-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1331.2
                  Cisco IOS XR receives security updates
                                6 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XR
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1712 CVE-2019-1711 CVE-2019-1710

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-iosxr-pim-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-ios-xr-dos

Revision History:  May    6 2019: Added mitigation for cisco-sa-20190417-iosxr-pim-dos
                   April 18 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XR 64-Bit Software for Cisco ASR 9000 Series Aggregation Services
Routers Network Isolation Vulnerability

Priority:        Critical

Advisory ID:     cisco-sa-20190417-asr9k-exr

First Published: 2019 April 17 16:00 GMT

Version 1.0:     Final

Workarounds:     Yes

Cisco Bug IDs:   CSCvn56004

CVE-2019-1710

CWE-20

CVSS Score:
9.8  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000
    Series Aggregation Services Routers running Cisco IOS XR 64-bit Software
    could allow an unauthenticated, remote attacker to access internal
    applications running on the sysadmin VM.

    The vulnerability is due to incorrect isolation of the secondary management
    interface from internal sysadmin applications. An attacker could exploit
    this vulnerability by connecting to one of the listening internal
    applications. A successful exploit could result in unstable conditions,
    including both a denial of service and remote unauthenticated access to the
    device.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco ASR 9000 Series Aggregation Services
    Routers that are running an affected version of Cisco IOS XR 64-bit
    Software and have the secondary management interface (physically MGT LAN 1
    on the route switch processor (RSP)) connected and configured. To determine
    if the secondary management interface is connected, log in to the sysadmin
    virtual machine and use the show interface command. If the secondary
    management interface is configured and connected, the device is vulnerable
    as shown in the following example (in dual route switch processor/route
    processor (RSP/RP) systems, check both active and standby RSP/RP):

        sysadmin-vm:0_RSP1:eXR# show interface
        Tue Mar  19 19:32:00.839 UTC
        MgmtEth0/RSP1/0/0  Link encap: Ethernet  HWaddr 08:96:ad:22:7a:31
          inet  addr: 192.168.0.1
          UP RUNNING BROADCAST MULTICAST   MTU:1500  Metric:1
          RX packets:      14093 errors:0 dropped:1 overruns:0   frame:0
          TX packets:         49 errors:0 dropped:0 overruns:0 carrier:0
                                 collisions:0 txqueuelen:1000
          RX bytes:                867463  TX bytes:                  6889

        sysadmin-vm:0_RSP1:eXR#

    For more information about which Cisco IOS XR Software releases are
    vulnerable, see the Fixed Software section of this advisory.
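    The check above is a manual one per RSP/RP. The following shell script is an
    added example, not part of the Cisco advisory: it parses captured sysadmin-VM
    "show interface" output (one capture per RSP/RP, collected however you
    normally gather CLI output) and prints every MgmtEth interface that is UP,
    RUNNING and has an IPv4 address, i.e. both configured and connected, which is
    the condition the advisory describes. The sample input is constructed from the
    excerpt above plus a second interface that has an address but no link, so the
    UP-without-RUNNING case is exercised; its MAC address is made up. Which
    MgmtEth name corresponds to the physical MGT LAN 1 port is not stated in the
    advisory, so treat every flagged interface as a candidate to confirm.

```shell
#!/bin/sh
# Added example (not from the Cisco advisory): triage sysadmin-VM
# "show interface" captures for management interfaces that are configured
# (inet addr present) and connected (UP and RUNNING both set).

# Reads "show interface" text on stdin; prints one qualifying MgmtEth name
# per line. An interface record starts at its "Link encap:" line; the flag
# and address lines that follow belong to the most recent record.
vulnerable_mgmt_ifaces() {
    awk '
      function flush() { if (name ~ /^MgmtEth/ && up && running && inet) print name }
      /^[^ \t].*Link encap:/        { flush(); name = $1; up = 0; running = 0; inet = 0 }
      /inet[ \t]+addr:/             { inet = 1 }
      /(^|[ \t])UP([ \t]|$)/        { up = 1 }
      /(^|[ \t])RUNNING([ \t]|$)/   { running = 1 }
      END                           { flush() }
    '
}

# Constructed sample: the advisory's MgmtEth0/RSP1/0/0 (connected), a second
# MgmtEth with an address but no link (UP without RUNNING; MAC made up), and
# the loopback, which must be ignored even though it is UP RUNNING.
sample_show_interface() {
    cat <<'EOF'
sysadmin-vm:0_RSP1:eXR# show interface
Tue Mar  19 19:32:00.839 UTC
MgmtEth0/RSP1/0/0  Link encap: Ethernet  HWaddr 08:96:ad:22:7a:31
  inet  addr: 192.168.0.1
  UP RUNNING BROADCAST MULTICAST   MTU:1500  Metric:1
  RX packets:      14093 errors:0 dropped:1 overruns:0   frame:0
  TX packets:         49 errors:0 dropped:0 overruns:0 carrier:0
                         collisions:0 txqueuelen:1000
  RX bytes:                867463  TX bytes:                  6889

MgmtEth0/RSP1/0/1  Link encap: Ethernet  HWaddr 08:96:ad:22:7a:32
  inet  addr: 10.0.0.1
  UP BROADCAST MULTICAST   MTU:1500  Metric:1

lo  Link encap: Local Loopback
  inet  addr: 127.0.0.1
  UP LOOPBACK RUNNING   MTU:65536  Metric:1

sysadmin-vm:0_RSP1:eXR#
EOF
}

# Demo on the constructed sample: prints "MgmtEth0/RSP1/0/0"
sample_show_interface | vulnerable_mgmt_ifaces
```

    For real captures, replace the sample with `vulnerable_mgmt_ifaces <
    capture.txt`; an empty result means no management interface on that RSP/RP is
    both addressed and linked. Remember that dual RSP/RP systems need the check on
    the standby card as well.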

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco IOS XR
    64-bit Software running on platforms other than the ASR 9000 Series
    Aggregation Services Routers.

Workarounds

  o Customers can perform the following workaround, which is equivalent to
    upgrading to a fixed software release. Although the reload of the sysadmin
    VM is hitless, Cisco recommends performing this change during a maintenance
    window:

    Step 1: Access the sysadmin VM:

        RP/0/RSP1/CPU0:eXR#admin
        Tue Mar 12 22:46:37.110 UTC

        root connected from 127.0.0.1 using console on host

    Step 2: Run bash and edit the calvados_bootstrap.cfg file:

        sysadmin-vm:0_RSP1:eXR# run bash
        Tue Mar 12 22:46:44.224 UTC
        bash-4.3# vi /etc/init.d/calvados_bootstrap.cfg

    Step 3: Edit the file by changing:

        #CTRL_VRF=0
        #MGMT_VRF=2

    To:

        CTRL_VRF=0
        MGMT_VRF=2

    Save the file and exit the editor. In dual RSP/RP systems, the edit must be
    performed on both the active and standby RSP/RPs.

    Step 4: Reload the sysadmin VM (repeat for both in dual systems):

        sysadmin-vm:0_RSP1:eXR# reload admin location 0/RSP1
        Tue Mar 12 22:49:28.589 UTC
        Reload node  [no,yes] yes
        result Admin VM graceful reload request on 0/RSP1 succeeded.
        sysadmin-vm:0_RSP1:eXR# RP/0/RSP1/CPU0:Mar 12 22:49:34.059 UTC: rmf_svr[402]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :RP-RED-LOST-ADMINNR :DECLARE :0/RSP1/CPU0:

        Confd is down
        RP/0/RSP1/CPU0:eXR#

    Wait until the admin VM returns:

        RP/0/RSP1/CPU0:eXR#0/RSP1/ADMIN0:Mar 12 22:59:30.220 UTC: envmon[3680]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :Power Module redundancy lost :DECLARE :0:
        RP/0/RSP1/CPU0:Mar 12 22:59:33.708 UTC: rmf_svr[402]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :RP-RED-LOST-ADMINNR :CLEAR :0/RSP1/CPU0:
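    Steps 2 and 3 are a hand edit in vi, which is easy to get subtly wrong (a
    stray leading space, one line uncommented but not the other) and hard to
    audit afterwards. The following POSIX shell script is an added example, not
    part of the Cisco advisory: it makes the same two-line change idempotently,
    keeps a backup, and verifies the result, so it can be run from "run bash" in
    the sysadmin VM on each RSP/RP in turn and re-run safely. The config path is
    a parameter so the script can be exercised on a copy first; the constructed
    test file contains only the two commented lines plus filler, since the rest
    of the real file's contents are not shown in the advisory. The script does
    not perform Step 4: "reload admin location" is an IOS XR CLI command, not a
    shell one, and still has to be issued per RSP/RP afterwards.

```shell
#!/bin/sh
# Added example (not from the Cisco advisory): apply the calvados_bootstrap.cfg
# workaround for cisco-sa-20190417-asr9k-exr in one idempotent, verifiable step.
# Usage from "run bash" in the sysadmin VM:  sh vrf_fix.sh /etc/init.d/calvados_bootstrap.cfg
# (the script name is an assumption; with no argument it only defines functions).

CFG_DEFAULT=/etc/init.d/calvados_bootstrap.cfg

# Exit 0 only when both lines are present exactly as the advisory requires.
vrf_fix_applied() {
    cfg="${1:-$CFG_DEFAULT}"
    grep -q '^CTRL_VRF=0$' "$cfg" && grep -q '^MGMT_VRF=2$' "$cfg"
}

# Uncomment "#CTRL_VRF=0" and "#MGMT_VRF=2" (tolerating whitespace after the
# "#" and at end of line), keep a .bak copy, write through a temp file that
# inherits the original's mode so a failure mid-way cannot leave a truncated
# config, then re-verify. Returns 2 if the file is missing, 1 on any failure.
apply_vrf_fix() {
    cfg="${1:-$CFG_DEFAULT}"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 2; }
    if vrf_fix_applied "$cfg"; then
        echo "already applied: $cfg"
        return 0
    fi
    cp -p "$cfg" "$cfg.bak" || return 1
    cp -p "$cfg" "$cfg.tmp" || return 1
    sed -e 's/^#[[:space:]]*CTRL_VRF=0[[:space:]]*$/CTRL_VRF=0/' \
        -e 's/^#[[:space:]]*MGMT_VRF=2[[:space:]]*$/MGMT_VRF=2/' \
        "$cfg" > "$cfg.tmp" || { rm -f "$cfg.tmp"; return 1; }
    mv "$cfg.tmp" "$cfg" || return 1
    if vrf_fix_applied "$cfg"; then
        echo "applied: $cfg (backup at $cfg.bak); now reload the admin VM"
    else
        echo "expected lines not found in $cfg; restore from $cfg.bak and edit by hand" >&2
        return 1
    fi
}

# When invoked with a path, apply to it; otherwise just define the functions.
[ $# -eq 0 ] || apply_vrf_fix "$1"
```

    After the script reports "applied" on a card, run the advisory's Step 4
    ("reload admin location 0/RSPx") for that card, then repeat both on the
    standby RSP/RP in dual systems. `vrf_fix_applied` on its own is a cheap
    post-change audit to confirm the file still carries the fix.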

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    This vulnerability has been fixed in Cisco IOS XR 64-bit Software Releases
    6.5.3 and 7.0.1; upgrading to either release makes the same change to the
    calvados_bootstrap.cfg file and reloads the device.

    Cisco will not publish a software maintenance upgrade (SMU) for this
    vulnerability due to the effectiveness of the workaround.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr

Revision History

  o +---------+--------------------------+---------+--------+----------------+
    | Version |       Description        | Section | Status |      Date      |
    +---------+--------------------------+---------+--------+----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-April-17  |
    +---------+--------------------------+---------+--------+----------------+

- --------------------------------------------------------------------------------

Cisco IOS XR Software Protocol Independent Multicast Denial of Service
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190417-iosxr-pim-dos

First Published: 2019 April 17 16:00 GMT

Last Updated:    2019 May 3 19:38 GMT

Version 1.1:     Final

Workarounds:     Yes

Cisco Bug IDs:   CSCvg43676

CVE-2019-1712

CWE-20

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Protocol Independent Multicast (PIM) feature of
    Cisco IOS XR Software could allow an unauthenticated, remote attacker to
    cause the PIM process to restart, resulting in a denial of service
    condition on an affected device.

    The vulnerability is due to the incorrect processing of crafted AutoRP
    packets. An attacker could exploit this vulnerability by sending crafted
    packets to port UDP 496 on a reachable IP address on the device. A
    successful exploit could allow the attacker to cause the PIM process to
    restart.

    There are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-iosxr-pim-dos

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco IOS XR Software. For information about
    affected software releases, consult the Cisco bug ID(s) at the top of this
    advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o In environments that do not require PIM rendezvous point mappings learned
    through Auto-RP, administrators can disable the feature with the auto-rp
    listen disable configuration command as shown in the following example:

        router pim
        address-family ipv4
          auto-rp listen disable

    After the configuration has been committed, a restart of the PIM process is
    required to disable the listening on UDP port 496. The PIM process can be
    restarted via the process restart pim CLI command.

Fixed Software

  o For information about fixed software releases , consult the Cisco bug ID(s)
    at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-iosxr-pim-dos

Revision History

  o +---------+------------------------+-------------+--------+---------------+
    | Version |      Description       |   Section   | Status |     Date      |
    +---------+------------------------+-------------+--------+---------------+
    | 1.1     | Added mitigation.      | Workarounds | Final  | 2019-May-03   |
    +---------+------------------------+-------------+--------+---------------+
    | 1.0     | Initial public         | -           | Final  | 2019-April-17 |
    |         | release.               |             |        |               |
    +---------+------------------------+-------------+--------+---------------+

- --------------------------------------------------------------------------------

Cisco IOS XR gRPC Software Denial of Service Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-20190417-ios-xr-dos

First Published: 2019 April 17 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCve12615

CVE-2019-1711

CWE-20

CVSS Score:
5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Event Management Service daemon ( emsd ) of Cisco
    IOS XR Software could allow an unauthenticated, remote attacker to cause a
    denial of service (DoS) condition on an affected device.

    The vulnerability is due to improper handling of gRPC requests. An attacker
    could exploit this vulnerability by repeatedly sending unauthenticated gRPC
    requests to the affected device. A successful exploit could cause the emsd
    process to crash, resulting in a DoS condition.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-ios-xr-dos

Affected Products

  o Vulnerable Products

    The vulnerability affects Cisco IOS XR Software when the gRPC service is
    enabled on the affected device. For information about affected software
    releases, consult the Cisco bug ID(s) at the top of this advisory.

    The following example shows the output of the show running-config | include
    grpc CLI command on a device that has the gRPC service enabled and
    configured:

        Router# show running-config | include grpc
                grpc
                !

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For information about fixed software releases , consult the Cisco bug ID(s)
    at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-ios-xr-dos

Revision History

  o +---------+--------------------------+---------+--------+----------------+
    | Version |       Description        | Section | Status |      Date      |
    +---------+--------------------------+---------+--------+----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-April-17  |
    +---------+--------------------------+---------+--------+----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----