Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3833.3 Cisco IOS XR Software Enhanced Preboot eXecution Environment Unsigned Code Execution Vulnerability 18 November 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco IOS XR Software Publisher: Cisco Systems Operating System: Cisco Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-3284 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2 Revision History: November 18 2020: Vendor updated fixed release section November 6 2020: Vendor issued minor clarifications November 5 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco IOS XR Software Enhanced Preboot eXecution Environment Unsigned Code Execution Vulnerability Priority: High Advisory ID: cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2 First Published: 2020 November 4 16:00 GMT Last Updated: 2020 November 17 20:46 GMT Version 1.2: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvi82550 CSCvq23340 CSCvq31064 CSCvu31574 CVE Names: CVE-2020-3284 CWEs: CWE-284 CVSS Score: 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the enhanced Preboot eXecution Environment (PXE) boot loader for Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to execute unsigned code during the PXE boot process on an affected device. The PXE boot loader is part of the BIOS and runs over the management interface of hardware platforms that are running Cisco IOS XR Software only. The vulnerability exists because internal commands that are issued when the PXE network boot process is loading a software image are not properly verified. An attacker could exploit this vulnerability by compromising the PXE boot server and replacing a valid software image with a malicious one. Alternatively, the attacker could impersonate the PXE boot server and send a PXE boot reply with a malicious file. A successful exploit could allow the attacker to execute unsigned code on the affected device. Note: To fix this vulnerability, both the Cisco IOS XR Software and the BIOS must be upgraded. The BIOS code is included in Cisco IOS XR Software but might require additional installation steps. For further information, see the Fixed Software section of this advisory. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2 Affected Products o Vulnerable Products This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS XR 64-bit Software and the following conditions are met: The product ID (PID) of the device matches one of the PIDs listed in the Fixed Software section of this advisory. The device is running a vulnerable BIOS version. The device uses PXE for network boot. For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Determine the Product ID To check the PID of a device, use the show inventory raw CLI command. The following example shows the output of the command for a device that has the PID NC55-RP: RP/0/RP0/CPU0:router# show inventory raw . . . NAME: "0/RP0", DESCR: "NCS 5500 Route Processor" PID: NC55-RP , VID: V01, SN: SAL1926HRW5 NAME: "0/1/* - cpu", DESCR: "cpu" PID: , VID: V00, SN: SAD093000JR NAME: "0/1/* - cpu - 1.6V_P0", DESCR: "Voltage Sensor" PID: , VID: N/A, SN: . . . If the PID is listed in one of the tables in the Fixed Software section of this advisory, then the device may be vulnerable if it is running a vulnerable BIOS version and is using PXE for network boot. Determine the BIOS Version To determine which BIOS version is running on a device, use the show fpd package CLI command. The following example shows the output for a device that has the PID A9K-RSP880-LT-TR and is running BIOS version 17.16: RP/0/RSP0/CPU0:router# show fpd package Wed Nov 4 21:55:45.713 UTC ======================= ================================================ Field Programmable Device Package ================================================ Card Type FPD Description Type Subtype SW Min Req Min Req Version SW Vers HW Vers ======================= ========================== ==== ======= =========== ======== ========= ASR-9910-BPID2 Can Bus Ctrl (CBC) BP2 bp cbc 7.105 0.00 0.1 Can Bus Ctrl (CBC) BP2 lc cbc 7.105 0.00 0.1 -------------------------------------------------------------------------------------------------------------------- . . . Can Bus Ctrl (CBC) RSP4 lc cbc 50.01 0.00 0.0 MB CPUCtrl lc fpga2 0.13 0.00 0.0 DBCtrl lc fpga3 0.05 0.00 0.0 DBCtrl lc fpga4 0.04 0.00 0.0 A9K-RSP880-LT-TR DBCtrl lc fpga5 0.04 0.00 0.0 Fsbl lc fsbl 1.103 0.00 0.0 LinuxFW lc lnxfw 1.103 0.00 0.0 ROMMONB RSP4L lc rommon 17.16 0.00 0.0 -------------------------------------------------------------------------------------------------------------------- . . . To determine which BIOS version is running on a Network Convergence System 5500 Series Router, use the show hw-module fpd Bootloader CLI command. The following example shows the output for a device that has the PID NC55-RP-E and is running BIOS version 1.20. RP/0/RP0/CPU0:router#show hw-module fpd Bootloader Wed Sep 11 18:43:06.989 UTC FPD Versions ================= Location Card type HWver FPD device ATR Status Running Programd ------------------------------------------------------------------------------ 0/5 NC55-MOD-A-S 0.201 Bootloader CURRENT 1.02 1.02 0/6 NC55-24H12F-SE 0.0 Bootloader NEED UPGD 1.11 1.11 0/RP0 NC55-RP-E 1.1 Bootloader CURRENT 1.20 1.20 0/RP1 NC55-RP-E 1.1 Bootloader CURRENT 1.20 1.20 . . . Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: 8000 Series Routers Carrier Routing System (CRS-X) IOS Software IOS XE Software IOS XR 32-bit Software IOS XR White box (IOSXRWBD) IOS XRv 9000 Router Network Convergence System (NCS) 6000 Series Routers NX-OS Software UCS 6200 Series Fabric Interconnects UCS 6300 Series Fabric Interconnects UCS 6400 Series Fabric Interconnects UCS B-Series Blade Servers UCS C-Series M3 Rack Servers - Standalone UCS C-Series M4 Rack Servers - Standalone UCS C-Series M5 Rack Servers - Managed UCS C-Series M5 Rack Servers - Standalone Details o PXE is included in the network card of the management interface of routers that are running Cisco IOS XR Software and is part of the device BIOS. PXE is used to re-image the system and boot the router in case of boot failure or in the absence of a valid, bootable partition. PXE acts as a bootloader and provides the flexibility to choose the image that the system will boot based on the PID, the serial number, or the management interface MAC address. PXE downloads an ISO image, which is specified as part of the PXE reply from a PXE boot server, installs the ISO contents onto the device, and then transfers control to the installed software image. PXE must be defined in the DHCP server configuration file. For additional information, see Boot using iPXE and Boot the Router Using iPXE . Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases In the following tables, the left column lists the PIDs of Cisco products that may be affected by this vulnerability. The center column lists the first release of Cisco IOS XR 64-bit Software that includes the fix for this vulnerability. The right column lists the first version of the BIOS that includes the fix for this vulnerability. PIDs that are not shown in these tables are not known to be affected by this vulnerability. BIOS versions earlier than the first fixed version are affected by this vulnerability. A fixed BIOS image must be installed on the device in order to fix this vulnerability. The BIOS image is not provided in a standalone package but is embedded in Cisco IOS XR Software. In some cases, the BIOS may not automatically update when Cisco IOS XR Software is upgraded. To check the BIOS version, use the show fpd package or show hw-module fpd Bootloader command, as shown in the Vulnerable Products section. If the BIOS has not been upgraded to a fixed version, as listed below, see Upgrading Field-Programmable Device and use the upgrade hw-module location command to upgrade the BIOS. ASR 9000 Series Route Switch Processor Cisco ASR 9000 First Fixed Release of Cisco IOS First Fixed BIOS Version Series PIDs ^1 XR Software for This for This Vulnerability Vulnerability A9K-RSP880-SE 6.5.2 10.65 A9K-RSP880-TR A99-RP2-SE 6.5.2 14.35 A99-RP2-TR A99-RSP-SE 6.5.2 16.14 A99-RSP-TR A9K-RSP880-LT-SE 6.5.2 17.34 A9K-RSP880-LT-TR ASR-9901-RP 6.5.2 22.20 A99-RP3-SE 6.5.2 30.23 A99-RP3-TR A9K-RSP5-SE 6.5.2 31.20 A9K-RSP5-TR 1. Some PIDs may apply to devices that can run both the 32-bit and 64-bit images of Cisco IOS XR Software. Only the 64-bit image is known to be vulnerable. Network Convergence System 1000 Series Cisco NCS 1000 First Fixed Release of Cisco IOS First Fixed BIOS Version Series PIDs ^1 XR Software for This Vulnerability for This Vulnerability NCS1001 NCS1002 7.1.1 14.60 NCS1004 1. All PIDs and all permutations of each PID for this device are vulnerable. Network Convergence System 540 Routers Cisco NCS 540 PIDs First Fixed Release of Cisco IOS First Fixed BIOS XR Software for This Version for This Vulnerability Vulnerability N540-12Z20G-SYS-A/ D N540-24Z8Q2C-M N540-28Z4C-SYS-A/D N540-ACC-SYS 7.2.1 1.15 N540X-16Z4G8Q2C-A/ D N540X-12Z16G-SYS-A /D Network Convergence System 560 Routers Cisco NCS First Fixed Release of Cisco IOS XR First Fixed BIOS Version 560 PIDs Software for This Vulnerability for This Vulnerability N560-4-SYS ^1 6.6.3 and 7.0.2 0.14 N560-7-SYS ^1 1. All permutations of this PID are vulnerable. Network Convergence System 5000 Series Routers Cisco NCS 5000 First Fixed Release of Cisco IOS First Fixed BIOS Version Series PIDs ^1 XR Software for This Vulnerability for This Vulnerability NCS5001 7.2.1 1.13 NCS5002 NCS5011 7.2.1 1.14 1. All PIDs and all permutations of each PID for this device are vulnerable. Network Convergence System 5500 Series Routers Cisco NCS 5500 First Fixed Release of Cisco IOS First Fixed BIOS Series PIDs ^1 XR Software for This Version for This Vulnerability Vulnerability NC55-RP 6.6.3 9.30 NC55-RP-E NCS-5501 NCS-5501-SE 6.6.3 1.21 NCS-5502 NCS-5502-SE NCS-55A2-MOD-S NCS-55A2-MOD-HD-S NCS-55A2-MOD-HX-S NCS-55A2-MOD-SE-S NCS-55A2-MOD-SE-H-S 6.6.3 1.12 NCS-55A1-36H-SE-S NCS-55A1-36H-S NCS-55A1-24H NCS55-A1-48Q6H NCS-55A1-24Q6H-S 1. NC55-RP2-E is not vulnerable. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found by Martin Ramsdale of Cisco during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2 Revision History o +---------+---------------------------+------------+--------+-------------+ | Version | Description | Section | Status | Date | +---------+---------------------------+------------+--------+-------------+ | 1.2 | Removed 6.6.25 as a fixed | Fixed | Final | 2020-NOV-17 | | | release. | Releases | | | +---------+---------------------------+------------+--------+-------------+ | | Clarified the first | | | | | | vulnerable release and | Vulnerable | | | | 1.1 | added the show fpd | Products, | Final | 2020-NOV-04 | | | package command to | Fixed | | | | | determine the BIOS | Releases | | | | | version. | | | | +---------+---------------------------+------------+--------+-------------+ | 1.0 | Initial public release. | - | Final | 2020-NOV-04 | +---------+---------------------------+------------+--------+-------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX7RxueNLKJtyKPYoAQh+4Q//dDknr+PBwVGkyUJvRDWRK+mBXkstx3yF biEn5h0SZS+d99VFierLt4JrEmLuAnue2KzqsFpMpJa8rKQqkjZKVs8XVq6y+Jq+ Nd5whu4MyFRyDvk+w/oI6rRtGnIwMP54hNRUwHQU+yaJ3K/1oEwk9q7+XDiMqUmM 9Kl5OeDmjPKAAQVh8EJh1hcQ1WJHe2nGO6R8R48HfnGr7cI9HGoL4wNcieZ9n1lG sgfdCe9BR1MOyfifulwTNW1hAe2WfjyCnv5EFI1jnqWu1vp/yw3L0NIIfuG98ydL YCx/gsCCBu6QR9VL6EVZrB3wN9PkUN7pkZOQ9znp+CDlCDLNddmc6Ixlu69RomEi FRC5JyEseHE4MemaXgbJMYN+EqX3tlXuqXz56SzO4zVy3DNwwLB1eq7mkgnMnBrs kPyyQV5W+FCZs8zzKqU7J+eBqGbpBL73jSbpgtr5qaWGYUHbMGDc/n2X4TLBTo8y diVEh9L60V21N8wzmrx9HHHySczf0vt5u09kCmNEDuLfCs8BuGANUqNSan3CHZqw P08ClPBCEpqM8DGc3Bm+euWlL05vzxpRNj1ZHsPhSXVnX1/yEE1yDgeATHptCt8+ pFkcSS8ZcBC68BkZuezZOlye2Ymjhjm2qY+8EBQiGXoyRhAeaGBn8+g61vpF+aW8 uKoYjSS+rjc= =bs6h -----END PGP SIGNATURE-----