Cisco warned its customers last weekend that it has become aware of a zero-day vulnerability that it is working to fix by developing a patch. The flaw involves Cisco’s iOS XR Software, an operating system for carrier-grade routers and networking devices used by telecommunications and data-center providers.
According to the advisory, the vulnerability, dubbed CVE-2020-3566, allows the attacker to send maliciously-crafted Internet Group Management Protocol (IGMP) traffic. “[A]n attacker can exploit this vulnerability by sending crafted IGMP traffic to an affected device…A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”
Cisco rated the severity of the vulnerability “high,” with a Common Vulnerability Scoring System tally of 8.6 out of 10. Although the advisory says that nothing can be done to fix the vulnerability prior to the development of a patch, it provides measures that administrators can take to mitigate the effects. The advisory can be accessed here.