
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN477
_____________________________________________________________________

DATE                : 31/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Cisco IOS XR Software.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
_____________________________________________________________________

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

High

Advisory ID:      cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
First Published:  2020 August 29 03:00 GMT
Version 1.0:      Interim
Workarounds:      No workarounds available
Cisco Bug IDs:    CSCvv54838
CVSS Score:       Base 8.6

CVE-2020-3566
CWE-400



Summary

    A vulnerability in the Distance Vector Multicast Routing Protocol
(DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated,
remote attacker to exhaust process memory of an affected device.

    The vulnerability is due to insufficient queue management for
Internet Group Management Protocol (IGMP) packets. An attacker could
exploit this vulnerability by sending crafted IGMP traffic to an
affected device. A successful exploit could allow the attacker to cause
memory exhaustion, resulting in instability of other processes. These
processes may include, but are not limited to, interior and exterior
routing protocols.

    Cisco will release software updates that address this vulnerability.
There are no workarounds that address this vulnerability. There are
multiple mitigations available to customers depending on their needs.

    This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz


Affected Products

    Vulnerable Products

    This vulnerability affects any Cisco device that is running any
release of Cisco IOS XR Software if an active interface is configured
under multicast routing.

    Determine Whether Multicast Routing Is Enabled

    An administrator can determine whether multicast routing is enabled
on a device by issuing the show igmp interface command. The following
output shows a device with multicast routing enabled:

        RP/0/0/CPU0:router# show igmp interface

        Loopback0 is up, line protocol is up
          Internet address is 10.144.144.144/32
          IGMP is enabled on interface
          Current IGMP version is 3
          IGMP query interval is 60 seconds
          IGMP querier timeout is 125 seconds
          IGMP max query response time is 10 seconds
          Last member query response interval is 1 seconds
          IGMP activity: 3 joins, 0 leaves
          IGMP querying router is 10.144.144.144 (this system)
        TenGigE0/4/0/0 is up, line protocol is up
          Internet address is 10.114.8.44/24
          IGMP is enabled on interface
          Current IGMP version is 3
          IGMP query interval is 60 seconds
          IGMP querier timeout is 125 seconds
          IGMP max query response time is 10 seconds
          Last member query response interval is 1 seconds
          IGMP activity: 9 joins, 4 leaves
          IGMP querying router is 10.114.8.11

    If the output of show igmp interface is empty, multicast routing is
not enabled and the device is not affected by this vulnerability.

    Determine Whether the Device Is Receiving DVMRP Traffic

    An administrator can determine whether the device is receiving DVMRP
traffic by issuing the show igmp traffic command. The following output
shows a device that is receiving DVMRP traffic:

        RP/0/0/CPU0:router#show igmp traffic
        Fri Feb 13 12:00:00.000 UTC

        IGMP Traffic Counters
        Elapsed time since counters cleared: 01:09:27

                                           Received       Sent
        Valid IGMP Packets                   380220        301
        Queries                                   0        143
        Reports                                   0        158
        Leaves                                    0          0
        Mtrace packets                            0          0
        DVMRP packets                        380220          0

    If the DVMRP packets entry contains values of zero in both columns,
and the counters remain zero on subsequent execution of the command, the
device is not receiving DVMRP traffic.
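
    The check described above, as an added example (not part of the
Cisco advisory): it parses two captures of show igmp traffic and applies
the zero-and-stays-zero rule. The function names and the second and third
snapshots are constructed for illustration.

```python
import re

# First snapshot mirrors the advisory's sample output; the others are constructed.
FIRST = """\
IGMP Traffic Counters
Elapsed time since counters cleared: 01:09:27

                                   Received       Sent
Valid IGMP Packets                   380220        301
Queries                                   0        143
Reports                                   0        158
Leaves                                    0          0
Mtrace packets                            0          0
DVMRP packets                        380220          0
"""
SECOND = FIRST.replace("380220", "395871")                  # later capture, counters grew
QUIET = re.sub(r"(DVMRP packets\s+)\d+", r"\g<1>0", FIRST)  # DVMRP row is 0 / 0

# A counter row is a label followed by exactly two integers (Received, Sent).
ROW = re.compile(
    r"^[ \t]*(?P<name>[A-Za-z][A-Za-z ]*?)[ \t]+(?P<rx>\d+)[ \t]+(?P<tx>\d+)[ \t]*$",
    re.M,
)

def parse_igmp_traffic(text):
    """Return {counter name: (received, sent)} from show igmp traffic output."""
    return {m["name"]: (int(m["rx"]), int(m["tx"])) for m in ROW.finditer(text)}

def dvmrp_status(snapshots):
    """Classify successive captures taken from the same device."""
    counts = [parse_igmp_traffic(s).get("DVMRP packets") for s in snapshots]
    if not counts or any(c is None for c in counts):
        return "unknown"            # row missing: truncated output or format change
    if all(c == (0, 0) for c in counts):
        return "not receiving"      # zero in both columns on every execution
    received = [rx for rx, _ in counts]
    return "receiving, increasing" if received[-1] > received[0] else "receiving"

if __name__ == "__main__":
    print(dvmrp_status([FIRST, SECOND]))
    print(dvmrp_status([QUIET, QUIET]))
```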

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
advisory are known to be affected by this vulnerability.


Details

    This vulnerability results in memory exhaustion, which can impact
other processes on the device. It is possible to recover the memory
consumed by the IGMP process by restarting the IGMP process with the
process restart igmp command as follows:

        RP/0/0/CPU0:router# process restart igmp

Indicators of Compromise

    When a device is experiencing memory exhaustion based on
exploitation of this vulnerability, the following messages may be seen
in the system logs:

        RP/0/RSP1/CPU0:Aug 28 03:46:10.375 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 1 owned by igmp (jid=1175)
        RP/0/RSP0/CPU0:Aug 28 03:46:10.380 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 1 owned by igmp (jid=1175)
        RP/0/RSP0/CPU0:Aug 28 03:49:22.850 UTC: dumper[61]: %OS-DUMPER-7-DUMP_REQUEST : Dump request for process pkg/bin/igmp
        RP/0/RSP0/CPU0:Aug 28 03:49:22.851 UTC: dumper[61]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 7 for process pkg/bin/igmp
        RP/0/RSP0/CPU0:Aug 28 03:49:22.851 UTC: dumper[61]: %OS-DUMPER-4-SIGSEGV : Thread 9 received SIGSEGV - Segmentation Fault
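
    Detection logic for these messages, as an added example (not part of
the Cisco advisory): it scans collected syslog text and reports, per
route processor, the IGMP queue taildrops and IGMP process dumps. The
function name, the result layout and the rule that ties a SIGSEGV line to
an earlier igmp dump on the same node are assumptions of this example.

```python
import re
from collections import defaultdict

# First five lines are the advisory's sample messages; the last line is a
# constructed negative case (a queue owned by a different, made-up process).
SAMPLE = """\
RP/0/RSP1/CPU0:Aug 28 03:46:10.375 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 1 owned by igmp (jid=1175)
RP/0/RSP0/CPU0:Aug 28 03:46:10.380 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 1 owned by igmp (jid=1175)
RP/0/RSP0/CPU0:Aug 28 03:49:22.850 UTC: dumper[61]: %OS-DUMPER-7-DUMP_REQUEST : Dump request for process pkg/bin/igmp
RP/0/RSP0/CPU0:Aug 28 03:49:22.851 UTC: dumper[61]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 7 for process pkg/bin/igmp
RP/0/RSP0/CPU0:Aug 28 03:49:22.851 UTC: dumper[61]: %OS-DUMPER-4-SIGSEGV : Thread 9 received SIGSEGV - Segmentation Fault
RP/0/RSP0/CPU0:Aug 28 03:50:00.000 UTC: raw_ip[399]: %PKT_INFRA-PQMON-6-QUEUE_DROP : Taildrop on XIPC queue 2 owned by example_proc (jid=999)
"""

# node:timestamp: process[pid]: %MNEMONIC : free text
LINE = re.compile(
    r"^(?P<node>\S+?):(?P<ts>\w{3} +\d+ [\d:.]+ \w+): (?P<proc>\w+)\[\d+\]: "
    r"%(?P<msg>\S+) : (?P<text>.*)$"
)

def igmp_exhaustion_indicators(log_text):
    """Return {node: {"queue_drops": int, "igmp_dump": bool, "sigsegv": bool}}."""
    nodes = defaultdict(lambda: {"queue_drops": 0, "igmp_dump": False, "sigsegv": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not an IOS XR syslog line
        node, msg, text = m["node"], m["msg"], m["text"]
        if msg.endswith("QUEUE_DROP") and re.search(r"owned by igmp\b", text):
            nodes[node]["queue_drops"] += 1
        elif msg.startswith("OS-DUMPER") and "pkg/bin/igmp" in text:
            nodes[node]["igmp_dump"] = True
        elif msg == "OS-DUMPER-4-SIGSEGV" and nodes[node]["igmp_dump"]:
            # The SIGSEGV line names no process, so it is only counted when an
            # igmp dump request was already seen on the same node (assumption).
            nodes[node]["sigsegv"] = True
    # Report only nodes that showed at least one IGMP-related indicator.
    return {n: v for n, v in nodes.items() if v["queue_drops"] or v["igmp_dump"]}

if __name__ == "__main__":
    for node, hits in igmp_exhaustion_indicators(SAMPLE).items():
        print(node, hits)
```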


Workarounds

    Although there are no workarounds for this vulnerability, there are
multiple mitigations available to customers depending on their needs.

    As a first line of defense, it is recommended that customers
implement a rate limiter. This will require that customers understand
their current rate of IGMP traffic and set a rate lower than the current
average rate. In configuration mode, the customer can enter the lpts
pifib hardware police flow igmp rate command as follows:

        RP/0/0/CPU0:router(config)# lpts pifib hardware police flow igmp rate <value>

    This command will not remove the exploit vector. However, the
command will reduce the traffic rate and increase the time necessary for
successful exploitation. The customer can use this time to perform
recovery actions.

    As a second line of defense, a customer may implement an access
control entry (ACE) to an existing interface access control list (ACL).
Alternatively, the customer can create a new ACL for a specific
interface that denies DVMRP traffic inbound on that interface. The
following example creates an ACL and denies DVMRP traffic:

        RP/0/0/CPU0:router(config)# ipv4 access-list <acl_name> deny igmp any any dvmrp

    It is recommended to disable IGMP routing for an interface where
IGMP processing is not needed. In IGMP router configuration mode, the
customer can enter the router disable command as follows:

        RP/0/0/CPU0:router(config)# router igmp
        RP/0/0/CPU0:router(config-igmp)# interface <interface_name>
        RP/0/0/CPU0:router(config-igmp-name-if)# router disable


Fixed Software

    Cisco will release free software updates that address the
vulnerability described in this advisory. Customers may only install and
expect support for software versions and feature sets for which they
have purchased a license. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to follow the
terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they
have a valid license, procured from Cisco directly, or through a Cisco
authorized reseller or partner. In most cases this will be a maintenance
upgrade to software that was previously purchased. Free security
software updates do not entitle customers to a new software license,
additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to
regularly consult the advisories for Cisco products, which are available
from the Cisco Security Advisories page, to determine exposure and a
complete upgrade solution.

    In all cases, customers should ensure that the devices to be
upgraded contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their contracted
maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of entitlement
to a free upgrade.


    Fixed Releases

    Cisco will release software updates that address this vulnerability.
As fixed releases and SMUs become available, this advisory will be
updated.

Exploitation and Public Announcements

    On August 28, 2020, the Cisco Product Security Incident Response
Team (PSIRT) became aware of attempted exploitation of this
vulnerability in the wild. For affected products, Cisco recommends
implementing a mitigation that is appropriate for the customer’s
environment.


Source

    This vulnerability was found during the resolution of a Cisco TAC
support case.


URL


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz


Revision History

    Version   Description               Section   Status    Date
    1.0       Initial public release.   —         Interim   2020-AUG-29

Legal Disclaimer

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





