Cisco urges admins to patch IOS XR zero-day exploited in attacks

Cisco has addressed a zero-day vulnerability in its IOS XR router software that allowed unauthenticated attackers to remotely access Redis instances running in NOSi Docker containers.

The IOS XR Network OS is deployed on multiple Cisco router platforms, including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.

The bug (tracked as CVE-2022-20821) was discovered during the resolution of a Cisco TAC (Technical Assistance Center) support case.

"This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port," Cisco explained.

"A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database."

Luckily, even if attackers successfully exploit this vulnerability, they will not be able to execute code remotely or compromise the host system's integrity because the Redis instance runs in a sandboxed container.

While the flaw only affects Cisco 8000 Series routers where the health check RPM is installed and active, Cisco urged customers in an advisory published Friday to patch or apply workarounds on appliances running vulnerable software.

"In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild," the company said.

"Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability."

Workarounds available

The networking vendor also provides workarounds for customers who cannot immediately apply security updates to mitigate the CVE-2022-20821 vulnerability.

The first workaround requires admins to disable the health check and remove the health check RPM from vulnerable devices. To find if a device is affected, you need to issue the run docker ps command and look for a docker container named NOSi.

Admins can also use an Infrastructure Access Control List (iACLs) to block port 6379, the port attackers would target to gain access to the exposed Redis instance.

"Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations," Cisco said.

"Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment."

Previously, Cisco fixed NFVIS bugs that can let unauthenticated attackers run commands with root privileges remotely and a Cisco Umbrella Virtual Appliance (VA) that allowed remote unauthenticated attackers to steal admin credentials.