-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3833.3
       Cisco IOS XR Software Enhanced Preboot eXecution Environment
                   Unsigned Code Execution Vulnerability
                             18 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XR Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3284  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2

Revision History:  November 18 2020: Vendor updated fixed release section
                   November  6 2020: Vendor issued minor clarifications
                   November  5 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XR Software Enhanced Preboot eXecution Environment Unsigned Code
Execution Vulnerability

Priority:        High
Advisory ID:     cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2
First Published: 2020 November 4 16:00 GMT
Last Updated:    2020 November 17 20:46 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvi82550 CSCvq23340 CSCvq31064 CSCvu31574
CVE Names:       CVE-2020-3284
CWEs:            CWE-284

CVSS Score:
8.1  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the enhanced Preboot eXecution Environment (PXE) boot
    loader for Cisco IOS XR 64-bit Software could allow an unauthenticated,
    remote attacker to execute unsigned code during the PXE boot process on an
    affected device. The PXE boot loader is part of the BIOS and runs over the
    management interface of hardware platforms that are running Cisco IOS XR
    Software only.

    The vulnerability exists because internal commands that are issued when the
    PXE network boot process is loading a software image are not properly
    verified. An attacker could exploit this vulnerability by compromising the
    PXE boot server and replacing a valid software image with a malicious one.
    Alternatively, the attacker could impersonate the PXE boot server and send
    a PXE boot reply with a malicious file. A successful exploit could allow
    the attacker to execute unsigned code on the affected device.

    Note: To fix this vulnerability, both the Cisco IOS XR Software and the
    BIOS must be upgraded. The BIOS code is included in Cisco IOS XR Software
    but might require additional installation steps. For further information,
    see the Fixed Software section of this advisory.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices if they are running a vulnerable
    release of Cisco IOS XR 64-bit Software and the following conditions are
    met:

       o The product ID (PID) of the device matches one of the PIDs listed in
         the Fixed Software section of this advisory.
       o The device is running a vulnerable BIOS version.
       o The device uses PXE for network boot.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine the Product ID

    To check the PID of a device, use the show inventory raw CLI command. The
    following example shows the output of the command for a device that has the
    PID NC55-RP:

        RP/0/RP0/CPU0:router# show inventory raw
        .
        .
        .

        NAME: "0/RP0", DESCR: "NCS 5500 Route Processor"
        PID: NC55-RP           , VID: V01, SN: SAL1926HRW5

        NAME: "0/1/* - cpu", DESCR: "cpu"
        PID: , VID: V00, SN: SAD093000JR

        NAME: "0/1/* - cpu - 1.6V_P0", DESCR: "Voltage Sensor"
        PID: , VID: N/A, SN:
        .
        .
        .

    If the PID is listed in one of the tables in the Fixed Software section of
    this advisory, then the device may be vulnerable if it is running a
    vulnerable BIOS version and is using PXE for network boot.

    Determine the BIOS Version

    To determine which BIOS version is running on a device, use the show fpd
    package CLI command. The following example shows the output for a device
    that has the PID A9K-RSP880-LT-TR and is running BIOS version 17.16:

    RP/0/RSP0/CPU0:router# show fpd package
    Wed Nov 4 21:55:45.713 UTC
    =======================       ================================================
                                  Field Programmable Device Package
                                  ================================================
    Card Type                     FPD Description                   Type  Subtype  SW             Min Req    Min Req
                                                                                   Version        SW Vers    HW Vers
    =======================       ==========================        ====  =======  ===========    ========   =========
    ASR-9910-BPID2                Can Bus Ctrl (CBC) BP2            bp    cbc      7.105          0.00       0.1
                                  Can Bus Ctrl (CBC) BP2            lc    cbc      7.105          0.00       0.1
    --------------------------------------------------------------------------------------------------------------------
    .
    .
    .

                                  Can Bus Ctrl (CBC) RSP4           lc    cbc      50.01          0.00       0.0
                                  MB CPUCtrl                        lc    fpga2    0.13           0.00       0.0
                                  DBCtrl                            lc    fpga3    0.05           0.00       0.0
                                  DBCtrl                            lc    fpga4    0.04           0.00       0.0
    A9K-RSP880-LT-TR              DBCtrl                            lc    fpga5    0.04           0.00       0.0
                                  Fsbl                              lc    fsbl     1.103          0.00       0.0
                                  LinuxFW                           lc    lnxfw    1.103          0.00       0.0
                                  ROMMONB RSP4L                     lc    rommon   17.16          0.00       0.0

    --------------------------------------------------------------------------------------------------------------------
    .
    .
    .

    To determine which BIOS version is running on a Network Convergence System
    5500 Series Router, use the show hw-module fpd Bootloader CLI command. The
    following example shows the output for a device that has the PID NC55-RP-E
    and is running BIOS version 1.20:

        RP/0/RP0/CPU0:router#show hw-module fpd Bootloader
        Wed Sep 11 18:43:06.989 UTC                                      FPD Versions
                                                                       =================
        Location   Card type        HWver FPD device       ATR Status   Running Programd
        ------------------------------------------------------------------------------
        0/5       NC55-MOD-A-S      0.201 Bootloader           CURRENT    1.02    1.02
        0/6       NC55-24H12F-SE    0.0   Bootloader           NEED UPGD  1.11    1.11
        0/RP0     NC55-RP-E         1.1   Bootloader           CURRENT    1.20    1.20
        0/RP1     NC55-RP-E         1.1   Bootloader           CURRENT    1.20    1.20
        .
        .
        .

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       o 8000 Series Routers
       o Carrier Routing System (CRS-X)
       o IOS Software
       o IOS XE Software
       o IOS XR 32-bit Software
       o IOS XR White box (IOSXRWBD)
       o IOS XRv 9000 Router
       o Network Convergence System (NCS) 6000 Series Routers
       o NX-OS Software
       o UCS 6200 Series Fabric Interconnects
       o UCS 6300 Series Fabric Interconnects
       o UCS 6400 Series Fabric Interconnects
       o UCS B-Series Blade Servers
       o UCS C-Series M3 Rack Servers - Standalone
       o UCS C-Series M4 Rack Servers - Standalone
       o UCS C-Series M5 Rack Servers - Managed
       o UCS C-Series M5 Rack Servers - Standalone

Details

  o PXE is included in the network card of the management interface of routers
    that are running Cisco IOS XR Software and is part of the device BIOS. PXE
    is used to re-image the system and boot the router in case of boot failure
    or in the absence of a valid, bootable partition. PXE acts as a bootloader
    and provides the flexibility to choose the image that the system will boot
    based on the PID, the serial number, or the management interface MAC
    address. PXE downloads an ISO image, which is specified as part of the PXE
    reply from a PXE boot server, installs the ISO contents onto the device,
    and then transfers control to the installed software image.

    PXE must be defined in the DHCP server configuration file. For additional
    information, see Boot using iPXE and Boot the Router Using iPXE.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    In the following tables, the left column lists the PIDs of Cisco products
    that may be affected by this vulnerability. The center column lists the
    first release of Cisco IOS XR 64-bit Software that includes the fix for
    this vulnerability. The right column lists the first version of the BIOS
    that includes the fix for this vulnerability.

    PIDs that are not shown in these tables are not known to be affected by
    this vulnerability. BIOS versions earlier than the first fixed version are
    affected by this vulnerability.

    A fixed BIOS image must be installed on the device in order to fix this
    vulnerability. The BIOS image is not provided in a standalone package but
    is embedded in Cisco IOS XR Software. In some cases, the BIOS may not
    automatically update when Cisco IOS XR Software is upgraded. To check the
    BIOS version, use the show fpd package or show hw-module fpd Bootloader 
    command, as shown in the Vulnerable Products section. If the BIOS has not
    been upgraded to a fixed version, as listed below, see Upgrading
    Field-Programmable Device and use the upgrade hw-module location command to
    upgrade the BIOS.

    ASR 9000 Series Route Switch Processor

    Cisco ASR 9000 Series PIDs ^1        First Fixed Release of Cisco IOS     First Fixed BIOS Version
                                         XR Software for This Vulnerability   for This Vulnerability
    A9K-RSP880-SE, A9K-RSP880-TR         6.5.2                                10.65
    A99-RP2-SE, A99-RP2-TR               6.5.2                                14.35
    A99-RSP-SE, A99-RSP-TR               6.5.2                                16.14
    A9K-RSP880-LT-SE, A9K-RSP880-LT-TR   6.5.2                                17.34
    ASR-9901-RP                          6.5.2                                22.20
    A99-RP3-SE, A99-RP3-TR               6.5.2                                30.23
    A9K-RSP5-SE, A9K-RSP5-TR             6.5.2                                31.20

    1. Some PIDs may apply to devices that can run both the 32-bit and 64-bit
    images of Cisco IOS XR Software. Only the 64-bit image is known to be
    vulnerable.

    Network Convergence System 1000 Series

    Cisco NCS 1000 Series PIDs ^1   First Fixed Release of Cisco IOS     First Fixed BIOS Version
                                    XR Software for This Vulnerability   for This Vulnerability
    NCS1001, NCS1002, NCS1004       7.1.1                                14.60

    1. All PIDs and all permutations of each PID for this device are
    vulnerable.

    Network Convergence System 540 Routers

    Cisco NCS 540 PIDs                          First Fixed Release of Cisco IOS     First Fixed BIOS Version
                                                XR Software for This Vulnerability   for This Vulnerability
    N540-12Z20G-SYS-A/D, N540-24Z8Q2C-M,        7.2.1                                1.15
    N540-28Z4C-SYS-A/D, N540-ACC-SYS,
    N540X-16Z4G8Q2C-A/D, N540X-12Z16G-SYS-A/D

    Network Convergence System 560 Routers

    Cisco NCS 560 PIDs              First Fixed Release of Cisco IOS     First Fixed BIOS Version
                                    XR Software for This Vulnerability   for This Vulnerability
    N560-4-SYS ^1, N560-7-SYS ^1    6.6.3 and 7.0.2                      0.14

    1. All permutations of this PID are vulnerable.

    Network Convergence System 5000 Series Routers

    Cisco NCS 5000 Series PIDs ^1   First Fixed Release of Cisco IOS     First Fixed BIOS Version
                                    XR Software for This Vulnerability   for This Vulnerability
    NCS5001, NCS5002                7.2.1                                1.13
    NCS5011                         7.2.1                                1.14

    1. All PIDs and all permutations of each PID for this device are
    vulnerable.

    Network Convergence System 5500 Series Routers

    Cisco NCS 5500 Series PIDs ^1                   First Fixed Release of Cisco IOS     First Fixed BIOS Version
                                                    XR Software for This Vulnerability   for This Vulnerability
    NC55-RP, NC55-RP-E                              6.6.3                                9.30
    NCS-5501, NCS-5501-SE, NCS-5502, NCS-5502-SE    6.6.3                                1.21
    NCS-55A2-MOD-S, NCS-55A2-MOD-HD-S,              6.6.3                                1.12
    NCS-55A2-MOD-HX-S, NCS-55A2-MOD-SE-S,
    NCS-55A2-MOD-SE-H-S, NCS-55A1-36H-SE-S,
    NCS-55A1-36H-S, NCS-55A1-24H, NCS55-A1-48Q6H,
    NCS-55A1-24Q6H-S

    1. NC55-RP2-E is not vulnerable.
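    The following triage helper is an added example, not code from Cisco or
    AusCERT: it parses the output of the show fpd package and show hw-module
    fpd Bootloader commands named above and compares the running BIOS version
    against the first fixed version from the tables. It covers the BIOS side
    only (the Cisco IOS XR release still has to be checked separately), and it
    assumes FPD versions compare component-wise as integers.

```python
import re

# First fixed BIOS version per PID, from the Fixed Releases tables above.
FIXED_BIOS = {pid: bios for bios, pids in [
    ("10.65", "A9K-RSP880-SE A9K-RSP880-TR"),
    ("14.35", "A99-RP2-SE A99-RP2-TR"),
    ("16.14", "A99-RSP-SE A99-RSP-TR"),
    ("17.34", "A9K-RSP880-LT-SE A9K-RSP880-LT-TR"),
    ("22.20", "ASR-9901-RP"),
    ("30.23", "A99-RP3-SE A99-RP3-TR"),
    ("31.20", "A9K-RSP5-SE A9K-RSP5-TR"),
    ("14.60", "NCS1001 NCS1002 NCS1004"),
    ("1.15", "N540-12Z20G-SYS-A/D N540-24Z8Q2C-M N540-28Z4C-SYS-A/D "
             "N540-ACC-SYS N540X-16Z4G8Q2C-A/D N540X-12Z16G-SYS-A/D"),
    ("0.14", "N560-4-SYS N560-7-SYS"),
    ("1.13", "NCS5001 NCS5002"),
    ("1.14", "NCS5011"),
    ("9.30", "NC55-RP NC55-RP-E"),
    ("1.21", "NCS-5501 NCS-5501-SE NCS-5502 NCS-5502-SE"),
    ("1.12", "NCS-55A2-MOD-S NCS-55A2-MOD-HD-S NCS-55A2-MOD-HX-S "
             "NCS-55A2-MOD-SE-S NCS-55A2-MOD-SE-H-S NCS-55A1-36H-SE-S "
             "NCS-55A1-36H-S NCS-55A1-24H NCS55-A1-48Q6H NCS-55A1-24Q6H-S"),
] for pid in pids.split()}

def version_key(version):
    # Assumption: FPD versions compare component-wise as integers (17.16 < 17.34).
    return tuple(int(part) for part in version.split("."))

def bios_from_fpd_package(text):
    """BIOS version: the SW Version of the 'rommon' row in 'show fpd package'."""
    match = re.search(r"\brommon\s+(\d+(?:\.\d+)*)", text)
    return match.group(1) if match else None

def bootloaders_from_hw_module(text):
    """{location: (PID, running version)} from 'show hw-module fpd Bootloader'."""
    rows = {}
    for tokens in (line.split() for line in text.splitlines()):
        # Status is one word ("CURRENT") or two ("NEED UPGD"): index from the right.
        if len(tokens) >= 7 and tokens[3] == "Bootloader":
            rows[tokens[0]] = (tokens[1], tokens[-2])
    return rows

def assess(pid, bios):
    """'not listed' (PID absent from the tables), 'fixed' or 'vulnerable'."""
    fixed = FIXED_BIOS.get(pid)
    if fixed is None:
        return "not listed"
    return "fixed" if version_key(bios) >= version_key(fixed) else "vulnerable"

def triage_hw_module(text):
    """Verdict per slot from 'show hw-module fpd Bootloader' output."""
    return {loc: assess(pid, run)
            for loc, (pid, run) in bootloaders_from_hw_module(text).items()}

# Sample outputs, abridged from the command output quoted in the advisory above.
FPD_PACKAGE_SAMPLE = "A9K-RSP880-LT-TR   ROMMONB RSP4L   lc    rommon   17.16   0.00   0.0\n"
HW_MODULE_SAMPLE = """\
Location   Card type        HWver FPD device       ATR Status   Running Programd
0/6       NC55-24H12F-SE    0.0   Bootloader           NEED UPGD  1.11    1.11
0/RP0     NC55-RP-E         1.1   Bootloader           CURRENT    1.20    1.20
"""

if __name__ == "__main__":
    print(assess("A9K-RSP880-LT-TR", bios_from_fpd_package(FPD_PACKAGE_SAMPLE)))  # vulnerable
    print(triage_hw_module(HW_MODULE_SAMPLE))  # {'0/6': 'not listed', '0/RP0': 'vulnerable'}
```

    A "fixed" verdict here only means the BIOS is at or past the first fixed
    version; a line card PID that is not in the tables reports "not listed".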

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Martin Ramsdale of Cisco during internal
    security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2

Revision History

  o +---------+---------------------------+------------+--------+-------------+
    | Version |        Description        |  Section   | Status |    Date     |
    +---------+---------------------------+------------+--------+-------------+
    | 1.2     | Removed 6.6.25 as a fixed | Fixed      | Final  | 2020-NOV-17 |
    |         | release.                  | Releases   |        |             |
    +---------+---------------------------+------------+--------+-------------+
    |         | Clarified the first       |            |        |             |
    |         | vulnerable release and    | Vulnerable |        |             |
    | 1.1     | added the show fpd        | Products,  | Final  | 2020-NOV-04 |
    |         | package command to        | Fixed      |        |             |
    |         | determine the BIOS        | Releases   |        |             |
    |         | version.                  |            |        |             |
    +---------+---------------------------+------------+--------+-------------+
    | 1.0     | Initial public release.   | -          | Final  | 2020-NOV-04 |
    +---------+---------------------------+------------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================