Cisco 8000 Series Routers Flaw Actively Exploited in the Wild


Cisco Inc., one of the network equipment manufacturing giants on the market, released a security advisory last Friday for a flaw in Cisco IOS XR Software running on 8000 Series routers.

CVE-ID: CVE-2022-20821
CVSS: 6.5
Weakness: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Description: Cisco IOS XR Software Health Check Open Port Vulnerability
Vulnerability details

“A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.” – as stated in the Cisco advisory.

Source: cisco.com

Currently, this vulnerability affects Cisco 8000 Series routers only if they are running a vulnerable release of Cisco IOS XR Software and have the health check RPM installed and active.

Cisco IOS XR Release                  First Fixed Release
7.2 and earlier                       Not affected
7.3.15, 7.3.16, 7.3.1, and 7.3.2      Not affected
7.3.3                                 7.3.41
7.4                                   Not affected
7.5.1                                 Not affected
7.5.2                                 Not affected
7.6                                   Not affected
Affected Cisco IOS XR Versions and Fixes, Source: cisco.com

Technical Analysis

The reported vulnerability is present in the health check RPM component of Cisco IOS XR Software. The component is enabled by default and opens TCP port 6379 to provide remote monitoring functionality. This port is used by a Redis instance, running inside an isolated sandbox container, to store the device health check details.

An attacker with network access to the device could exploit this vulnerability by connecting to the Redis instance on the open port, assuming no access control (such as an ACL) is in place. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database.

The good news is that Cisco assured its customers that “Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.” In other words, unless the attacker can find a new or existing sandbox escape vulnerability on the same devices, a malicious actor will not be able to fully compromise the router.

Although the vulnerable Cisco IOS XR Software also runs on ASR 9000 Series, NCS 5700/5500 Series, and NCS 540/560 Series routers, no exploitation attempts against these devices have been clearly reported as of now.

Detections and Mitigations

Execute the run docker ps command in the CLI and check whether the output lists a Docker container named NOSi; if it does, your device is vulnerable.

RP/0/RP0/CPU0:8000#run docker ps
Wed May 18 04:54:52.502 UTC
CONTAINER ID    IMAGE         COMMAND                 CREATED          STATUS       PORTS  NAMES
54307e434f29    nosi:latest   "docker-entrypoint.s…"  9 seconds ago    Up 8 seconds        NOSi
RP/0/RP0/CPU0:8000#
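When the check above has to be repeated across a fleet, the transcript is usually captured from a script rather than read by eye. The following Python helper, added here as an example and not Cisco's code, parses the docker ps table by the column offsets of its header line (splitting on whitespace fails because the PORTS column is empty for this container) and reports whether a NOSi container is present. The sample transcript is constructed from the CLI output shown in the article; the prompt format and column spacing are assumed to match what the device prints.

```python
"""Detect the NOSi health-check container (CVE-2022-20821) in captured
`run docker ps` output from a Cisco IOS XR 8000 Series router.

Added example, not Cisco's code. The transcript below is constructed from
the article's CLI output; prompt format and spacing are assumptions."""
import re
from typing import Dict, List, Optional

# Constructed sample: the CLI transcript as captured from a terminal session,
# including the command echo, the timestamp line and the trailing prompt.
SAMPLE_OUTPUT = """\
RP/0/RP0/CPU0:8000#run docker ps
Wed May 18 04:54:52.502 UTC
CONTAINER ID    IMAGE         COMMAND                 CREATED          STATUS       PORTS  NAMES
54307e434f29    nosi:latest   "docker-entrypoint.s…"  9 seconds ago    Up 8 seconds        NOSi
RP/0/RP0/CPU0:8000#
"""


def parse_docker_ps(output: str) -> List[Dict[str, str]]:
    """Parse docker ps table output into rows keyed by header name.

    docker ps pads every column to a fixed width, so the character offset at
    which each header word starts is also where that column starts in every
    data row. Slicing rows by those offsets keeps empty columns (PORTS here)
    in place, which naive whitespace splitting would silently drop."""
    lines = output.splitlines()
    header_idx = next(
        (i for i, line in enumerate(lines) if line.startswith("CONTAINER ID")), None
    )
    if header_idx is None:
        return []
    # Header words separated by a single space ("CONTAINER ID") belong to one
    # column; runs of two or more spaces separate columns.
    columns = [
        (m.group(0), m.start()) for m in re.finditer(r"\S+(?: \S+)*", lines[header_idx])
    ]
    rows: List[Dict[str, str]] = []
    for line in lines[header_idx + 1:]:
        if not line.strip():
            continue
        if line.rstrip().endswith("#"):  # assumed: a CLI prompt ends the table
            break
        row: Dict[str, str] = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else len(line)
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def find_health_check_container(output: str) -> Optional[Dict[str, str]]:
    """Return the NOSi container row if present, else None.

    The advisory identifies the container by the name NOSi, so we match on the
    NAMES column rather than on the image tag."""
    for row in parse_docker_ps(output):
        if row.get("NAMES", "").lower() == "nosi":
            return row
    return None


def is_vulnerable(output: str) -> bool:
    """True when the health-check container is running on the device."""
    return find_health_check_container(output) is not None


if __name__ == "__main__":
    hit = find_health_check_container(SAMPLE_OUTPUT)
    if hit:
        print(f"NOSi container running (id {hit['CONTAINER ID']}, image {hit['IMAGE']}): "
              "health check RPM active, apply one of the mitigations below")
    else:
        print("No NOSi container found")
```

Feed the function the raw session capture (for example, what a Netmiko or paramiko session returns for the command); the timestamp line and prompts are skipped, and an empty table yields no rows.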

There are three ways to mitigate this vulnerability if your organization's routers are affected.

Option 1: Disable health check and explicitly disable its use cases

Step 1: Disable the health check function and its use cases

RP/0/RP0/CPU0:8000(config)#no healthcheck enable 
RP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable 
RP/0/RP0/CPU0:8000(config)#commit  
RP/0/RP0/CPU0:8000#

Step 2: Remove the health check RPM from the device

RP/0/RP0/CPU0:8000#install package remove xr-healthcheck
Wed May 18 05:00:08.060 UTC
Install remove operation 5.2.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#
RP/0/RP0/CPU0:8000#install apply restart
Wed May 18 05:01:08.842 UTC
Install apply operation 5.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#

Option 2: Use an Infrastructure Access Control List (iACL) to block port 6379

To exploit this vulnerability, the attacker needs to reach TCP port 6379 on the vulnerable device. Network or security administrators can therefore construct an iACL that explicitly permits only authorized traffic to infrastructure devices, in line with existing security policies and configurations.

As a best practice, iACLs should be deployed in the ingress direction on all interfaces on which an IP address is configured.
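The iACL itself is written on the router, but the policy it encodes (only authorized sources may reach infrastructure addresses, and nothing else may reach TCP 6379) can also be audited from flow records to confirm the ACL is doing its job or to find exposure before it is deployed. The Python audit below is an added example, not part of the article or Cisco's tooling; the management prefixes, infrastructure prefixes and flow records are all constructed, and the comma-separated flow format is an assumption standing in for whatever your flow collector exports.

```python
"""Audit flow records against the iACL policy for CVE-2022-20821.

Added example, not Cisco's code. Addresses, prefixes and the flow export
format are constructed assumptions; adapt them to your collector."""
import ipaddress
from typing import Dict, List, Tuple

REDIS_PORT = 6379  # health-check Redis port named in the advisory

# Constructed: loopback/management prefixes of the routers being protected.
INFRASTRUCTURE = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed: the only sources the iACL permits to reach infrastructure devices.
AUTHORIZED_SOURCES = [ipaddress.ip_network("198.51.100.0/27")]

# Constructed sample flow export, one flow per line: src,dst,proto,dport
SAMPLE_FLOWS = """\
# src,dst,proto,dport
198.51.100.5,192.0.2.1,tcp,22
203.0.113.77,192.0.2.1,tcp,6379
198.51.100.9,192.0.2.2,tcp,6379
203.0.113.78,192.0.2.2,udp,161
203.0.113.79,198.51.100.250,tcp,6379
"""

Flow = Dict[str, object]


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed CSV export, skipping blank and comment lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)})
    return flows


def _in_any(addr: ipaddress._BaseAddress, nets) -> bool:
    return any(addr in net for net in nets)


def audit_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every flow the iACL policy should have dropped.

    Any flow from a non-authorized source to an infrastructure address is a
    policy violation; flows to the Redis port are tagged separately because
    they are the ones that matter for this advisory. Flows to non-infrastructure
    destinations are out of scope for an iACL and are ignored."""
    findings: List[Tuple[Flow, str]] = []
    for flow in flows:
        dst = ipaddress.ip_address(str(flow["dst"]))
        src = ipaddress.ip_address(str(flow["src"]))
        if not _in_any(dst, INFRASTRUCTURE) or _in_any(src, AUTHORIZED_SOURCES):
            continue
        if flow["proto"] == "tcp" and flow["dport"] == REDIS_PORT:
            findings.append((flow, "unauthorized access to health-check Redis port"))
        else:
            findings.append((flow, "unauthorized access to infrastructure device"))
    return findings


def redis_exposure(flows: List[Flow]) -> List[Flow]:
    """Only the findings that hit TCP 6379, for quick triage."""
    return [f for f, reason in audit_flows(flows) if reason.startswith("unauthorized access to health-check")]


if __name__ == "__main__":
    for flow, reason in audit_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow['src']} -> {flow['dst']} {flow['proto']}/{flow['dport']}: {reason}")
```

In the constructed sample, the authorized host reaching 6379 is not reported (the iACL permits it), the external host reaching 6379 on a router is the finding that this advisory is about, and the SNMP flow from an external host is reported as well because an iACL protects the whole device, not just one port.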


Option 3: Upgrade to a fixed software release

At the time of writing, a fix is available only for vulnerable release 7.3.3; customers running other vulnerable releases can expect a patch to follow.

References & Credits

Cisco IOS XR Software Health Check Open Port Vulnerability

Note: This article is created solely to educate professionals in the cyber frontline to prepare for the old and new threats.
