-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.1615.2
             Cisco IOS XR Software for ASR 9000 Series Routers
        Lightspeed-Plus Line Cards Denial of Service Vulnerability
                               29 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XR Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20714  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk

Comment: CVSS (Max):  8.6 CVE-2022-20714 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Revision History:  April 29 2022: Vendor added vulnerable products
                   April 14 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XR Software for ASR 9000 Series Routers Lightspeed-Plus Line Cards
Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-lsplus-Z6AQEOjk
First Published: 2022 April 13 16:00 GMT
Last Updated:    2022 April 28 21:28 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy48962
CVE Names:       CVE-2022-20714
CWEs:            CWE-126

Summary

  o A vulnerability in the data plane microcode of Lightspeed-Plus line cards
    for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact
    High-Performance Routers, and ASR 9903 Compact High-Performance Routers
    could allow an unauthenticated, remote attacker to cause the line card to
    reset.

    This vulnerability is due to the incorrect handling of malformed packets
    that are received on the Lightspeed-Plus line cards. An attacker could
    exploit this vulnerability by sending a crafted IPv4 or IPv6 packet through
    an affected device. A successful exploit could allow the attacker to cause
    the Lightspeed-Plus line card to reset, resulting in a denial of service
    (DoS) condition for any traffic that traverses that line card.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk

    This advisory is part of the April 2022 release of the Cisco IOS XR
    Software Security Advisory Bundled Publication. For a complete list of the
    advisories and links to them, see Cisco Event Response: April 2022 Cisco
    IOS XR Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco ASR 9000 Series Aggregation Services
    Routers if they are running a vulnerable release of Cisco IOS XR 64-bit
    Software and have a Lightspeed-Plus-based line card installed.

    This vulnerability also affects the following Cisco products if they are
    running a vulnerable release of Cisco IOS XR 64-bit Software:

       ASR 9902 Compact High-Performance Routers
       ASR 9903 Compact High-Performance Routers

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine Which Line Cards are Installed

    To determine which line cards are installed in the device, use the show
    platform CLI command.

    The following line cards are Lightspeed-Plus-based:

       A9K-4HG-FLEX-SE
       A9K-4HG-FLEX-TR
       A9K-8HG-FLEX-SE
       A9K-8HG-FLEX-TR
       A9K-20HG-FLEX-SE
       A9K-20HG-FLEX-TR
       A99-4HG-FLEX-SE
       A99-4HG-FLEX-TR
       A99-10X400GE-X-SE
       A99-10X400GE-X-TR
       A99-32X100GE-X-SE
       A99-32X100GE-X-TR

    For more information about line card type identification, see ASR 9000
    Series Line Card Types.

    Note: The Cisco Lightspeed-Plus list of product identifiers was accurate at
    the time of publication. For specific questions and further clarification
    about a product identifier, contact the Cisco Technical Assistance Center
    (TAC).

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XE Software
       IOS XR Platforms not listed in the Vulnerable Products section of this
        advisory
       NX-OS Software

Details

  o When this vulnerability is successfully exploited, logs will show a warning
    message similar to the following:

        npu_server[351]: %PLATFORM-NP-4-HARD_RESET_START : NP0: Performing recovery action for an internal network processor error. (PA2REG.ppe_int1)
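    The message above is the only exploitation indicator the advisory gives.
    The script below is an added example for this bulletin, not Cisco tooling:
    it pulls %PLATFORM-NP-4-HARD_RESET_START messages from saved syslog text,
    records which node and network processor each reset came from, and flags a
    (node, NP) pair that reset repeatedly inside a short window, which is what
    sustained crafted traffic through one card would look like. The IOS XR
    syslog prefix layout (node:timestamp: process[pid]: %MNEMONIC : text), the
    year, and every sample line are constructed assumptions; only the message
    body is taken from the advisory. A hit is a trigger to correlate with
    traffic captures and the exposure check, not proof of attack, because the
    message text reports a generic internal NP error rather than naming this
    CVE.

```python
"""Scan syslog text for the NP hard-reset message cited in cisco-sa-lsplus-Z6AQEOjk.

Added example, not from the advisory. The syslog prefix format and the sample
lines are constructed; only the npu_server message body is quoted from Cisco.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Leading node and timestamp fields are an assumed IOS XR syslog layout; the
# message body after npu_server[...] is the advisory's text verbatim.
RESET_RE = re.compile(
    r"^(?P<node>\S+?):(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: \S+)?: "
    r"npu_server\[\d+\]: %PLATFORM-NP-4-HARD_RESET_START : (?P<np>NP\d+): "
    r"Performing recovery action for an internal network processor error\. "
    r"\((?P<reason>[^)]*)\)"
)

# Constructed sample log: two resets of NP0 on slot 0/0 four minutes apart,
# one unrelated line, and a single reset of NP1 on slot 0/1.
SAMPLE_LOG = """\
LC/0/0/CPU0:Apr 28 10:15:22.101 UTC: npu_server[351]: %PLATFORM-NP-4-HARD_RESET_START : NP0: Performing recovery action for an internal network processor error. (PA2REG.ppe_int1)
RP/0/RSP0/CPU0:Apr 28 10:15:40.512 UTC: config[65857]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'ops'.
LC/0/0/CPU0:Apr 28 10:19:05.330 UTC: npu_server[351]: %PLATFORM-NP-4-HARD_RESET_START : NP0: Performing recovery action for an internal network processor error. (PA2REG.ppe_int1)
LC/0/1/CPU0:Apr 28 11:02:17.004 UTC: npu_server[351]: %PLATFORM-NP-4-HARD_RESET_START : NP1: Performing recovery action for an internal network processor error. (PA2REG.ppe_int1)
"""


def parse_np_resets(log_text: str, year: int = 2022) -> list[dict]:
    """Return one record per NP hard-reset message found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = RESET_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"node": m["node"], "np": m["np"],
                       "reason": m["reason"], "time": when})
    return events


def resets_per_np(events: list[dict]) -> dict[tuple[str, str], int]:
    """Total resets keyed by (node, NP)."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        counts[(e["node"], e["np"])] += 1
    return dict(counts)


def flag_repeated_resets(events: list[dict], window_s: int = 600,
                         threshold: int = 2) -> dict[tuple[str, str], int]:
    """Return (node, NP) pairs with at least `threshold` resets inside any
    sliding window of `window_s` seconds, mapped to the largest such count."""
    by_key: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        by_key[(e["node"], e["np"])].append(e["time"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    evs = parse_np_resets(SAMPLE_LOG)
    print("resets per NP:", resets_per_np(evs))
    print("repeated within 10 min:", flag_repeated_resets(evs))
```

    Feed it the output of `show logging` (or the collector's copy of the
    router's syslog) and tune the window and threshold to the card's normal
    behaviour; on a healthy card NP hard resets should be rare.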

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers with service contracts that entitle
    them to regular software updates should obtain security fixes through their
    usual update channels.

    Customers may only install and expect support for software versions and
    feature sets for which they have purchased a license. By installing,
    downloading, accessing, or otherwise using such software upgrades,
    customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information
    about licensing and downloads. This page can also display customer device
    support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases.
    The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability. Customers are advised to upgrade
    to an appropriate fixed software release as indicated in this section.

    Cisco IOS XR Software Release   First Fixed Release
    7.0 and earlier                 Not vulnerable.
    7.1                             Vulnerable; migrate to a fixed release or apply an
                                    SMU or Service Pack.
    7.2                             Not vulnerable; no ASR9K support.
    7.3                             7.3.2
    7.4 and later                   Not affected.

    Cisco has released the following SMUs to address this vulnerability.
    Customers who require SMUs for releases that are not listed are advised to
    contact their support organization.

    Cisco IOS XR Software Release     Platform   SMU Name
    7.1.2                             ASR9K-X64  asr9k-x64-7.1.2.CSCvy48962
    7.1.3                             ASR9K-X64  asr9k-x64-7.1.3.CSCvz75757

    Cisco has released the following Service Packs that include the SMU to
    address this vulnerability.

    Cisco IOS XR Software Release      Platform   Service Pack Name
    7.1.2                              ASR9K-X64  asr9k-px-7.1.2.k9-sp1.tar

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.
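    The two checks the advisory asks for, the Lightspeed-Plus PID list from
    show platform and the fixed-release table above, are easy to get wrong by
    hand across a fleet. The script below is an added example for this
    bulletin, not Cisco tooling: it takes saved `show version`, `show platform`
    and `show install active summary` text and reports whether a chassis is
    exposed and what the advisory says to do. The PID list, release table and
    SMU bug IDs are copied from the advisory; the CLI column layout in the
    constructed sample output, the assumption that an installed SMU (or the
    Service Pack that bundles it) shows its bug ID in the active package list,
    and the `compact_9902_9903` flag for the fixed-configuration ASR 9902/9903
    chassis are mine.

```python
"""Exposure triage for CVE-2022-20714 (cisco-sa-lsplus-Z6AQEOjk).

Added example, not Cisco tooling. Applies the advisory's Lightspeed-Plus PID
list and fixed-release table to saved IOS XR CLI output. The sample CLI text
is constructed; only the PID and 'Version x.y.z' tokens are relied on.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lightspeed-Plus product IDs exactly as listed in the advisory.
LSPLUS_PIDS = {
    "A9K-4HG-FLEX-SE", "A9K-4HG-FLEX-TR",
    "A9K-8HG-FLEX-SE", "A9K-8HG-FLEX-TR",
    "A9K-20HG-FLEX-SE", "A9K-20HG-FLEX-TR",
    "A99-4HG-FLEX-SE", "A99-4HG-FLEX-TR",
    "A99-10X400GE-X-SE", "A99-10X400GE-X-TR",
    "A99-32X100GE-X-SE", "A99-32X100GE-X-TR",
}

# Bug IDs of the SMUs the advisory lists for the 7.1 train. Assumption: an
# installed SMU (or the Service Pack bundling it) shows its bug ID in
# 'show install active summary'.
SMU_BUG_IDS = {(7, 1, 2): "CSCvy48962", (7, 1, 3): "CSCvz75757"}

PID_RE = re.compile(r"\b(A9[K9]-[A-Z0-9-]+)")
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def lsplus_cards(show_platform: str) -> list[str]:
    """Lightspeed-Plus PIDs present in 'show platform' output."""
    return sorted({p for p in PID_RE.findall(show_platform) if p in LSPLUS_PIDS})


def running_version(show_version: str) -> tuple[int, int, int]:
    """Release triple from 'show version' output."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no 'Version x.y.z' token in show version output")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def release_status(ver: tuple[int, int, int], show_install: str = "") -> str:
    """Map a release to the advisory's fixed-release table and SMU list."""
    major, minor, patch = ver
    if (major, minor) <= (7, 0):
        return "not vulnerable (7.0 and earlier)"
    if (major, minor) == (7, 1):
        bug = SMU_BUG_IDS.get(ver)
        if bug and bug in show_install:
            return f"fixed by SMU {bug}"
        if bug:
            return f"vulnerable: apply SMU {bug} (or its Service Pack) or migrate"
        return "vulnerable: no SMU listed for this 7.1.x, contact support or migrate"
    if (major, minor) == (7, 2):
        return "not vulnerable (7.2 has no ASR9K support)"
    if (major, minor) == (7, 3):
        return "fixed (7.3.2 or later)" if patch >= 2 else "vulnerable: upgrade to 7.3.2"
    return "not affected (7.4 and later)"


@dataclass
class Assessment:
    version: tuple[int, int, int]
    cards: list[str]
    status: str
    exposed: bool


def assess(show_version: str, show_platform: str, show_install: str = "",
           compact_9902_9903: bool = False) -> Assessment:
    """Exposed = vulnerable release AND (LS+ card present OR ASR 9902/9903)."""
    ver = running_version(show_version)
    cards = lsplus_cards(show_platform)
    status = release_status(ver, show_install)
    exposed = status.startswith("vulnerable") and (bool(cards) or compact_9902_9903)
    return Assessment(ver, cards, status, exposed)


# Constructed sample output; column layout is an approximation of IOS XR 64-bit.
SAMPLE_VERSION = "Cisco IOS XR Software, Version 7.1.2 LNTGA\n"
SAMPLE_PLATFORM = """\
Node              Type                       State             Config state
--------------------------------------------------------------------------------
0/RSP0/CPU0       A9K-RSP880-SE(Active)      IOS XR RUN        NSHUT
0/0/CPU0          A9K-8HG-FLEX-SE            IOS XR RUN        NSHUT
0/1/CPU0          A9K-24X10GE-1G-SE          IOS XR RUN        NSHUT
"""
SAMPLE_INSTALL = "Active Packages: 1\n    asr9k-xr-7.1.2 version=7.1.2 [Boot image]\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_PLATFORM, SAMPLE_INSTALL))
```

    Run it against the three command outputs collected from each ASR 9000 in
    the estate; a result with `exposed=True` names the SMU or target release
    from the advisory, and a 7.1.x release without a listed SMU is reported as
    needing a support case, as the advisory directs.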

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use
    of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Cisco IOS XR Software Security Advisory
    Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk

Revision History

  o +---------+-----------------------+----------------+--------+-------------+
    | Version |      Description      |    Section     | Status |    Date     |
    +---------+-----------------------+----------------+--------+-------------+
    | 1.1     | Added vulnerable      | Affected       | Final  | 2022-APR-28 |
    |         | products.             | Products       |        |             |
    +---------+-----------------------+----------------+--------+-------------+
    | 1.0     | Initial public        | -              | Final  | 2022-APR-13 |
    |         | release.              |                |        |             |
    +---------+-----------------------+----------------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYmsgdONLKJtyKPYoAQhM9A/+Ke5iMYzW0aenM0BJ+7e06qwVOYoJdyii
dluyDE7HAoVG3gWrdsNXDyppHx5LaWY35rf8Sj0vcJR97MBCjbzk6ZrYm+ccN9Y8
Ih49NAADUVWk5/aVX8xaUGmiQ9j1ieaSTYBCcE9qIxWTi4y/jotyZepe5pBsGY8i
O67/Ag8nyPcKS2yHbz0HfBaqw2JqifchaIWgNSmul8WobNtvf/pX9N/IqqrYfwkD
Yh5KaCz4wXOsinb7Whw1/KaxuslGUU930RWIEF5CacF0tPOEDFj6RO8yuh+JutM0
HE5UytXLOKHyWagzLYxkLdAl8XO18iIRoY/6lB9efEp7ixUiR2S6aS3nltcT9enL
94R6HG0qwpPa2Aeku84sIocM85PJtHDxiAwyarBlUruC8xE6VGS0KMzOCabezTbP
yNPQauCk8yWH1Uy6Q46mRO70VorAfvdb/9TmwKdw3e3ofXV8UyCErIX4DyCW1hiJ
i9YC5MxvUWBMA8LL7kXjsdrJyGlyzEPFZhSirkRyoqPlBHSTVm+zWwojMGIKNhyz
j9vEKRGrbPYeXv7hx9d0RZ6+kprdBgasd7FrjCHsPrd5j9tUhQS3hkiOd1hsFIDo
OYs3j4eMgVNwRIFcy7EdfcIV60e46LMqc8lWhpJZdYFzCw7WShDpd1WprDbC6k/1
RlujXualY7g=
=M5if
-----END PGP SIGNATURE-----