Cisco Inc., one of the network equipment manufacturing giants on the market, released a security adversary affecting Cisco IOS XR software running in 8000 series routers last Friday.
| CVE-ID | CVSS | Weakness | Description |
| CVE-2022-20821 | 6.5 | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | Cisco IOS XR Software Health Check Open Port Vulnerability |
“A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.” – reported by the cisco adversary team.
Currently, this vulnerability only affects Cisco 8000 Series Routers if they were running a vulnerable release of Cisco IOS XR Software and had the health check RPM installed and active.
| Cisco IOS XR Release | First Fixed Release |
| 7.2 and earlier | Not affected |
| 7.3.15, 7.3.16, 7.3.1, and 7.3.2 | Not affected |
| 7.3.3 | 7.3.41 |
| 7.4 | Not affected |
| 7.5.1 | Not affected |
| 7.5.2 | Not affected |
| 7.6 | Not affected |
Technical Analysis
The reported vulnerability is present in the Cisco IOS XR software health RPM component and it is by default enabled and opened a TCP port on 6397, to provide remote monitoring functionality. This port is used by the Redis instance, which is running inside the isolated sandbox, to store the device health check details.
An attacker with network access to the devices could exploit this vulnerability by connecting to the Redis instance on the open port. Assuming there is no access control in place, such as lack of ACL. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database.
The good news is that cisco assured its clients that “Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.” In another way, unless the attacker could find a new or old sandboxing escaping vuln. In the same devices, the malicious actor won’t be able to compromise the router devices fully.
Even though the vulnerable Cisco IOS XR software also runs in ASR 9000 series, NCS 5700/5500 series, and NCD 540/560 series routers, as of now, no clear reported exploitation attempts on these devices.
Detections and Mitigations
Execute run docker ps command in CLI and check if the command output returns a docker container with the name NOSi, which means your device is vulnerable.
RP/0/RP0/CPU0:8000#run docker ps
Wed May 18 04:54:52.502 UTC
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
54307e434f29 nosi:latest "docker-entrypoint.s…" 9 seconds ago Up 8 seconds NOSi
RP/0/RP0/CPU0:8000#
We have 3 ways to mitigate this vulnerability if your organization’s routers are affected.
Option 1: Disable health check and explicitly disable the use cases
Step 1: To effectively disable a health check function
RP/0/RP0/CPU0:8000(config)#no healthcheck enable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable
RP/0/RP0/CPU0:8000(config)#commit
RP/0/RP0/CPU0:8000#
Step 2: Remove the health check RPM from the device
RP/0/RP0/CPU0:8000#install package remove xr-healthcheck
Wed May 18 05:00:08.060 UTCInstall remove operation 5.2.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#
RP/0/RP0/CPU0:8000#install apply restart
Wed May 18 05:01:08.842 UTC
Install apply operation 5.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#
Option 2: Use an Infrastructure Access Control List (iACLs) to block port 6379.
To exploit this vulnerability, the attacker needs to access the TCP 6397 on the vulnerable device. So, Network or Security Administrators can construct an iACL by explicitly permitting only authorized traffic sent to infrastructure devices following existing security policies and configurations.
For better practices, iACLs should be deployed in the ingress direction on all interfaces to which the IP address has been configured.
Also Read: Threat Actors Abuse Microsoft’s HTML help file to Deliver Malware
Option 3: Update the software version to the latest
During the release of this article, only a fix for vulnerable version 7.3.3 is available, and customers can expect to receive a patch for other vulnerable releases.
References & Credits
Cisco IOS XR Software Health Check Open Port Vulnerability
Note: This article is created solely to educate professionals in the cyber frontline to prepare for the old and new threats.