Cisco IOS XR Zero Day Vulnerability Being Actively Exploited in the Wild

A medium-severity zero-day vulnerability has been found in the health check RPM of Cisco IOS XR, the Internetwork Operating System (IOS) that ships with Cisco’s networking equipment. It allows an unauthenticated, remote attacker to gain access to the Redis instance running within the NOSi container. The vulnerability is tracked as CVE-2022-20821 and has a CVSS score of 6.5. Cisco issued an advisory for it on Friday.

According to Cisco’s advisory: “This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.”

Affected Products

This vulnerability affects Cisco 8000 Series Routers that run version 7.3.3 of Cisco IOS XR Software and have the health check RPM installed.

Checking if the vulnerable version is installed:

To determine whether a device is affected, run the “run docker ps” CLI command. The device is affected when the output contains the name NOSi.

RP/0/RP0/CPU0:8000#run docker ps
Wed May 18 04:54:52.502 UTC
CONTAINER ID    IMAGE         COMMAND                 CREATED          STATUS       PORTS  NAMES
54307e434f29    nosi:latest   "docker-entrypoint.s…"  9 seconds ago    Up 8 seconds        NOSi

Credit: Cisco advisory
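
Across many routers, the same NOSi check can be run over saved CLI captures. The script below is an added example, not part of Cisco's advisory or the original article; it assumes one captured “run docker ps” session per device, and the device names (rtr-a, rtr-b, rtr-c) and the rtr-c container row are constructed sample data.

```python
import re

# A container row starts with a hex container ID. The router prompt, the
# timestamp line and the column header do not, so they are skipped.
ROW = re.compile(r"^(?P<cid>[0-9a-f]{12,64})\s+(?P<image>\S+)\s+(?P<rest>.+)$")


def parse_docker_ps(capture):
    """Parse a captured 'run docker ps' session into one dict per container."""
    rows = []
    for line in capture.splitlines():
        m = ROW.match(line.strip())
        if m:
            # NAMES is the last token on the row. PORTS is often empty, so
            # splitting on column gaps would shift the fields.
            names = m.group("rest").split()[-1].split(",")
            rows.append({"id": m.group("cid"), "image": m.group("image"),
                         "names": names})
    return rows


def audit(captures):
    """Return {device: container id} for devices listing a container named NOSi."""
    affected = {}
    for device, text in captures.items():
        for row in parse_docker_ps(text):
            if "NOSi" in row["names"]:
                affected[device] = row["id"]
    return affected


PROMPT = "RP/0/RP0/CPU0:8000#run docker ps\nWed May 18 04:54:52.502 UTC\n"
HEADER = "CONTAINER ID    IMAGE         COMMAND   CREATED   STATUS   PORTS  NAMES\n"
# Constructed sample captures: rtr-a reuses the output shown above, rtr-b has
# no containers, rtr-c has an unrelated (invented) container with a port.
SAMPLES = {
    "rtr-a": PROMPT + HEADER +
             '54307e434f29    nosi:latest   "docker-entrypoint.s\u2026"  '
             '9 seconds ago    Up 8 seconds        NOSi\n',
    "rtr-b": PROMPT + HEADER,
    "rtr-c": PROMPT + HEADER +
             'aaaaaaaaaaaa    example:1.0   "/bin/agent"  2 days ago  '
             'Up 2 days  8080/tcp  example-agent\n',
}

if __name__ == "__main__":
    for device, cid in audit(SAMPLES).items():
        print(f"{device}: NOSi container {cid} listed, apply a workaround")
```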


Cisco currently provides two workarounds for this vulnerability, listed below:
Option 1: Disable the health check and explicitly disable the use cases. This is the method Cisco prefers.

To effectively disable the health check, enter the following commands exactly as shown:

RP/0/RP0/CPU0:8000(config)#no healthcheck enable 
RP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable 

Credit: Cisco advisory

Then remove the health check RPM from the device:

RP/0/RP0/CPU0:8000#install package remove xr-healthcheck
Wed May 18 05:00:08.060 UTC
Install remove operation 5.2.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#install apply restart
Wed May 18 05:01:08.842 UTC
Install apply operation 5.2 has started
Install operation will continue in the background

Credit: Cisco advisory

Option 2: Block TCP port 6379 using an Infrastructure Access Control List (iACL).
The iACL drops all unauthorized Redis communication packets on TCP port 6379 and allows only authorized devices. However, the attack can still arrive in a Redis communication packet from an authorized (trusted) source. The iACL should be applied on every interface through which traffic from a source can reach the configured IP addresses. Before denying the unauthorized traffic, first permit the traffic required for routing and administrative access.

 ipv4 access-list Infrastructure-ACL-Policy
 !-- The following vulnerability-specific access control entries
 !-- (ACEs) can drop Redis Database communication packets
 !-- The destination (the infrastructure address space) is not shown
 !-- in the two deny ACEs below; it follows "any" in each entry
  deny tcp any eq 6379
 !-- Explicit deny ACE for traffic sent to addresses configured
 !-- within the infrastructure address space
  deny ip any
 !-- Permit or deny all other Layer 3 and Layer 4 traffic in
 !-- accordance with existing security policies and configurations
 !-- Apply iACL to interfaces in the ingress direction
 interface GigabitEthernet0/0
  ipv4 access-group Infrastructure-ACL-Policy in

Credit: Cisco advisory

Cisco has planned software maintenance upgrades (SMUs) for 7.3.3.


SanerNow security content has been published to detect this vulnerability. Cisco said it will release a patch to address the flaw but has not published a timeline. Until the patch is made available, we strongly recommend applying the mitigations provided by Cisco and following security best practices.
