⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-3566 — Uncontrolled Resource Consumption in Cisco IOS XR Software

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling7 documents7 sources

Severity

8.6HIGHNVD

EPSS

2.1%

top 15.76%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Cisco IOS XR Software Cisco IOS XR

Timeline

PublishedAug 29

KEV addedNov 3

KEV dueMay 3

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 3.9 | Impact: 4.0

Affected Packages2 packages

▶CVEListV5cisco/cisco_ios_xr_softwaren/a

▶NVDcisco/ios_xr6.4.2

🔴Vulnerability Details

GHSA

GHSA-mr9v-hqxh-vq2j: A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote atta↗2022-05-24

▶

CVEList

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability↗2020-08-29

▶

VulnCheck

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability↗2020

▶

📋Vendor Advisories

CISA

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability↗2021-11-03

▶

Cisco

Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities↗2020-08-29

▶