[nsp-sec] FYI - Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability
John Kristoff
jtk at depaul.edu
Sun Aug 30 08:40:28 EDT 2020
On Sun, 30 Aug 2020 04:33:12 +0000
"Dario Ciccarone (dciccaro)" <dciccaro at cisco.com> wrote:
> Always a fine line. Do you have any ideas you would like to share on
> the above ? What would you prefer - (a) a "more generic title which
> makes me read the SA, but may also worry me needlessly" or (b) a
> "more specific title, but which may make me skip reading the SA - and
> I might be affected" ?

Not sure I have a good response to this. I suppose it could have been
reworded to something like "[...] DVMRP over IGMP Memory Exhaustion
Vulnerability."

> As said, we struggle - and we can't write the whole SA on the title,
> so some balance is needed.

Since something related to IGMP came up with us before, one thing you,
Juniper, and others have already recommended and can remind people
again to do is limit IGMP messages to the route engine from locally
attached hosts only. IGMP messages shouldn't be forwarded by routers,
and in so limiting, that would at least decrease the attack surface to
just locally attached hosts.
John
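
The check described in the message above (accept IGMP at the control plane only when it comes from a locally attached host), modelled in Python as an added example that is not part of the original message or of any vendor's configuration. The function names, the connected prefix 192.0.2.0/24 and the sample packets are assumptions constructed for illustration; on a router this policy would be expressed as a control-plane filter.

```python
import ipaddress
import struct

IPPROTO_IGMP = 2
IGMP_TYPE_DVMRP = 0x13  # IGMP type value that carries DVMRP messages


def build_packet(src, dst, proto=IPPROTO_IGMP, igmp_type=0x22):
    """Constructed sample: minimal IPv4 header (checksum left 0) + 8-byte payload."""
    payload = bytes([igmp_type, 0, 0, 0, 0, 0, 0, 0])
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         1, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def igmp_verdict(packet, connected_prefix):
    """Decide what a control-plane filter would do with a packet received on
    an interface whose directly connected subnet is connected_prefix."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop-malformed"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop-malformed"
    if packet[9] != IPPROTO_IGMP:
        return "not-igmp"            # other protocols are out of scope here
    if len(packet) < ihl + 8:        # IGMP messages are at least 8 bytes
        return "drop-malformed"
    src = ipaddress.IPv4Address(packet[12:16])
    if src not in ipaddress.ip_network(connected_prefix):
        return "drop-remote"         # IGMP that a router forwarded: not local
    kind = "dvmrp" if packet[ihl] == IGMP_TYPE_DVMRP else "igmp"
    return "accept-local-" + kind


SAMPLES = [  # constructed packets using documentation address ranges
    build_packet("192.0.2.10", "224.0.0.22"),                  # local host report
    build_packet("192.0.2.20", "224.0.0.4", igmp_type=0x13),   # local DVMRP
    build_packet("198.51.100.7", "192.0.2.1", igmp_type=0x13), # non-local DVMRP
    build_packet("198.51.100.7", "192.0.2.1", proto=17),       # UDP, not IGMP
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(igmp_verdict(pkt, "192.0.2.0/24"))
```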