Cisco today warned of some attacks actively targeting the CVE-2020-3118 high-severity vulnerability, which has been found to affect many routers using the company's Cisco IOS XR software.
IOS XR Network OS is deployed on various Cisco routers, including NCS 540 & 560, NCS 5500, 8000 and ASR 9000 routers.
Vulnerability affects third-party white box routers and the following Cisco products if they are running vulnerable versions of Cisco IOS XR software and have enabled Cisco Discovery (both in at least one interface and globally):
- Services Routers Series ASR 9000
- Carrier Routing System (CRS)
- Router IOS XRv 9000
- (NCS) 540 Series Routers
- (NCS) 560 Series Routers
- (NCS) 1000 Series Routers
- (NCS) 5000 Series Routers
- (NCS) 5500 Series Routers
- (NCS) 6000 Series Routers
The attacks began in October
"In October 2020, the Cisco Product Safety Response Team (PSIRT) received reports of some attempts exploitation of this vulnerability ", reports the updated advisory.
“Cisco recommends that customers upgrade to a stable version of Cisco IOS XR software for restoration of this vulnerability. ”
Today, the US National Security Agency (NSA) also included CVE-2020-3118 among the 25 vulnerabilities currently targeted or exploited by Chinese state threat agents.
Intruders could exploit the vulnerability by sending a malicious Cisco Discovery Protocol package to Appliances running a vulnerable version of IOS XR.
Successful exploitation could allow intruders to cause stack overflow that could lead to arbitrary execution code with administrator privileges on the target device.
Fortunately, although this Cisco Discovery Protocol Format String Vulnerability could lead to remote code execution, it can only be used by unauthorized intruders in the same "broadcast domain" as vulnerable devices.
Security updates are available
Cisco fixed security flaw CVE-2020-3118 in February 2020, along with four other serious vulnerabilities discovered by security firm IoT Armis and collectively named CDPwn.
The current status of the versions that come with this vulnerability is shown in the table below (more information on available software upgrades can be found here).