External risk intelligence

Cisco IOS XR Network Device Data Access Vulnerability

CVE advisory | Known Exploit

CVE-2022-20821

A vulnerability in Cisco IOS XR Software's health check feature could allow unauthorized remote access to an internal Redis database. This exposure may enable attackers to modify data or access information within the containerized environment, posing a risk to data integrity and confidentiality. The impact is contained

Halo Surface Signal: 2

Information Disclosure

Cisco IOS XR

External exposure likelihood

Halo Surface Signal score for CVE-2022-20821

The vulnerability affects a Redis instance running within a specialized container (NOSi) on Cisco IOS XR network infrastructure. While it opens a network-accessible port (TCP 6379), these devices are typically managed infrastructure components designed to operate within isolated management networks, not public-facing services.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability within Cisco IOS XR Software's health check feature can expose an internal Redis database to unauthorized remote access. This flaw allows attackers to interact with the Redis instance, potentially leading to unauthorized data modification or information disclosure within the containerized environment. While the vulnerability is contained within a sandbox and does not permit system-level compromise or remote code execution on the host, it could still impact the integrity and confidentiality of data processed by the affected component.

  • Vulnerable component: Cisco IOS XR health check
  • Core weakness: Unauthenticated access to Redis
  • Main business impact: Unauthorized data access or modification

Attack Path

How an attacker could exploit the issue

A vulnerability within Cisco IOS XR Software's health check feature could enable an attacker to access a Redis instance. This occurs because the health check process activates TCP port 6379 by default, making the Redis instance accessible. An attacker could then connect to this open port. Successful exploitation allows the attacker to modify the Redis in-memory database, write files to the container's filesystem, and obtain information about the Redis database. However, the container's sandboxed environment prevents remote code execution or compromise of the host system.

  • Exposed by activated health check RPM.
  • Attacker connects to open Redis port.
  • Attacker modifies database and writes files.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an unauthenticated attacker to access a Redis instance within a container on Cisco IOS XR software. While the attacker can read information, write to the in-memory database, and write arbitrary files to the container's file system, they cannot execute remote code or compromise the host system. The risk is mitigated by the sandboxed nature of the container, limiting the potential impact to the container itself.

  • Attacker skill level: Low
  • Required access or conditions: Network access to the affected device.
  • Business risk or urgency: Low

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability may allow an unauthenticated, remote attacker to access a Redis instance running within a container on Cisco IOS XR Software. This access could permit the attacker to write arbitrary files to the container's filesystem or retrieve information about the Redis database. Exploitation is possible if the health check RPM is activated, which opens TCP port 6379. Given the limited scope of the container, remote code execution or compromise of the host system is not expected.

  • Identify Cisco IOS XR systems with activated health check RPM.
  • Restrict network access to TCP port 6379.
  • Apply vendor updates and monitor for related activity.
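As an added example (not part of this advisory or any Cisco tooling), the Python script below applies the "restrict and monitor" steps above to constructed flow-log lines: it flags every TCP/6379 connection attempt against listed IOS XR devices, and rates an allowed attempt from outside an assumed management allowlist as high. The log format, device addresses and management prefix are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample flow records for traffic reaching router management
# interfaces (not real data from any device).
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=10.20.0.15 dst=10.10.0.1 proto=tcp dport=22 action=allow
2024-05-01T10:00:07Z src=10.20.0.15 dst=10.10.0.1 proto=tcp dport=6379 action=allow
2024-05-01T10:01:12Z src=198.51.100.77 dst=10.10.0.2 proto=tcp dport=6379 action=allow
2024-05-01T10:01:40Z src=10.30.9.4 dst=10.10.0.2 proto=tcp dport=6379 action=deny
2024-05-01T10:02:03Z src=10.20.0.16 dst=10.10.0.3 proto=tcp dport=443 action=allow
"""

REDIS_PORT = 6379  # port opened by the IOS XR health check RPM (CVE-2022-20821)
# Assumed (constructed) management prefix and IOS XR device addresses.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
IOS_XR_DEVICES = {"10.10.0.1", "10.10.0.2", "10.10.0.3"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def is_mgmt_source(src: str) -> bool:
    """True if the source address falls inside the management allowlist."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_ALLOWLIST)

def find_redis_exposure(log_text: str) -> list[dict]:
    """One finding per TCP/6379 attempt against an IOS XR device; any hit means
    the Redis port is reachable, an allowed non-management source is rated high."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != REDIS_PORT:
            continue
        if m["dst"] not in IOS_XR_DEVICES:
            continue  # port 6379 on a non-router host is out of scope here
        allowed = m["action"] == "allow"
        severity = "high" if allowed and not is_mgmt_source(m["src"]) else "medium"
        findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "action": m["action"], "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_redis_exposure(SAMPLE_FLOWS):
        print(f"{f['severity'].upper():6} {f['ts']} {f['src']} -> {f['dst']}:6379 ({f['action']})")
```

Even a denied attempt is reported, because it shows the port is being probed on a device where the health check RPM may be active.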

Frequently asked questions

What is Cisco IOS XR Software and what is it used for?

Cisco IOS XR is a network operating system used in various Cisco network devices. It powers routers and other networking hardware, managing the flow of data across networks and ensuring reliable internet connectivity for businesses and service providers.

What is CVE-2022-20821 and what type of weakness is it?

CVE-2022-20821 is a vulnerability in Cisco IOS XR's health check feature. It falls under the weakness class CWE-200, meaning it involves exposing information to an unauthorized actor. Specifically, it allows an attacker to access a Redis database running in a container.

How can an attacker exploit the CVE-2022-20821 vulnerability?

An attacker can exploit this vulnerability by connecting to a specific network port (TCP 6379) that is opened by the health check feature when it's activated. No special access or credentials are required, as long as the attacker has network access to the affected device.

Who should be concerned about CVE-2022-20821?

Organizations using Cisco IOS XR software should be aware of this vulnerability. According to Halo Surface Signal analysis, the vulnerability is classified as external because it's reachable over the network. This means systems that are internet-facing or accessible from less trusted internal networks are at a higher risk.

What is the first step to address this vulnerability in Cisco IOS XR?

The initial step for administrators is to identify which Cisco IOS XR systems have the health check RPM feature activated. They should also consider restricting network access to TCP port 6379 on these devices and plan to apply any available updates from Cisco.
