CVE-2020-3566
Published: 29 August 2020
Summary
CVE-2020-3566 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Cisco IOS XR. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 15.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Deeper analysis
A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software allows an unauthenticated remote attacker to exhaust process memory on an affected device. The issue stems from insufficient queue management for Internet Group Management Protocol (IGMP) packets and is tracked under CWE-400 and CWE-770. Successful exploitation can destabilize other processes, including interior and exterior routing protocols. The flaw carries a CVSS 3.1 score of 8.6 with network attack vector, no required privileges or user interaction, and changed scope affecting availability.
An attacker can trigger the condition simply by sending crafted IGMP traffic to a reachable device running the vulnerable software. No authentication or local access is needed, enabling remote exploitation over the network that leads to memory exhaustion and potential denial of service against routing functions.
Cisco has published software updates to address the vulnerability in the associated security advisory. The flaw also appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed in-the-wild activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-24837
Vulnerability details
A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols. Cisco will release software updates that address this vulnerability.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires mechanisms to protect against or limit effects of denial-of-service attacks that exhaust resources via crafted network traffic such as IGMP.
Enforces boundary filtering and traffic control to block or rate-limit unauthenticated IGMP packets before they reach the DVMRP process.
Requires timely application of vendor patches that remediate the insufficient IGMP queue management flaw in IOS XR.