You are currently viewing Cisco IOS XR Zero Day Vulnerability Being Actively Exploited in the Wild

Cisco IOS XR Zero Day Vulnerability Being Actively Exploited in the Wild

  • Post author:
  • Reading time:4 mins read

A medium severity zero-day vulnerability has been found in the health check RPM of Cisco IOS XR – An Internetwork Operating System (IOS) that is shipped with Cisco’s networking equipment. This vulnerability (CVE-2022-20821) allows an unauthenticated, remote attacker to access the Redis instance running within the NOSi container. We have cracked this vulnerability using a vulnerability management tool and assigned it CVE-2022-20821, with a CVSS score of 6.5. Cisco issued an advisory for this vulnerability on Friday.

Cisco’s advisory says, “This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.” Also, a reliable patch management tool can patch these vulnerabilities.


Affected Products In Cisco Zero Day Vulnerability:

This vulnerability CVE-2022-20821 affects Cisco 8000 Series Routers running on the 7.3.3 version of Cisco IOS XR Software and installing the health check RPM.

Checking if the vulnerable version is installed:

The user can identify if they are affected by running the “run docker ps” CLI command. The device is affected if the output contains the name ‘NOSi.’

RP/0/RP0/CPU0:8000#run docker ps
Wed May 18 04:54:52.502 UTC
CONTAINER ID    IMAGE         COMMAND                 CREATED          STATUS       PORTS  NAMES
54307e434f29    nosi:latest   "docker-entrypoint.s…"  9 seconds ago    Up 8 seconds        NOSi
RP/0/RP0/CPU0:8000#

Credit: Cisco advisory


Mitigations To Cisco Zero Day Vulnerability:

Currently, Cisco provides two workarounds for this vulnerability, listed below:
Option 1:- This is the preferred method by Cisco. By disabling health check and explicitly disabling the use-cases.

To effectively disable the health check, enter the following commands exactly as shown:

RP/0/RP0/CPU0:8000(config)#no healthcheck enable 
RP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable 
RP/0/RP0/CPU0:8000(config)#commit  
RP/0/RP0/CPU0:8000#

Credit: Cisco advisory

Then remove the health check RPM from the device:

RP/0/RP0/CPU0:8000#install package remove xr-healthcheck
Wed May 18 05:00:08.060 UTCInstall remove operation 5.2.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#
RP/0/RP0/CPU0:8000#install apply restart
Wed May 18 05:01:08.842 UTC
Install apply operation 5.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#

Credit: Cisco advisory

Option 2:– By blocking 6379, using an Infrastructure Access Control List (iACLs).
The iACL blocks all the unauthorized Redis communication packets on TCP port 6379, allowing only authorized devices. However, the attack can occur through an authorized Redis communication packet(Trusted sources). Apply the iACLs to all source-to-destination interfaces for the configured IP. The user should first give access to required traffic for routing and administrative access before denying the unauthorized traffic.

 ipv4 access-list Infrastructure-ACL-Policy 
 ! 
 !-- The following vulnerability-specific access control entries 
 !-- (ACEs) can drop Redis Database communication packets 
 !
  deny tcp any 192.168.60.0 0.0.0.255 eq 6379
 ! 
 !-- Explicit deny ACE for traffic sent to addresses configured 
 !-- within the infrastructure address space 
 !
  deny ip any 192.168.60.0 0.0.0.255
! 
!-- Permit or deny all other Layer 3 and Layer 4 traffic in 
!-- accordance with existing security policies and configurations 
! 
!-- Apply iACL to interfaces in the ingress direction 
!
interface GigabitEthernet0/0
 ipv4 access-group Infrastructure-ACL-Policy in

Credit: Cisco advisory


Solution to Cisco Zero Day Vulnerability
Cisco has planned software maintenance upgrades (SMUs) for 7.3.3.

Solution to Cisco Zero Day Vulnerability

SanerNow has published security content to detect this vulnerability. Cisco said it will release a patch to address the flaw but has not published a timeline. However, we strongly recommend that you apply the mitigations provided by Cisco and follow security best practices until the patch becomes available.

Share this article