⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-3569Uncontrolled Resource Consumption in Cisco IOS XR

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling7 documents7 sources
Severity
8.6HIGHNVD
EPSS
4.7%
top 10.64%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Cisco IOS XRCisco IOS XR Software
Timeline
PublishedSep 23
KEV addedNov 3
KEV dueMay 3
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

Multiple vulnerabilities in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to either immediately crash the Internet Group Management Protocol (IGMP) process or make it consume available memory and eventually crash. The memory consumption may negatively impact other processes that are running on the device. These vulnerabilities are due to the incorrect handling of IGMP packets. An attacker could exploit thes

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 3.9 | Impact: 4.0

Affected Packages2 packages

NVDcisco/ios_xr< 6.5.2+11

🔴Vulnerability Details

3
GHSA
GHSA-35gg-5cvh-w445: Multiple vulnerabilities in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, re2022-05-24
CVEList
Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities2020-09-23
VulnCheck
Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability2020

📋Vendor Advisories

2
CISA
Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability2021-11-03
Cisco
Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities2020-08-29
CVE-2020-3569 — Uncontrolled Resource Consumption | cvebase