Cisco is warning of attacks actively exploiting the CVE-2020-3118 vulnerability found to affect carrier-grade routers running the Cisco IOS XR Software. The issue resides in the implementation of the Cisco Discovery Protocol for Cisco IOS XR Software and could allow an unauthenticated attacker to execute arbitrary code on the device. While Cisco has released a patch for this vulnerability back in February of 2020, new research has shown that the use of this vulnerability is prevalent among nation-state actors in gaining access to an organization.
This vulnerability is due to improper validation of string input from select fields in the Cisco Discovery Protocol messages. The Cisco Discovery Protocol is a Layer 2 protocol that is used to share information about Cisco equipment, including the operating system and IP address. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected de-vice. A successful exploit could allow the attacker to cause a stack overflow, which could enable the attacker to execute arbitrary code with administrative privileges on an affected device. The affected Cisco routing platforms include the Network Convergence System (NCS) 540, NCS 560, NCS 5500, 8000, and ASR 9000 series routers. The vulnerability also affects third-party white box routers and Cisco products with the Cisco Discovery Protocol enabled both on at least one interface and globally. Those devices include ASR 9000 Series Aggregation Services Routers, Carrier Routing System (CRS), IOS XRv 9000 Router, as well as the NCS 1000 Series, 5000 Series, and 6000 Series routers.
In October 2020, the Cisco Product Security Incident Response Team (PSIRT) released an updated advisory that detailed reports of an attempted exploitation of this vulnerability in the wild. In addition, the U.S. National Security Agency (NSA) included the CVE-2020-3118 vulnerability among 25 security vulnerabilities currently targeted or exploited by Chinese state-sponsored threat actors. “The findings of this research are significant as Layer 2 protocols are the under-pinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation,” VP of Research at Armis, Ben Seri said.
As stated, Cisco fixed the CVE-2020-3118 vulnerability back in February of 2020. System administrators should look to see if any of their devices are susceptible to this vulnerability and update them immediately. Cisco also provides administrators with workarounds if they are not able to immediately patch these devices.