Cisco has patched a zero-day flaw in its IOS XR router software that allowed unauthenticated attackers to access Redis instances running in NOSi Docker containers. Several Cisco router platforms, including the NCS 540 and 560, NCS 5500, 8000, and ASR 9000 series routers, run the IOS XR network operating system. The flaw, tracked as CVE-2022-20821, was discovered during the resolution of a Cisco TAC (Technical Assistance Centre) support case, and Cisco said it was aware of attempted exploitation in the wild. "The health check RPM opens TCP port 6379 by default when it is on, which creates this vulnerability. By connecting to the Redis instance on the open port, an attacker might exploit this vulnerability," Cisco explained.
"An attacker might write to the Redis in-memory database, write arbitrary files to the container filesystem, and obtain information about the Redis database if the exploit is successful." Because the Redis instance runs in a sandboxed container, a successful attacker cannot execute code on the router or compromise the integrity of the IOS XR host system. The problem affects only Cisco 8000 Series routers with the health check RPM installed and active; in an advisory published Friday, Cisco advised customers running vulnerable software to install the fix or apply the workarounds.
Workarounds available

Customers who cannot install the security update for CVE-2022-20821 can use the workarounds provided by Cisco. The first is to disable the health check and remove the health check RPM from affected devices. To determine whether a device is affected, run docker ps from the router's shell and look for a container named NOSi. Alternatively, admins can use Infrastructure Access Control Lists (iACLs) to block inbound traffic to TCP port 6379, Redis's default port and the port an attacker would use to reach the exposed instance.
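As an added example (not Cisco's tooling, and not text from the advisory), the shell script below automates the two checks just described and renders an IOS XR ACL stanza for the second workaround. The docker ps and ss -ltn output it reads is constructed sample data so that it runs offline; the ACL name DENY-REDIS-6379 and the interface name HundredGigE0/0/0/0 are placeholders to replace with your own. On a router you would feed it the real output of run docker ps and a listening-socket listing from the same shell.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-20821 (not Cisco's tooling). It automates the two
# manual checks from the write-up above: does `docker ps` show a container named NOSi,
# and is anything listening on TCP/6379 (the Redis default port)? It also renders an
# IOS XR ACL stanza that drops inbound TCP/6379. All command output below is a
# CONSTRUCTED sample so the script runs offline; on a router, pipe in the real output
# of `run docker ps` and `run ss -ltn` (or netstat) instead.

# Constructed `docker ps` output for a device with the health check RPM active.
SAMPLE_DOCKER_PS='CONTAINER ID   IMAGE         COMMAND                 CREATED      STATUS      PORTS   NAMES
3f9c1a2b4d5e   nosi:latest   "/usr/bin/entrypoint"   3 days ago   Up 3 days           NOSi
7a8b9c0d1e2f   helper:1.0    "/bin/sh -c run.sh"     3 days ago   Up 3 days           sysadmin_helper'

# Constructed `ss -ltn` output: Redis bound to all interfaces, i.e. reachable from the network.
SAMPLE_SS_EXPOSED='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*'

# Constructed `ss -ltn` output: Redis bound to loopback only (not reachable remotely).
SAMPLE_SS_LOOPBACK='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*'

# Exit 0 if a container named exactly "NOSi" appears in `docker ps` output on stdin.
# NAMES is the last column; match it exactly so that e.g. "NOSi_backup" does not count.
nosi_container_present() {
    awk 'NR > 1 && $NF == "NOSi" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Classify TCP/6379 listeners in `ss -ltn` output on stdin and print one word:
#   exposed  - bound to a non-loopback address (0.0.0.0, [::], or a specific interface)
#   loopback - bound only to 127.0.0.1 / [::1]
#   none     - no listener on 6379
redis_listener_exposure() {
    awk '$1 == "LISTEN" && $4 ~ /:6379$/ {
             addr = $4; sub(/:6379$/, "", addr)
             if (addr == "127.0.0.1" || addr == "[::1]") { if (state == "") state = "loopback" }
             else state = "exposed"
         }
         END { print (state == "" ? "none" : state) }'
}

# Print an IOS XR ACL that drops inbound TCP/6379 and applies it ingress on each interface
# given. The ACL name and interface names are placeholders. In production, fold the deny
# entry into the existing iACL on untrusted-facing interfaces instead of deploying the
# permit-any catch-all shown here.
render_iacl() {
    acl_name=$1; shift
    printf 'ipv4 access-list %s\n' "$acl_name"
    printf ' 10 deny tcp any any eq 6379\n'
    printf ' 20 permit ipv4 any any\n'
    printf '!\n'
    for intf in "$@"; do
        printf 'interface %s\n' "$intf"
        printf ' ipv4 access-group %s ingress\n' "$acl_name"
        printf '!\n'
    done
}

# Run both checks on the given `docker ps` and `ss -ltn` text. Exit 0 only when the NOSi
# container is running AND Redis is listening on a network-reachable address.
triage() {
    docker_out=$1; ss_out=$2
    exposure=$(printf '%s\n' "$ss_out" | redis_listener_exposure)
    if printf '%s\n' "$docker_out" | nosi_container_present; then
        printf 'NOSi container running; TCP/6379 listener: %s\n' "$exposure"
        if [ "$exposure" = "exposed" ]; then return 0; fi
        return 1
    fi
    printf 'no NOSi container; TCP/6379 listener: %s\n' "$exposure"
    return 1
}

# Stand-alone run against the constructed samples: prints the verdict and, if exposed,
# the ACL stanza for a placeholder interface.
triage "$SAMPLE_DOCKER_PS" "$SAMPLE_SS_EXPOSED" && render_iacl DENY-REDIS-6379 HundredGigE0/0/0/0
```

Re-run the two checks after installing the fix or removing the RPM to confirm that both the NOSi container and the TCP/6379 listener are gone; a listener bound only to loopback is reported separately because it is not reachable by the remote attacker the advisory describes.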
Cisco cautions that, depending on a customer's deployment scenario and its constraints, any workaround or mitigation may negatively affect network functionality or performance, and that customers should evaluate a workaround's applicability and potential impact in their own environment before deploying it. Cisco had previously patched NFVIS flaws that let unauthenticated attackers remotely run commands with root privileges, and a Cisco Umbrella Virtual Appliance (VA) bug that allowed remote unauthenticated attackers to steal admin credentials.