-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2507
        Cisco IOS XR Software Health Check Open Port Vulnerability
                                23 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XR Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20821  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK

Comment: CVSS (Max):  6.5 CVE-2022-20821 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XR Software Health Check Open Port Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-iosxr-redis-ABJyE5xK
First Published: 2022 May 20 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCwb82689
CVE Names:       CVE-2022-20821
CWEs:            CWE-200

Summary

  o A vulnerability in the health check RPM of Cisco IOS XR Software could
    allow an unauthenticated, remote attacker to access the Redis instance that
    is running within the NOSi container.

    This vulnerability exists because the health check RPM opens TCP port 6379
    by default upon activation. An attacker could exploit this vulnerability by
    connecting to the Redis instance on the open port. A successful exploit
    could allow the attacker to write to the Redis in-memory database, write
    arbitrary files to the container filesystem, and retrieve information about
    the Redis database. Given the configuration of the sandboxed container that
    the Redis instance runs in, a remote attacker would be unable to execute
    remote code or abuse the integrity of the Cisco IOS XR Software host
    system.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK
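
    A way to confirm the exposure from the network, added here as an example
    and not part of Cisco's advisory: the script below speaks the Redis wire
    protocol (RESP) directly, sends only the read-only PING and INFO commands,
    and reports whether TCP port 6379 answers without authentication. Run it
    from a host outside the iACL-protected range before and after applying a
    workaround or the upgrade. The target address, the port argument and the
    verdict names are the example's own assumptions.

```python
"""Probe a host for an unauthenticated Redis listener on TCP 6379.

Added example; not Cisco's code. It speaks RESP (the Redis wire protocol)
directly so it needs nothing beyond the standard library, and it sends only
read-only commands (PING, INFO server). Host and port come from the command
line; the verdict strings are this script's own naming.
"""
import socket
import sys

DEFAULT_PORT = 6379  # port the IOS XR health check RPM opens on activation


class RespError(str):
    """A RESP error reply, e.g. 'NOAUTH Authentication required.'"""


class Incomplete(Exception):
    """Buffer does not yet hold a complete RESP value; read more first."""


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        parts.append(f"${len(data)}\r\n".encode() + data + b"\r\n")
    return b"".join(parts)


def parse_resp(buf: bytes):
    """Parse one RESP value from buf and return (value, remaining_bytes)."""
    if not buf:
        raise Incomplete
    kind = buf[:1]
    end = buf.find(b"\r\n")
    if end < 0:
        raise Incomplete
    line, rest = buf[1:end], buf[end + 2:]
    if kind == b"+":                       # simple string
        return line.decode(), rest
    if kind == b"-":                       # error reply
        return RespError(line.decode()), rest
    if kind == b":":                       # integer
        return int(line), rest
    if kind == b"$":                       # bulk string ($-1 is null)
        n = int(line)
        if n < 0:
            return None, rest
        if len(rest) < n + 2:
            raise Incomplete
        return rest[:n].decode(errors="replace"), rest[n + 2:]
    if kind == b"*":                       # array of nested values
        items = []
        for _ in range(int(line)):
            item, rest = parse_resp(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"not a RESP reply: {buf[:16]!r}")


def info_field(info_text: str, key: str):
    """Pull 'key:value' out of an INFO reply; None if the key is absent."""
    for line in info_text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    return None


def classify(ping_reply, info_reply):
    """Map the PING and INFO replies to (verdict, redis_version)."""
    if isinstance(ping_reply, RespError):
        verdict = "auth-required" if ping_reply.startswith("NOAUTH") else "redis-error"
        return verdict, None
    if ping_reply != "PONG":
        return "not-redis", None
    version = info_field(info_reply, "redis_version") if isinstance(info_reply, str) else None
    return "open-unauthenticated", version


def probe(host: str, port: int = DEFAULT_PORT, timeout: float = 3.0):
    """Connect, pipeline PING and INFO server, and classify the replies."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                 # refused, unreachable, connect timeout
        return "closed-or-filtered", str(exc)
    replies, buf = [], b""
    with sock:
        try:
            sock.sendall(encode_command("PING") + encode_command("INFO", "server"))
            while len(replies) < 2:
                try:
                    value, buf = parse_resp(buf)
                    replies.append(value)
                except Incomplete:
                    chunk = sock.recv(65536)
                    if not chunk:
                        break
                    buf += chunk
        except socket.timeout:
            return "no-reply", None        # port open, nothing RESP-shaped came back
        except ValueError:
            return "not-redis", None       # banner is not RESP (e.g. SSH, HTTP)
        except OSError as exc:
            return "connection-error", str(exc)
    if not replies:
        return "not-redis", None
    return classify(replies[0], replies[1] if len(replies) > 1 else None)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # assumed address
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    print(target, port, *probe(target, port))
```

    A verdict of open-unauthenticated on a path the workaround should have
    closed means the iACL or the RPM removal did not take effect on that
    path. An auth-required verdict indicates an instance protected by a
    password, which is not the state the advisory describes: the health
    check RPM's Redis answers unauthenticated. Both commands are sent in one
    write because Redis pipelines requests and answers them in order.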

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco 8000 Series
    Routers if they were running a vulnerable release of Cisco IOS XR Software
    and had the health check RPM installed and active.

    For information about which Cisco software releases were vulnerable at the
    time of publication, see the Fixed Software section of this advisory. See
    the Details section in the bug ID(s) at the top of this advisory for the
    most complete and current information.

    Determine the Device Configuration

    To determine if the device is in a vulnerable state, issue the run docker
    ps CLI command. If the output returns a docker container with the name
    NOSi, as shown in the following example, the device is considered
    vulnerable:

        RP/0/RP0/CPU0:8000#run docker ps
        Wed May 18 04:54:52.502 UTC
        CONTAINER ID   IMAGE         COMMAND                    CREATED         STATUS         PORTS   NAMES
        54307e434f29   nosi:latest   "docker-entrypoint.s..."   9 seconds ago   Up 8 seconds           NOSi
        RP/0/RP0/CPU0:8000#
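
    For a fleet of devices the same check can be applied to captured command
    output. The following script is an added example, not Cisco tooling: it
    parses the text of run docker ps as shown above, flags the NOSi container,
    and combines that with the IOS XR release string (assumed to be collected
    separately, for example from show version, and supplied as a plain version
    such as 7.3.3) using the Fixed Releases table later in this advisory. The
    sample output embedded in the script is constructed to match the format
    above.

```python
"""Triage 'run docker ps' captures for the NOSi container that marks the
vulnerable state described in cisco-sa-iosxr-redis-ABJyE5xK.

Added example, not Cisco tooling. Inputs are assumed to be collected
out-of-band (e.g. by an existing config-backup job): the raw text of
'run docker ps' and the IOS XR release as a plain string such as '7.3.3'.
The release mapping below is copied from the advisory's Fixed Releases
table, in which only 7.3.3 is listed as affected.
"""
import re

REDIS_CONTAINER = "NOSi"            # container name the advisory keys on
AFFECTED_RELEASES = {"7.3.3"}       # from the Fixed Releases table
FIRST_FIXED = {"7.3.3": "7.3.4"}    # an SMU for 7.3.3 is also planned

# Constructed sample, shaped like the advisory's own 'run docker ps' output.
SAMPLE_DOCKER_PS = """\
RP/0/RP0/CPU0:8000#run docker ps
Wed May 18 04:54:52.502 UTC
CONTAINER ID   IMAGE         COMMAND                    CREATED         STATUS         PORTS   NAMES
54307e434f29   nosi:latest   "docker-entrypoint.s..."   9 seconds ago   Up 8 seconds           NOSi
RP/0/RP0/CPU0:8000#
"""


def parse_docker_ps(output: str) -> list:
    """Return one dict per container row with CONTAINER_ID, IMAGE and NAMES.

    docker ps separates columns by two or more spaces and NAMES is always the
    last column even when PORTS is empty, so each row is split on runs of
    spaces and the first two and the last field are taken. The prompt echo
    ('RP/...#') and the IOS XR timestamp line before the table are skipped.
    """
    rows, in_table = [], False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("CONTAINER ID"):
            in_table = True
            continue
        if not in_table or not stripped or stripped.startswith("RP/"):
            continue
        fields = re.split(r"\s{2,}", stripped)
        if len(fields) < 6:                # ID, IMAGE, COMMAND, CREATED, STATUS, NAMES at minimum
            continue
        rows.append({"CONTAINER_ID": fields[0], "IMAGE": fields[1], "NAMES": fields[-1]})
    return rows


def assess(release: str, docker_ps_output: str) -> dict:
    """Combine the release string and the container listing into a verdict."""
    names = {row["NAMES"] for row in parse_docker_ps(docker_ps_output)}
    nosi_running = REDIS_CONTAINER in names
    result = {
        "release": release,
        "release_listed_affected": release in AFFECTED_RELEASES,
        "nosi_container_running": nosi_running,
        "first_fixed": FIRST_FIXED.get(release),
    }
    if nosi_running:
        result["verdict"] = "vulnerable: NOSi container running; apply a workaround or upgrade"
    elif release in AFFECTED_RELEASES:
        result["verdict"] = ("not currently exposed: affected release but health check RPM "
                             "not active; activating it would open TCP 6379")
    else:
        result["verdict"] = "not affected"
    return result


if __name__ == "__main__":
    for key, value in assess("7.3.3", SAMPLE_DOCKER_PS).items():
        print(f"{key}: {value}")
```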

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are workarounds that address this vulnerability:

    Option 1 (preferred): disable health check, explicitly disable its use
    cases, and then remove the health check RPM.

    To effectively disable health check, enter the following commands exactly
    as shown:

        RP/0/RP0/CPU0:8000(config)#no healthcheck enable
        RP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable
        RP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable
        RP/0/RP0/CPU0:8000(config)#commit
        RP/0/RP0/CPU0:8000#

    Then remove the health check RPM from the device:

        RP/0/RP0/CPU0:8000#install package remove xr-healthcheck
        Wed May 18 05:00:08.060 UTC
        Install remove operation 5.2.2 has started
        Install operation will continue in the background
        RP/0/RP0/CPU0:8000#
        RP/0/RP0/CPU0:8000#install apply restart
        Wed May 18 05:01:08.842 UTC
        Install apply operation 5.2 has started
        Install operation will continue in the background
        RP/0/RP0/CPU0:8000#

    Option 2: Use an infrastructure access control list (iACL) to block TCP
    port 6379.

    To protect infrastructure devices and minimize the risk, impact, and
    effectiveness of direct infrastructure attacks, administrators are advised
    to deploy infrastructure access control lists (iACLs) to perform policy
    enforcement of traffic sent to infrastructure equipment. Administrators can
    construct an iACL by explicitly permitting only authorized traffic sent to
    infrastructure devices in accordance with existing security policies and
    configurations. For the maximum protection of infrastructure devices,
    deployed iACLs should be applied in the ingress direction on all interfaces
    to which an IP address has been configured. An iACL workaround cannot
    provide complete protection against this vulnerability when the attack
    originates from a trusted source address.

    The iACL policy denies unauthorized Redis communications packets on TCP
    port 6379 that are sent to affected devices. In the following example,
    192.168.60.0/24 is the IP address space that is used by the affected
    devices. Care should be taken to allow required traffic for routing and
    administrative access before denying all unauthorized traffic. Whenever
    possible, infrastructure address space should be distinct from the address
    space used for user and services segments. Using this addressing
    methodology will assist with the construction and deployment of iACLs.

        ipv4 access-list Infrastructure-ACL-Policy
         !
         !-- The following vulnerability-specific access control entries
         !-- (ACEs) can drop Redis Database communication packets
         !
         deny tcp any 192.168.60.0 0.0.0.255 eq 6379
         !
         !-- Explicit deny ACE for traffic sent to addresses configured
         !-- within the infrastructure address space
         !
         deny ip any 192.168.60.0 0.0.0.255
        !
        !-- Permit or deny all other Layer 3 and Layer 4 traffic in
        !-- accordance with existing security policies and configurations
        !
        !-- Apply iACL to interfaces in the ingress direction
        !
        interface GigabitEthernet0/0
         ipv4 access-group Infrastructure-ACL-Policy in

    For additional information about iACLs, see Protecting Your Core:
    Infrastructure Protection Access Control Lists.

    While these workarounds have been deployed and were proven successful in a
    test environment, customers should determine the applicability and
    effectiveness in their own environment and under their own use conditions.
    Customers should be aware that any workaround or mitigation that is
    implemented may negatively impact the functionality or performance of their
    network based on intrinsic customer deployment scenarios and limitations.
    Customers should not deploy any workarounds or mitigations before first
    evaluating the applicability to their own environment and any impact to
    such environment.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    Cisco IOS XR Release                   First Fixed Release
    -------------------------------------  -------------------
    7.2 and earlier                        Not affected
    7.3.15, 7.3.16, 7.3.1, and 7.3.2       Not affected
    7.3.3                                  7.3.4 ^1
    7.4                                    Not affected
    7.5.1                                  Not affected
    7.5.2                                  Not affected
    7.6                                    Not affected

    1. An SMU is also planned for 7.3.3.

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o In May 2022, the Cisco PSIRT became aware of attempted exploitation of this
    vulnerability in the wild. Cisco strongly recommends that customers apply a
    suitable workaround or upgrade to a fixed software release to remediate
    this vulnerability.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-MAY-20  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----