Cisco warns miscreants are crippling IOS XR network gear over the internet with memory black-holes. No patch yet

Plus: Time to dump that old backdoored ZTE mobile hotspot

5 Reg comments Got Tips?

In brief Cisco has warned hackers are crashing or crippling its networking kit out in the field by black-holing all available memory via specially crafted IGMP packets.

To pull this off, miscreants are exploiting CVE-2020-3566, a vulnerability that can be abused by "an unauthenticated, remote attacker to exhaust process memory of an affected device" running Switchzilla's IOS XR operating system. According to the manufacturer on Saturday:

The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.

"On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild," Switchzilla's advisory on the matter continued. "Cisco will release software updates that address this vulnerability."

As there is no patch available right now, IOS XR users are advised to disable multicast routing on interfaces that don't need it as a simple fix, or implement a rate limiter that increases the time-to-exploitation.

There were a load of other high-severity Cisco security alerts before the weekend, including:

  • CVE-2020-3454: Cisco NX-OS Software Call Home Command Injection Vulnerability
  • CVE-2018-0307: Cisco NX-OS Software CLI Arbitrary Command Injection Vulnerability
  • CVE-2020-3452: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability
  • CVE-2020-3517: Cisco FXOS and NX-OS Software Cisco Fabric Services Denial of Service Vulnerability

Peter Dantini and Patrick Wardle have warned of notarized macOS adware appearing on the internet. That means the operating system won't reject them out of hand when trying to open them. Make sure you get your software from trusted locations, and not from random websites, even if notarized.

SEC Consult warns of unpatched holes in mobile hotspots

The bug-hunters at SEC Consult have unearthed vulnerabilities in an older ZTE mobile hotspot and in stock-market information software Eikon from Thomson Reuters.

In the case of ZTE, the MS910S device is out of support and thus won't be fixed: you'll have to replace it. It contains hard-coded administrator passwords, a buggy Busybox version, and a backdoored web server. In the case of Thomson Reuters, users can elevate their privileges to system-level. After more than a year, it appears Reuters hasn't patched, or confirmed it has patched, the flaw, labeled CVE-2019-10679.

US Democratic Party warned of online honey traps

A recent warning to Democratic Party staffers and supporters cautions that Republicans may be setting honey traps on dating websites to get info from Biden campaigners.

It turns out that clean-cut Republican guy or gal you fancy could be a spy aimed at getting intel from the other side. "We're received reports that opposition groups may be trying to 'sting' or infiltrate Democratic campaigns or organizations through dating sites," the Dems warn. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020