Cisco prompts admins to patch IOS XR zero-day exploited in attacks

Cisco has patched a zero-day vulnerability in its IOS XR router software that allowed unauthenticated attackers to remotely access Redis instances running in NOSi Docker containers.

The IOS XR network operating system runs on multiple Cisco router platforms, including the NCS 540 and 560, NCS 5500, 8000, and ASR 9000 series routers.

The bug (tracked as CVE-2022-20821) was identified while resolving a Cisco TAC (Technical Assistance Center) support case.

Cisco explained that the vulnerability exists because the health check RPM opens TCP port 6379 by default when it is activated. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port.

They also stated that a successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database.

Even if attackers successfully exploit this vulnerability, they will not be able to execute code remotely or compromise the host system's integrity, because the Redis instance runs in a sandboxed container. The impact is confined to that container, but since the attacker can write arbitrary files inside it, a device whose Redis port was reachable from untrusted networks should still be treated as potentially tampered with.

Although the flaw only affects Cisco 8000 Series routers on which the health check RPM is installed and active, Cisco urged customers in an advisory published Friday to patch or apply workarounds on devices running vulnerable software.

The company said that in May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild.

Cisco strongly recommends that customers apply an appropriate workaround or upgrade to a fixed software release to remediate this vulnerability.

Workarounds available

The networking vendor also provides workarounds for customers who cannot immediately apply the security updates that address CVE-2022-20821.

The first workaround requires admins to disable the health check and remove the health check RPM from vulnerable devices. To determine whether a device is affected, issue the run docker ps command from the IOS XR CLI and look for a Docker container named NOSi.

Admins can also use an infrastructure access control list (iACL) to block TCP port 6379, the port attackers would target to reach the exposed Redis instance. An iACL only filters traffic arriving on the interfaces where it is applied; the Redis listener itself stays open until the health check is disabled and the RPM removed, so the two workarounds are best used together.
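To make the checks above repeatable, here is an added example (written for this article, not Cisco's code and not taken from the advisory) of a small Python triage helper. It parses captured run docker ps output for the NOSi container, renders an iACL snippet in standard IOS XR ipv4 access-list syntax, and verifies a mitigation by sending a single RESP PING to port 6379 and reading one reply. The sample docker ps output is constructed, the ACL name and interface names are placeholders, and the port check assumes you are permitted to probe the device from your management network; confirm the ACL syntax against your IOS XR release before applying it.

```python
"""Triage helpers for CVE-2022-20821 exposure on IOS XR devices.

Added example, not Cisco code.  Assumptions:
  - `docker ps` output has been captured from the router via `run docker ps`
  - the IOS XR iACL syntax below matches your release (check before applying)
  - probing TCP/6379 on the device is permitted on your network
"""
import socket
from typing import List, Optional

REDIS_PORT = 6379
CONTAINER_NAME = "NOSi"  # health-check container name given in the advisory

# Constructed sample of `run docker ps` output on an affected 8000 Series router.
SAMPLE_DOCKER_PS = """\
CONTAINER ID   IMAGE         COMMAND                 CREATED      STATUS      PORTS   NAMES
3f1c2a9b7d1e   nosi:latest   "/usr/bin/entrypoint"   2 days ago   Up 2 days           NOSi
"""


def nosi_container_present(docker_ps_output: str) -> bool:
    """Return True if a container named exactly NOSi appears in `docker ps` output.

    NAMES is the last column and may hold several comma-separated names, so
    match whole tokens: a container called 'NOSi-old' must not count.
    """
    for line in docker_ps_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if cols and CONTAINER_NAME in cols[-1].split(","):
            return True
    return False


def iacl_config(acl_name: str, interfaces: List[str]) -> str:
    """Render an IOS XR infrastructure ACL that drops inbound TCP/6379.

    The trailing 'permit ipv4 any any' keeps existing traffic flowing for the
    example; replace it with your real iACL policy.  Interface names are
    placeholders supplied by the caller.
    """
    lines = [
        f"ipv4 access-list {acl_name}",
        f" 10 deny tcp any any eq {REDIS_PORT}",
        " 20 permit ipv4 any any",
        "!",
    ]
    for ifname in interfaces:
        lines += [f"interface {ifname}", f" ipv4 access-group {acl_name} ingress", "!"]
    return "\n".join(lines) + "\n"


def parse_resp_simple_string(data: bytes) -> Optional[str]:
    """Decode a RESP simple-string reply (b'+PONG\\r\\n' -> 'PONG').

    Anything else (errors such as -NOAUTH, bulk strings, truncated reads)
    returns None so the caller treats it as 'not an open, unauthenticated Redis'.
    """
    if data.startswith(b"+") and data.endswith(b"\r\n"):
        return data[1:-2].decode("ascii", "replace")
    return None


def redis_exposed(host: str, port: int = REDIS_PORT, timeout: float = 3.0) -> bool:
    """Return True if an unauthenticated Redis answers PING on host:port.

    This is a reachability check for confirming a workaround took effect, not
    an exploit: it sends one PING (RESP array form) and reads one reply.  A
    connection refused/timeout (iACL in place, RPM removed) yields False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"*1\r\n$4\r\nPING\r\n")
            reply = sock.recv(64)
    except OSError:
        return False
    return parse_resp_simple_string(reply) == "PONG"


if __name__ == "__main__":
    print("NOSi container in sample output:", nosi_container_present(SAMPLE_DOCKER_PS))
    print(iacl_config("BLOCK-REDIS", ["HundredGigE0/0/0/0"]))  # placeholder interface
```

Feed nosi_container_present the text captured from run docker ps on each router; any device that returns True and still answers redis_exposed from outside the management network is one where the health check has not yet been disabled or the iACL is not applied on the right interface.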

Cisco users should be aware that any workaround or mitigation they apply may negatively impact the functionality or performance of their network, depending on their deployment scenarios and limitations.

Customers should not deploy any workarounds or mitigations before first evaluating their applicability to their own environment and any impact on it.

Previously, Cisco fixed NFVIS bugs that could allow unauthenticated attackers to remotely run commands with root privileges, and a Cisco Umbrella Virtual Appliance (VA) flaw that allowed remote unauthenticated attackers to steal admin credentials.