Cisco warns of attacks targeting high severity router vulnerability


Cisco today warned of attacks actively targeting the CVE-2020-3118 high severity vulnerability found to affect multiple carrier-grade routers that run the company’s Cisco IOS XR Software.

The IOS XR Network OS is deployed on several Cisco router platforms including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.

The vulnerability impacts third-party white box routers and the following Cisco products if they run vulnerable Cisco IOS XR Software versions, and have the Cisco Discovery Protocol enabled both on at least one interface and globally:

  • ASR 9000 Series Aggregation Services Routers
  • Carrier Routing System (CRS)
  • IOS XRv 9000 Router
  • Network Convergence System (NCS) 540 Series Routers
  • Network Convergence System (NCS) 560 Series Routers
  • Network Convergence System (NCS) 1000 Series Routers
  • Network Convergence System (NCS) 5000 Series Routers
  • Network Convergence System (NCS) 5500 Series Routers
  • Network Convergence System (NCS) 6000 Series Routers

Attacks started in October

“In October 2020, the Cisco Product Security Incident Response Team (PSIRT) received reports of attempted exploitation of this vulnerability in the wild,” the updated advisory reads.

“Cisco recommends that customers upgrade to a fixed Cisco IOS XR Software release to remediate this vulnerability.”

Today, the U.S. National Security Agency (NSA) also included CVE-2020-3118 among 25 security vulnerabilities currently targeted or exploited by Chinese state-sponsored threat actors.

Attackers could exploit the vulnerability by sending a malicious Cisco Discovery Protocol packet to devices running a vulnerable IOS XR version.

Successful exploitation could enable the attackers to trigger a stack overflow that could lead to arbitrary code execution with administrative privileges on the targeted device.

Luckily, even though this Cisco Discovery Protocol Format String Vulnerability could lead to remote code execution, it can only be exploited by unauthenticated adjacent attackers (Layer 2 adjacent) in the same broadcast domain as the vulnerable devices.

Security updates available

Cisco fixed the CVE-2020-3118 security flaw in February 2020, together with four other severe vulnerabilities discovered by IoT security company Armis and collectively dubbed CDPwn.

The current status of releases that come with a fix for this vulnerability is shown in the table embedded below (more information on available software maintenance upgrades can be found here).

Mitigation details including disabling Cisco Discovery Protocol Globally and on an Interface are also available in the advisory for customers who can’t immediately apply the security updates.

 

Cisco IOS XR Software Release | First Fixed Release for This Vulnerability
Earlier than 6.6              | Appropriate SMU
6.6                           | 6.6.3 or appropriate SMU
7.0                           | 7.0.2 (Mar 2020) or appropriate SMU
7.1                           | Not vulnerable
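
The exposure condition and the fixed-release table above can be checked offline against a saved configuration. The following is an added example, not code from Cisco or from the original article. It assumes IOS XR running-config syntax in which a bare `cdp` line enables the protocol globally or, inside an `interface` block, on that interface; the sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample of IOS XR running-config text, not taken from a real device.
SAMPLE_CONFIG = """\
hostname pe1
cdp
interface GigabitEthernet0/0/0/0
 cdp
!
interface GigabitEthernet0/0/0/1
 shutdown
!
"""
NEEDS_FIX = "vulnerable unless the appropriate SMU is installed"

def cdp_exposure(config):
    """Return (cdp_enabled_globally, [interfaces with cdp enabled])."""
    global_cdp, ifaces, current = False, [], None
    for line in config.splitlines():
        words = line.split()
        if not words or words == ["!"]:
            continue
        if not line[0].isspace():            # top-level statement
            is_if = words[0] == "interface" and len(words) > 1
            current = words[-1] if is_if else None
            global_cdp = global_cdp or words == ["cdp"]
        elif current and words == ["cdp"]:   # statement inside an interface block
            ifaces.append(current)
    return global_cdp, ifaces

def release_status(version):
    """Map an x.y.z release string to the fixed-release table in the article."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"expected x.y.z, got {version!r}")
    major, minor, maint = map(int, m.groups())
    first_fixed = {(6, 6): 3, (7, 0): 2}     # 6.6.3 and 7.0.2 per the table
    train = (major, minor)
    if train < (6, 6):
        return NEEDS_FIX
    if train == (7, 1):
        return "not vulnerable"
    # Assumption: two-digit maintenance numbers are not ordered against 6.6.3/7.0.2.
    if train not in first_fixed or maint >= 10:
        return "not covered by the table, check the advisory"
    return "fixed" if maint >= first_fixed[train] else NEEDS_FIX

def assess(version, config):
    status = release_status(version)
    global_cdp, ifaces = cdp_exposure(config)
    reachable = global_cdp and bool(ifaces)  # both conditions must hold
    return {"release": status, "cdp_interfaces": ifaces,
            "exposed": reachable and status == NEEDS_FIX}
```

A release the table does not list is reported as such rather than guessed at, and whether an SMU is installed cannot be told from the version string alone, so a `NEEDS_FIX` result still has to be checked against the device's installed packages.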

 

“The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation,” VP of Research at Armis Ben Seri said when the CDPwn vulnerabilities were disclosed.

“Network segmentation is often utilized as a means to provide security. Unfortunately, as this research highlights, the network infrastructure itself is at risk and exploitable by an attacker, so network segmentation is no longer a guaranteed security strategy.”

 

The information is gathered from BLEEPING COMPUTER.