#VU46126 Resource exhaustion in Cisco ASR 9000 Series Aggregation Services Routers and Cisco IOS XR - CVE-2020-3566
Published: August 29, 2020
Vulnerability identifier: #VU46126
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2020-3566
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Cisco ASR 9000 Series Aggregation Services Routers
Cisco IOS XR
Cisco ASR 9000 Series Aggregation Services Routers
Cisco IOS XR
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient queue management for Internet Group Management Protocol (IGMP) packets in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software. A remote attacker can trigger resource exhaustion by sending crafted IGMP traffic to the affected device and perform a denial of service (DoS) attack.
Note: this vulnerability is being actively exploited in the wild.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.