Cisco today warned that attackers are actively exploiting CVE-2020-3118, a high-severity vulnerability affecting multiple carrier-grade routers that run the company's Cisco IOS XR Software.
The IOS XR Network OS is deployed on several Cisco router platforms including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.
The vulnerability affects third-party white box routers and the following Cisco products, but only if they run a vulnerable Cisco IOS XR Software release and have the Cisco Discovery Protocol (CDP) enabled both globally and on at least one interface:
- ASR 9000 Series Aggregation Services Routers
- Carrier Routing System (CRS)
- IOS XRv 9000 Router
- Network Convergence System (NCS) 540 Series Routers
- Network Convergence System (NCS) 560 Series Routers
- Network Convergence System (NCS) 1000 Series Routers
- Network Convergence System (NCS) 5000 Series Routers
- Network Convergence System (NCS) 5500 Series Routers
- Network Convergence System (NCS) 6000 Series Routers
Attacks started in October
“In October 2020, the Cisco Product Security Incident Response Team (PSIRT) received reports of attempted exploitation of this vulnerability in the wild,” the updated advisory reads.
“Cisco recommends that customers upgrade to a fixed Cisco IOS XR Software release to remediate this vulnerability.”
Today, the U.S. National Security Agency (NSA) also included CVE-2020-3118 among 25 security vulnerabilities currently targeted or exploited by Chinese state-sponsored threat actors.
Attackers could exploit the vulnerability by sending a crafted Cisco Discovery Protocol packet to a device running a vulnerable IOS XR release.
Successful exploitation could allow the attacker to trigger a stack overflow and execute arbitrary code with administrative privileges on the targeted device.
Luckily, even though this Cisco Discovery Protocol format string vulnerability can lead to remote code execution, CDP frames are a Layer 2 protocol that is not routed, so the flaw can only be exploited by an unauthenticated attacker that is Layer 2 adjacent, i.e. in the same broadcast domain as the vulnerable device; it cannot be triggered from across the Internet.
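The attack described above arrives as an ordinary CDP frame on the local segment, so a port mirror or a sniffer on the same broadcast domain can see the same thing the router sees. The following parser and detector is an added example, not Cisco or Armis code: it decodes the 802.3/LLC/SNAP encapsulation and CDP TLVs, then flags string-valued TLVs that carry printf-style directives, oversized values or binary junk. The two frames are constructed here, the 255-byte size bound is an assumed sanity limit rather than a value from the advisory, and because the advisory does not say which CDP field the bug lives in, every string TLV is treated alike.

```python
"""Constructed example: parse CDP frames and flag string TLVs that look like
format-string or overflow probes. Added illustration, not Cisco or Armis code;
the frames are synthetic and the TLV heuristics are assumptions, since the
advisory does not identify the vulnerable CDP field."""
import re
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # 01:00:0c:cc:cc:cc
CISCO_OUI = b"\x00\x00\x0c"
CDP_PID = 0x2000
LLC_SNAP_HDR = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID)

# TLV types whose value is an opaque string and therefore attacker-controlled text.
STRING_TLVS = {
    0x0001: "Device ID",
    0x0003: "Port ID",
    0x0005: "Software Version",
    0x0006: "Platform",
    0x0009: "VTP Management Domain",
    0x0014: "System Name",
}
TLV_CAPABILITIES = 0x0004

# printf-style directive: flags, width, precision, length modifier, conversion.
FORMAT_DIRECTIVE = re.compile(rb"%[-+ #0]*\d*(?:\.\d+)?[hlLqjzt]*[diouxXeEfFgGaAcspn]")
MAX_STRING_TLV = 255   # assumed sanity bound, not a value from the advisory


def ones_complement(data):
    """RFC 1071-style checksum. Cisco's handling of a trailing odd byte differs from
    this zero pad, so genuine odd-length frames may fail the check; the constructed
    frames below are built and verified with the same routine and stay consistent."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_cdp_frame(src_mac, tlvs, version=2, ttl=180):
    """802.3 length field + LLC/SNAP + CDP header + TLVs, checksum filled in."""
    body = b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in tlvs)
    csum = ones_complement(struct.pack("!BBH", version, ttl, 0) + body)
    cdp = struct.pack("!BBH", version, ttl, csum) + body
    payload = LLC_SNAP_HDR + cdp
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_cdp_frame(frame):
    """Return header fields and a list of (type, value) TLVs; raise on malformed input."""
    if len(frame) < 14 + len(LLC_SNAP_HDR) + 4:
        raise ValueError("frame too short for CDP")
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if dst != CDP_MULTICAST:
        raise ValueError("not addressed to the CDP multicast group")
    payload = frame[14:14 + length]          # ignore any 802.3 padding after the payload
    if not payload.startswith(LLC_SNAP_HDR):
        raise ValueError("not a Cisco SNAP / CDP payload")
    cdp = payload[len(LLC_SNAP_HDR):]
    version, ttl, _ = struct.unpack("!BBH", cdp[:4])
    tlvs, off = [], 4
    while off < len(cdp):
        if off + 4 > len(cdp):
            raise ValueError("truncated TLV header at offset %d" % off)
        t, l = struct.unpack("!HH", cdp[off:off + 4])
        if l < 4 or off + l > len(cdp):      # length counts its own 4-byte header
            raise ValueError("bad TLV length %d at offset %d" % (l, off))
        tlvs.append((t, cdp[off + 4:off + l]))
        off += l
    return {"src": src, "version": version, "ttl": ttl,
            "checksum_ok": ones_complement(cdp) == 0, "tlvs": tlvs}


def suspicious_tlvs(parsed):
    """Heuristic findings for string TLVs: format directives, oversize, binary junk."""
    findings = []
    for t, v in parsed["tlvs"]:
        name = STRING_TLVS.get(t)
        if name is None:
            continue
        m = FORMAT_DIRECTIVE.search(v)
        if m:
            findings.append("%s: printf directive %r" % (name, m.group().decode()))
        if len(v) > MAX_STRING_TLV:
            findings.append("%s: %d bytes exceeds %d" % (name, len(v), MAX_STRING_TLV))
        # Software Version is legitimately multi-line, so tab/CR/LF are allowed.
        if any(b < 0x20 and b not in b"\t\n\r" or b > 0x7e for b in v):
            findings.append("%s: non-printable bytes" % name)
    return findings


# Constructed frames: one benign neighbor announcement, one hostile probe.
BENIGN = build_cdp_frame(bytes.fromhex("00112233aabb"), [
    (0x0001, b"core-sw1.example.net"),
    (0x0005, b"Cisco IOS Software, constructed sample\nCompiled for the example"),
    (0x0006, b"cisco WS-C3850-24T"),
    (TLV_CAPABILITIES, struct.pack("!I", 0x28)),
    (0x0003, b"GigabitEthernet1/0/1"),
])
HOSTILE = build_cdp_frame(bytes.fromhex("deadbeef0001"), [
    (0x0001, b"A" * 300),          # oversized Device ID
    (0x0003, b"%s%s%s%s%n"),       # format-string probe in Port ID
])

if __name__ == "__main__":
    for label, frame in (("benign", BENIGN), ("hostile", HOSTILE)):
        p = parse_cdp_frame(frame)
        print(label, "v%d ttl=%d checksum_ok=%s" % (p["version"], p["ttl"], p["checksum_ok"]))
        for f in suspicious_tlvs(p):
            print("  ALERT", f)
```

The regex is deliberately loose (a benign "100% utilization" in a Software Version string would match "% u"), so treat hits as a triage signal rather than a verdict; the oversize and truncated-TLV checks are the ones that rarely fire on legitimate neighbors.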
Security updates available
Cisco fixed the CVE-2020-3118 security flaw in February 2020, together with four other severe vulnerabilities discovered by IoT security company Armis and collectively dubbed CDPwn.
The advisory's table of first fixed releases is reproduced below; "SMU" stands for software maintenance upgrade, Cisco's point fix for a specific release (more information on available software maintenance upgrades can be found here).
For customers who cannot immediately apply the security updates, the advisory also documents mitigations: disabling Cisco Discovery Protocol globally, or on the exposed interfaces.
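The exposure condition is specific: CDP must be enabled globally and on at least one interface. The audit below is an added example, not Cisco code, that reads IOS XR running-config text (the output of `show running-config`) for exactly that condition and emits the configuration lines that close it, either the global `no cdp` the advisory describes or a per-interface `no cdp` for operators who want to keep CDP on trusted links. The config text is constructed, and the stanza layout it assumes (top-level commands at column 0, interface sub-commands indented by one space) is noted in the code.

```python
"""Constructed example: audit an IOS XR running-config for the advisory's exposure
condition (CDP enabled globally AND on at least one interface) and emit the lines
that close it. Added illustration, not Cisco code; the config text is synthetic."""

SAMPLE_CONFIG = """\
hostname pe1
cdp
interface Loopback0
 ipv4 address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 description to-customer-A
 cdp
 ipv4 address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet0/0/0/1
 description core-uplink
 ipv4 address 203.0.113.1 255.255.255.252
!
"""


def audit_cdp(running_config):
    """Assumes IOS XR layout: top-level lines at column 0, interface sub-lines
    indented by one space, '!' closing a stanza. Returns global/interface state."""
    global_on, cdp_ifaces, current = False, [], None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            current = None                       # any column-0 line ends a stanza
            if line == "cdp":
                global_on = True                 # bare 'cdp' at top level = globally enabled
            elif line.startswith("interface "):
                current = line.split(None, 1)[1]
            continue
        if current is not None and line.strip() == "cdp":
            cdp_ifaces.append(current)           # 'cdp' under an interface stanza
    return {"global": global_on, "interfaces": cdp_ifaces,
            "exposed": global_on and bool(cdp_ifaces)}


def remediation(audit, per_interface=False):
    """IOS XR configuration lines. A global 'no cdp' alone breaks the exposure
    condition; per_interface=True instead removes CDP from each listed interface."""
    if not audit["exposed"]:
        return []
    cmds = ["configure"]
    if per_interface:
        for ifname in audit["interfaces"]:
            cmds += ["interface " + ifname, " no cdp"]
    else:
        cmds.append("no cdp")
    cmds.append("commit")
    return cmds


if __name__ == "__main__":
    result = audit_cdp(SAMPLE_CONFIG)
    print("global CDP:", result["global"])
    print("interfaces with CDP:", result["interfaces"])
    print("exposed per advisory condition:", result["exposed"])
    print("\n".join(remediation(result)))
```

A device that has the global `cdp` line but no interface enabled is not exposed under the advisory's wording, but the mitigation only removes the trigger path; Cisco's recommendation remains upgrading to a fixed release.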
| Cisco IOS XR Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Earlier than 6.6 | Appropriate SMU |
| 6.6 | 6.6.3 or appropriate SMU |
| 7.0 | 7.0.2 (Mar 2020) or appropriate SMU |
“The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation,” VP of Research at Armis Ben Seri said when the CDPwn vulnerabilities were disclosed.
“Network segmentation is often utilized as a means to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by an attacker, so network segmentation is no longer a guaranteed security strategy.”