simply by sending specially crafted IGMP traffic. According to logical security experts, this can in turn crash other processes running on the affected router, such as internal and external routing protocols.

The flaw apparently affects any Cisco device running any version of the IOS XR operating system, as long as at least one of its active interfaces is configured for multicast routing.

Cisco notes that administrators of affected devices can determine whether multicast routing is enabled by running the “show igmp interface” command. The company states that the fault was corrected a week ago as part of a general maintenance process; however, logical security experts detected an attempted active exploitation on August 28.

So far there is no workaround that fully corrects the flaw, although the Cisco security alert includes some measures to mitigate the risk of exploitation. For example, Cisco experts recommend that administrators implement a rate limit for IGMP traffic, setting it below the average IGMP rate observed on the target system; this increases the time an attacker would need to successfully complete the exploit. Finally, affected users can also disable IGMP routing on interfaces where this type of processing is not required.
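To turn the “show igmp interface” check above into something repeatable across a fleet, the following added example (not Cisco's code, and not from the original article) parses captured command output and lists interfaces where IGMP is enabled but not on an administrator's allowlist, i.e. candidates for the "disable IGMP routing where not required" mitigation. The sample output is constructed, and the assumed line formats ("<interface> is up, line protocol is up" and "IGMP is enabled/disabled on interface") should be checked against a real device before relying on the parser.

```python
import re

# Constructed sample of `show igmp interface` output. The line formats are an
# assumption about IOS XR output, not a capture from a real router.
SAMPLE_OUTPUT = """\
Loopback0 is up, line protocol is up
  Internet address is 10.0.0.1/32
  IGMP is enabled on interface
  Current IGMP version is 3
GigabitEthernet0/0/0/0 is up, line protocol is up
  Internet address is 192.0.2.1/24
  IGMP is enabled on interface
  Current IGMP version is 3
GigabitEthernet0/0/0/1 is up, line protocol is up
  Internet address is 198.51.100.1/24
  IGMP is disabled on interface
"""

INTF_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)$")
STATE_RE = re.compile(r"^\s+IGMP is (enabled|disabled) on interface$")


def igmp_interfaces(show_output):
    """Map each interface named in the output to True if IGMP is enabled on it."""
    result = {}
    current = None
    for line in show_output.splitlines():
        m = INTF_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, False)  # no state line seen yet
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            result[current] = (m.group(1) == "enabled")
    return result


def exposed_interfaces(show_output, expected):
    """Interfaces with IGMP enabled that are not in the expected (allowlisted) set."""
    return sorted(intf for intf, enabled in igmp_interfaces(show_output).items()
                  if enabled and intf not in expected)


if __name__ == "__main__":
    # Loopback0 is the only interface where multicast routing is intended here.
    for intf in exposed_interfaces(SAMPLE_OUTPUT, {"Loopback0"}):
        print(f"IGMP enabled on {intf}: review whether multicast routing is required")
```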