[nsp-sec] FYI - Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

Dario Ciccarone (dciccaro) dciccaro at cisco.com
Mon Aug 31 21:49:13 EDT 2020


John, inline:

On 8/30/20, 8:40 AM, "John Kristoff" <jtk at depaul.edu> wrote:

    On Sun, 30 Aug 2020 04:33:12 +0000
    "Dario Ciccarone (dciccaro)" <dciccaro at cisco.com> wrote:

    > Always a fine line. Do you have any ideas you would like to share on
    > the above ? What would you prefer - (a) a "more generic title which
    > makes me read the SA, but may also worry me needlessly" or (b) a
    > "more specific title, but which may make me skip reading the SA - and
    > I might be affected" ?

    Not sure I have a good response to this.  I suppose it could have been
    reworded to something like "[...] DVMRP over IGMP Memory Exhaustion
    Vulnerability."

DC> Yes, that's also what we were discussing internally. That ship has sailed, but I'll make sure to write and share something w/ rest of the team for future reference, "best practices" kinda

    > As said, we struggle - and we can't write the whole SA on the title,
    > so some balance is needed.

    Since something related to IGMP came up with us before, one thing you,
    Juniper, and others have already recommended and can remind people
    again to do is limit IGMP messages to the route engine from locally
    attached hosts only.  IGMP messages shouldn't be forwarded by routers,
    and in so limiting, that would at least decrease the attack surface to
    just locally attached hosts.

DC> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141006-dvmrp ! :)
DC> John, I don't know what your experience is like, but each time we talk to customers (or advanced services folks working w/ customers, or TAC, or) we hear things that we just can't compute. "I don't know my infra addresses", "I don't know if this traffic is OK or not on my network", "I am afraid I will break something else", "it is too difficult to implement and maintain", and a gazillion others.
DC> We keep assuming customers know and have proper mechanisms in place to track and block these kinds of issues - it isn't always the case. But I know you know

    John
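
The filtering rule John describes above (only accept IGMP from locally attached hosts), as an added Python sketch that is not part of the original thread and not any vendor's configuration. It classifies raw IPv4 packets against an interface's connected prefixes; the function names, verdict strings and sample prefix are assumptions, and the packets are constructed test data.

```python
import ipaddress
import struct

IPPROTO_IGMP = 2         # IP protocol number for IGMP
IGMP_TYPE_DVMRP = 0x13   # IGMP message type used by DVMRP
# Constructed sample: the prefix attached to the ingress interface.
SAMPLE_CONNECTED = [ipaddress.ip_network("192.0.2.0/24")]

def classify_igmp(packet, connected_prefixes):
    """Verdict for one raw IPv4 packet headed to the control plane."""
    if len(packet) < 20:
        return "malformed"
    if packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl + 1:
        return "malformed"
    if packet[9] != IPPROTO_IGMP:
        return "not-igmp"
    src = ipaddress.IPv4Address(packet[12:16])
    # Assumption of this sketch: a 0.0.0.0 source (host without an address
    # yet) is treated as non-local; relax this if such hosts are expected.
    if not any(src in net for net in connected_prefixes):
        return "drop-nonlocal-source"
    if packet[ihl] == IGMP_TYPE_DVMRP:
        # Local source, but DVMRP: flag it unless DVMRP is really in use.
        return "review-dvmrp"
    return "permit"

def build_packet(src, proto, igmp_type, ttl=1):
    """Constructed test packet: 20-byte IPv4 header (checksum left at 0,
    not validated above) followed by an 8-byte IGMP-style payload."""
    payload = bytes([igmp_type]) + bytes(7)
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address("224.0.0.1").packed)
    return header + payload

if __name__ == "__main__":
    for src, typ in [("192.0.2.10", 0x16), ("198.51.100.7", 0x13),
                     ("192.0.2.10", 0x13)]:
        pkt = build_packet(src, IPPROTO_IGMP, typ)
        print(src, hex(typ), classify_igmp(pkt, SAMPLE_CONNECTED))
```
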


