[German]Cisco has already released critical security updates for its network operating system IOS XR on September 29, 2020. The updates close two vulnerabilities in the products that are classified as critical. It should therefore be patched as soon as possible.
Advertising
Cisco published the information in the security bulletin Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities on September 29, 2020. The security advisory states that the vulnerabilities CVE-2020-3566 and CVE-2020-3569 have been closed.
Multiple vulnerabilities in the Cisco IOS XR Software's Distance Vector Multicast Multicast Routing Protocol (DVMRP) feature could allow an unauthenticated remote attacker to either crash the Internet Group Management Protocol (IGMP) process immediately or consume and eventually crash the available memory. The memory consumption could negatively impact other processes running on the device.
These vulnerabilities are due to incorrect handling of IGMP packets. An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device. Successful exploitation could allow the attacker to immediately crash the IGMP process or deplete memory, which could cause other processes to become unstable. These processes may include internal and external routing protocols.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. For details please refer to the security bulletin linked above. (via)
