cvelistv5 - CVE-2022-20821

CVE-2022-20821

Vulnerability from cvelistv5

Published

2022-05-26 14:00

Modified

2024-10-29 16:11

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.

References

▼	URL	Tags
	psirt@cisco.com	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK	Vendor Advisory

Impacted products

	Vendor	Product	Version
	Cisco	Cisco IOS XR Software	Version: n/a

CISA Known exploited vulnerability

Data from the Known Exploited Vulnerabilities Catalog

Date added: 2022-05-23

Due date: 2022-06-13

Required action: Apply updates per vendor instructions.

Used in ransomware: Unknown

Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-20821

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T02:24:49.991Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "20220520 Cisco IOS XR Software Health Check Open Port Vulnerability",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_CISCO",
                     "x_transferred",
                  ],
                  url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-20821",
                        options: [
                           {
                              Exploitation: "active",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-29T16:11:07.480784Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
               {
                  other: {
                     content: {
                        dateAdded: "2022-05-23",
                        reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2022-20821",
                     },
                     type: "kev",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-29T16:11:35.841Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "Cisco IOS XR Software",
               vendor: "Cisco",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2022-05-20T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.",
            },
         ],
         exploits: [
            {
               lang: "en",
               value: "In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-05-26T14:00:31",
            orgId: "d1c1063e-7a18-46af-9102-31f8928bc633",
            shortName: "cisco",
         },
         references: [
            {
               name: "20220520 Cisco IOS XR Software Health Check Open Port Vulnerability",
               tags: [
                  "vendor-advisory",
                  "x_refsource_CISCO",
               ],
               url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
            },
         ],
         source: {
            advisory: "cisco-sa-iosxr-redis-ABJyE5xK",
            defect: [
               [
                  "CSCwb82689",
               ],
            ],
            discovery: "INTERNAL",
         },
         title: "Cisco IOS XR Software Health Check Open Port Vulnerability",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "psirt@cisco.com",
               DATE_PUBLIC: "2022-05-20T23:00:00",
               ID: "CVE-2022-20821",
               STATE: "PUBLIC",
               TITLE: "Cisco IOS XR Software Health Check Open Port Vulnerability",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Cisco IOS XR Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Cisco",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.",
                  },
               ],
            },
            exploit: [
               {
                  lang: "en",
                  value: "In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.",
               },
            ],
            impact: {
               cvss: {
                  baseScore: "6.5",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-200",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "20220520 Cisco IOS XR Software Health Check Open Port Vulnerability",
                     refsource: "CISCO",
                     url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
                  },
               ],
            },
            source: {
               advisory: "cisco-sa-iosxr-redis-ABJyE5xK",
               defect: [
                  [
                     "CSCwb82689",
                  ],
               ],
               discovery: "INTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "d1c1063e-7a18-46af-9102-31f8928bc633",
      assignerShortName: "cisco",
      cveId: "CVE-2022-20821",
      datePublished: "2022-05-26T14:00:31.613559Z",
      dateReserved: "2021-11-02T00:00:00",
      dateUpdated: "2024-10-29T16:11:35.841Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      cisa_known_exploited: {
         cveID: "CVE-2022-20821",
         cwes: "[\"CWE-923\"]",
         dateAdded: "2022-05-23",
         dueDate: "2022-06-13",
         knownRansomwareCampaignUse: "Unknown",
         notes: "https://nvd.nist.gov/vuln/detail/CVE-2022-20821",
         product: "IOS XR",
         requiredAction: "Apply updates per vendor instructions.",
         shortDescription: "Cisco IOS XR software health check opens TCP port 6379 by default on activation. An attacker can connect to the Redis instance on the open port and allow access to the Redis instance that is running within the NOSi container.",
         vendorProject: "Cisco",
         vulnerabilityName: "Cisco IOS XR Open Port Vulnerability",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2022-20821\",\"sourceIdentifier\":\"psirt@cisco.com\",\"published\":\"2022-05-26T14:15:08.123\",\"lastModified\":\"2025-02-24T15:24:27.177\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el RPM de comprobación de salud del software Cisco IOS XR podría permitir a un atacante remoto no autenticado acceder a la instancia de Redis que es ejecutado dentro del contenedor NOSi. Esta vulnerabilidad se presenta porque el RPM de comprobación de salud abre el puerto TCP 6379 por defecto al activarse. Un atacante podría explotar esta vulnerabilidad al conectarse a la instancia de Redis en el puerto abierto. Una explotación con éxito podría permitir al atacante escribir en la base de datos en memoria de Redis, escribir archivos arbitrarios en el sistema de archivos del contenedor y recuperar información sobre la base de datos de Redis. Dada la configuración del contenedor con sandbox en el que es ejecutada la instancia de Redis, un atacante remoto no podría ejecutar código remoto ni abusar de la integridad del sistema anfitrión del software Cisco IOS XR\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-05-23\",\"cisaActionDue\":\"2022-06-13\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Cisco IOS XR Open Port Vulnerability\",\"weaknesses\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:cisco:ios_xr:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"92587AA0-BDB6-4594-8F14-DC2A91FA4CD6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:8201:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D8E7FFF-82A8-4ECB-BA0C-CBF0C2FDA3A3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:8202:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"87DC4C2F-01C5-4D89-8D79-E5D28EDAD0F2\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:8208:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A34DAD43-0C95-4830-8078-EFE3E6C0A930\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:8212:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46F5CBF0-7F55-44C0-B321-896BDBA22679\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:8218:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D381E343-416F-42AF-A780-D330954F238F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a1-24h:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8D61548-61B4-4B53-8574-9DB92B00A627\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a1-24q6h-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"74C8E3C6-282B-4394-A077-DF8694F7E55D\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a1-36h-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4FF08FAF-67DD-4361-947A-40D5938DB8BA\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a1-36h-se:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1CE2AD36-5D52-4489-AAC1-A7AC1B3D2581\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a1-36h-se-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"14E948CF-9891-4AC8-8734-9C121B611722\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a2-mod-hd-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A95FEA95-703B-44E0-A7CA-9E38B2EB1980\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a2-mod-hx-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D37BF94-9D5F-4A88-8115-3A88FF144845\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a2-mod-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C33F0D81-1314-440B-9FC2-56D76CA4CD79\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a2-mod-se-h-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E50806D-115D-4903-A5B2-62654FFDD9F5\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs-55a2-mod-se-s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"15AE071E-0CEF-4305-A92D-9F4C324BD4ED\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_1001:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F6E0FBE-70B7-413C-8943-39BEFE050298\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_1002:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"37AE5FB0-D9A6-4EBE-9F7F-243299AE918B\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_1004:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60C9AAF8-4C5B-4EF5-B575-8235F3C54BCC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5001:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E2A8C028-107B-4410-BCC6-5BCB8DB63603\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5002:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA13FE67-F4AE-46DF-921B-3FB91BDF742B\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5501-se:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B254955-C485-45D7-A19B-E78CE1D997AD\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5502-se:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"50C7B71A-2559-4E90-BAAA-C6FAAFE35FC3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5504:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6AC4E089-296D-4C19-BF21-DDF2501DD77C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5508:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"43D21B01-A754-474F-8E46-14D733AB307E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5516:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17D6424C-972F-459C-B8F7-04FFD9F541BC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_55a1:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B51897CC-4FBF-4C99-BB69-2C528E392FE7\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_55a2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"63ED034E-5A46-44A8-9101-8ACD6D334FF5\"}]}]}],\"references\":[{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK\", \"name\": \"20220520 Cisco IOS XR Software Health Check Open Port Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T02:24:49.991Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-20821\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-29T16:11:07.480784Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-05-23\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2022-20821\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-29T16:11:32.083Z\"}}], \"cna\": {\"title\": \"Cisco IOS XR Software Health Check Open Port Vulnerability\", \"source\": {\"defect\": [[\"CSCwb82689\"]], \"advisory\": \"cisco-sa-iosxr-redis-ABJyE5xK\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco IOS XR Software\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"exploits\": [{\"lang\": \"en\", \"value\": \"In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.\"}], \"datePublic\": \"2022-05-20T00:00:00\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK\", \"name\": \"20220520 Cisco IOS XR Software Health Check Open Port Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2022-05-26T14:00:31\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"version\": \"3.0\", \"baseScore\": \"6.5\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"}}, \"source\": {\"defect\": [[\"CSCwb82689\"]], \"advisory\": \"cisco-sa-iosxr-redis-ABJyE5xK\", \"discovery\": \"INTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"n/a\"}]}, \"product_name\": \"Cisco IOS XR Software\"}]}, \"vendor_name\": \"Cisco\"}]}}, \"exploit\": [{\"lang\": \"en\", \"value\": \"In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.\"}], \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK\", \"name\": \"20220520 Cisco IOS XR Software Health Check Open Port Vulnerability\", \"refsource\": \"CISCO\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-200\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-20821\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Cisco IOS XR Software Health Check Open Port Vulnerability\", \"ASSIGNER\": \"psirt@cisco.com\", \"DATE_PUBLIC\": \"2022-05-20T23:00:00\"}}}}",
         cveMetadata: "{\"cveId\": \"CVE-2022-20821\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-29T16:11:35.841Z\", \"dateReserved\": \"2021-11-02T00:00:00\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2022-05-26T14:00:31.613559Z\", \"assignerShortName\": \"cisco\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

ghsa-6whc-cmc9-99q6

Vulnerability from github

Published

2022-05-27 00:00

Modified

2022-06-08 00:00

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2022-20821",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-200",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2022-05-26T14:15:00Z",
      severity: "MODERATE",
   },
   details: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.",
   id: "GHSA-6whc-cmc9-99q6",
   modified: "2022-06-08T00:00:52Z",
   published: "2022-05-27T00:00:59Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2022-20821",
      },
      {
         type: "WEB",
         url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
         type: "CVSS_V3",
      },
   ],
}

cisco-sa-iosxr-redis-ABJyE5xK

Vulnerability from csaf_cisco

Published

2022-05-20 16:00

Modified

2024-03-15 16:55

Summary

Cisco IOS XR Software Health Check Open Port Vulnerability

Notes

Summary

Vulnerable Products

At the time of publication, this vulnerability affected Cisco 8000 Series Routers if they were running a vulnerable release of Cisco IOS XR Software and had the health check RPM installed and active. For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software ["#fs"] section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Determine the Device Configuration To determine if the device is in a vulnerable state, issue the run docker ps CLI command. If the output returns a docker container with the name NOSi, as shown in the following example, the device is considered vulnerable: RP/0/RP0/CPU0:8000#run docker ps Wed May 18 04:54:52.502 UTC CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 54307e434f29 nosi:latest "docker-entrypoint.s…" 9 seconds ago Up 8 seconds NOSi RP/0/RP0/CPU0:8000#

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.

Workarounds

There are workarounds that address this vulnerability: Option 1: This is the preferred method. Disable health check and explicitly disable the use cases. To effectively disable health check, enter the following commands exactly as shown: RP/0/RP0/CPU0:8000(config)#no healthcheck enable RP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable RP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable RP/0/RP0/CPU0:8000(config)#commit RP/0/RP0/CPU0:8000# Then remove the health check RPM from the device: RP/0/RP0/CPU0:8000#install package remove xr-healthcheck Wed May 18 05:00:08.060 UTCInstall remove operation 5.2.2 has started Install operation will continue in the background RP/0/RP0/CPU0:8000# RP/0/RP0/CPU0:8000#install apply restart Wed May 18 05:01:08.842 UTC Install apply operation 5.2 has started Install operation will continue in the background RP/0/RP0/CPU0:8000# RP/0/RP0/CPU0:8000#show install request User request: install apply restart Operation ID: 7.4 State: Success since 2024-02-28 14:06:40 UTC RP/0/RP0/CPU0:8000#install commit RP/0/RP0/CPU0:8000# Option 2: Use an Infrastructure Access Control List (iACLs) to block port 6379. To protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy infrastructure access control lists (iACLs) to perform policy enforcement of traffic sent to infrastructure equipment. Administrators can construct an iACL by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. For the maximum protection of infrastructure devices, deployed iACLs should be applied in the ingress direction on all interfaces to which an IP address has been configured. An iACL workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address. The iACL policy denies unauthorized Redis communications packets on TCP port 6379 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices. Care should be taken to allow required traffic for routing and administrative access before denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iACLs. ipv4 access-list Infrastructure-ACL-Policy ! !-- The following vulnerability-specific access control entries !-- (ACEs) can drop Redis Database communication packets ! deny tcp any 192.168.60.0 0.0.0.255 eq 6379 ! !-- Explicit deny ACE for traffic sent to addresses configured !-- within the infrastructure address space ! deny ip any 192.168.60.0 0.0.0.255 ! !-- Permit or deny all other Layer 3 and Layer 4 traffic in !-- accordance with existing security policies and configurations ! !-- Apply iACL to interfaces in the ingress direction ! interface GigabitEthernet0/0 ipv4 access-group Infrastructure-ACL-Policy in For additional information about iACLs, see Protecting Your Core: Infrastructure Protection Access Control Lists ["http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml"]. While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Cisco IOS XR Release First Fixed Release 7.2 and earlier Not affected 7.3.15, 7.3.16, 7.3.1, and 7.3.2 Not affected 7.3.3 SMU ID: 8000-7.3.3.CSCwb82689 and 7.3.4 7.4 Not affected 7.5.1 Not affected 7.5.2 Not affected 7.6 Not affected Note: SMU ID: 8000-7.3.3.CSCwb82689 needs to be installed using the following steps; otherwise, the old docker container may still be active and not address this vulnerability. Install SMU ID: 8000-7.3.3.CSCwb82689: RP/0/RP0/CPU0:ios#show install active summary Fri Mar 1 05:46:02.751 UTC Active Packages: XR: 183 All: 1347 Label: 7.3.3 Software Hash: fd6561ecb682a5cd3b7fcc31b6606292 Optional Packages Version ---------------------------------------------------- --------------------------- xr-8000-mcast 7.3.3v1.0.0-1 xr-8000-netflow 7.3.3v1.0.0-1 xr-bgp 7.3.3v1.0.0-1 xr-healthcheck 7.3.3v1.0.1-1 xr-ipsla 7.3.3v1.0.0-1 xr-is-is 7.3.3v1.0.0-1 xr-lldp 7.3.3v1.0.0-1 xr-mcast 7.3.3v1.0.0-1 xr-mpls-oam 7.3.3v1.0.0-1 xr-netflow 7.3.3v1.0.0-1 xr-ospf 7.3.3v1.0.0-1 xr-perfmgmt 7.3.3v1.0.0-1 xr-track 7.3.3v1.0.0-1 Active Fixes (count: 1): CSCwb82689: xr-healthcheck NOSi is still running the old container, which exposes the redis port. [node0_RP0_CPU0:~]$docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f25f8f89bcc1 nosi:latest "docker-entrypoint.s…" 5 minutes ago Up 5 minutes NOSi [node0_RP0_CPU0:~]$docker exec -it NOSi ps x PID TTY STAT TIME COMMAND 10ts/0 Sl 0:00 redis-server 0.0.0.0:6379 Stop and remove the old docker container and remove the old docker image: [node0_RP0_CPU0:~]$docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f25f8f89bcc1 nosi:latest "docker-entrypoint.s…" 7 minutes ago Up 7 minutes NOSi [node0_RP0_CPU0:~]$docker stop NOSi NOSi [node0_RP0_CPU0:~]$docker rm NOSi NOSi [node0_RP0_CPU0:~]$docker images REPOSITORY TAG IMAGE ID CREATED SIZE nosi latest 1dbc91432c6c 2 years ago 840MB [node0_RP0_CPU0:~]$docker image rm 1dbc91432c6c Untagged: nosi:latest Deleted: sha256:1dbc91432c6cde1c00dabf456b6007649af719ea091b3557a333842cdb458b65 . . . Deleted: sha256:87c8a1d8f54f3aa4e05569e8919397b65056aa71cdf48b7f061432c98475eee9 Restart processes: RP/0/RP0/CPU0:ios#process restart appmgr RP/0/RP0/CPU0:ios#process restart hcmgr The NOsi container came up with a new image. [node0_RP0_CPU0:~]$docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c64285f9f2ef nosi:latest "docker-entrypoint.s…" 2 seconds ago Up 1 second NOSi [node0_RP0_CPU0:~]$docker exec -it NOSi ps x PID TTY STAT TIME COMMAND 10 pts/0 Sl 0:00 redis-server *:0 Install commit: RP/0/RP0/CPU0:8000#install commit RP/0/RP0/CPU0:8000# The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Exploitation and Public Announcements

In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.

Source

This vulnerability was found during the resolution of a Cisco TAC support case.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

JSON

To clipboard

{
   document: {
      acknowledgments: [
         {
            summary: "This vulnerability was found during the resolution of a Cisco TAC support case.",
         },
      ],
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      notes: [
         {
            category: "summary",
            text: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.\r\n\r\nThis vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.\r\n\r\nCisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.\r\n\r\n",
            title: "Summary",
         },
         {
            category: "general",
            text: "At the time of publication, this vulnerability affected Cisco 8000 Series Routers if they were running a vulnerable release of Cisco IOS XR Software and had the health check RPM installed and active.\r\n\r\nFor information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software [\"#fs\"] section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n  Determine the Device Configuration\r\nTo determine if the device is in a vulnerable state, issue the run docker ps CLI command. If the output returns a docker container with the name NOSi, as shown in the following example, the device is considered vulnerable:\r\n\r\n\r\nRP/0/RP0/CPU0:8000#run docker ps\r\nWed May 18 04:54:52.502 UTC  CONTAINER ID    IMAGE         COMMAND                 CREATED          STATUS       PORTS  NAMES  54307e434f29    nosi:latest   \"docker-entrypoint.s…\"  9 seconds ago    Up 8 seconds        NOSi  RP/0/RP0/CPU0:8000#",
            title: "Vulnerable Products",
         },
         {
            category: "general",
            text: "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.",
            title: "Products Confirmed Not Vulnerable",
         },
         {
            category: "general",
            text: "There are workarounds that address this vulnerability:\r\n\r\nOption 1: This is the preferred method. Disable health check and explicitly disable the use cases.\r\n\r\nTo effectively disable health check, enter the following commands exactly as shown:\r\n\r\n\r\nRP/0/RP0/CPU0:8000(config)#no healthcheck enable\r\nRP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable\r\nRP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable\r\nRP/0/RP0/CPU0:8000(config)#commit\r\nRP/0/RP0/CPU0:8000#\r\n\r\nThen remove the health check RPM from the device:\r\n\r\n\r\nRP/0/RP0/CPU0:8000#install package remove xr-healthcheck\r\nWed May 18 05:00:08.060 UTCInstall remove operation 5.2.2 has started\r\nInstall operation will continue in the background\r\nRP/0/RP0/CPU0:8000#\r\nRP/0/RP0/CPU0:8000#install apply restart\r\nWed May 18 05:01:08.842 UTC\r\nInstall apply operation 5.2 has started\r\nInstall operation will continue in the background\r\nRP/0/RP0/CPU0:8000#\r\nRP/0/RP0/CPU0:8000#show install request\r\nUser request: install apply restart\r\nOperation ID: 7.4\r\nState:        Success since 2024-02-28 14:06:40 UTC\r\nRP/0/RP0/CPU0:8000#install commit\r\nRP/0/RP0/CPU0:8000#\r\n\r\n\r\nOption 2: Use an Infrastructure Access Control List (iACLs) to block port 6379.\r\n\r\nTo protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy infrastructure access control lists (iACLs) to perform policy enforcement of traffic sent to infrastructure equipment. Administrators can construct an iACL by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. For the maximum protection of infrastructure devices, deployed iACLs should be applied in the ingress direction on all interfaces to which an IP address has been configured. An iACL workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address.\r\n\r\nThe iACL policy denies unauthorized Redis communications packets on TCP port 6379 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices. Care should be taken to allow required traffic for routing and administrative access before denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iACLs.\r\n\r\n\r\n ipv4 access-list Infrastructure-ACL-Policy\r\n !    !-- The following vulnerability-specific access control entries    !-- (ACEs) can drop Redis Database communication packets    !    deny tcp any 192.168.60.0 0.0.0.255 eq 6379   !    !-- Explicit deny ACE for traffic sent to addresses configured    !-- within the infrastructure address space    !    deny ip any 192.168.60.0 0.0.0.255  !   !-- Permit or deny all other Layer 3 and Layer 4 traffic in   !-- accordance with existing security policies and configurations   !   !-- Apply iACL to interfaces in the ingress direction\r\n!  interface GigabitEthernet0/0   ipv4 access-group Infrastructure-ACL-Policy in\r\n\r\n\r\n\r\nFor additional information about iACLs, see Protecting Your Core: Infrastructure Protection Access Control Lists [\"http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml\"].\r\n\r\nWhile these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
            title: "Workarounds",
         },
         {
            category: "general",
            text: "When considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n      Fixed Releases\r\nAt the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n        Cisco IOS XR Release  First Fixed Release          7.2 and earlier  Not affected      7.3.15, 7.3.16, 7.3.1, and 7.3.2  Not affected      7.3.3  SMU ID: 8000-7.3.3.CSCwb82689 and 7.3.4      7.4   Not affected      7.5.1  Not affected      7.5.2  Not affected      7.6  Not affected\r\nNote: SMU ID: 8000-7.3.3.CSCwb82689 needs to be installed using the following steps; otherwise, the old docker container may still be active and not address this vulnerability.\r\n\r\nInstall SMU ID: 8000-7.3.3.CSCwb82689:\r\n\r\nRP/0/RP0/CPU0:ios#show install active summary\r\nFri Mar  1 05:46:02.751 UTC  Active Packages:    XR: 183    All: 1347  Label:              7.3.3  Software Hash:      fd6561ecb682a5cd3b7fcc31b6606292    Optional Packages                                                        Version  ---------------------------------------------------- ---------------------------  xr-8000-mcast                                                      7.3.3v1.0.0-1  xr-8000-netflow                                                    7.3.3v1.0.0-1  xr-bgp                                                             7.3.3v1.0.0-1  xr-healthcheck                                                     7.3.3v1.0.1-1  xr-ipsla                                                           7.3.3v1.0.0-1  xr-is-is                                                           7.3.3v1.0.0-1  xr-lldp                                                            7.3.3v1.0.0-1  xr-mcast                                                           7.3.3v1.0.0-1  xr-mpls-oam                                                        7.3.3v1.0.0-1  xr-netflow                                                         7.3.3v1.0.0-1  xr-ospf                                                            7.3.3v1.0.0-1  xr-perfmgmt                                                        7.3.3v1.0.0-1  xr-track                                                           7.3.3v1.0.0-1    Active Fixes (count: 1):    CSCwb82689: xr-healthcheck\r\n\r\nNOSi is still running the old container, which exposes the redis port.\r\n\r\n\r\n[node0_RP0_CPU0:~]$docker ps\r\nCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES  f25f8f89bcc1        nosi:latest         \"docker-entrypoint.s…\"   5 minutes ago       Up 5 minutes                            NOSi  [node0_RP0_CPU0:~]$docker exec -it NOSi ps x    PID TTY      STAT   TIME COMMAND  10ts/0    Sl     0:00 redis-server 0.0.0.0:6379\r\n\r\nStop and remove the old docker container and remove the old docker image:\r\n\r\n[node0_RP0_CPU0:~]$docker ps\r\nCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES  f25f8f89bcc1        nosi:latest         \"docker-entrypoint.s…\"   7 minutes ago       Up 7 minutes                            NOSi  [node0_RP0_CPU0:~]$docker stop NOSi  NOSi  [node0_RP0_CPU0:~]$docker rm NOSi  NOSi  [node0_RP0_CPU0:~]$docker images  REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE  nosi                latest              1dbc91432c6c        2 years ago         840MB  [node0_RP0_CPU0:~]$docker image rm 1dbc91432c6c  Untagged: nosi:latest  Deleted: sha256:1dbc91432c6cde1c00dabf456b6007649af719ea091b3557a333842cdb458b65  .\r\n.\r\n.  Deleted: sha256:87c8a1d8f54f3aa4e05569e8919397b65056aa71cdf48b7f061432c98475eee9\r\n\r\nRestart processes:\r\n\r\nRP/0/RP0/CPU0:ios#process restart appmgr\r\nRP/0/RP0/CPU0:ios#process restart hcmgr\r\n\r\nThe NOsi container came up with a new image.\r\n\r\n\r\n[node0_RP0_CPU0:~]$docker ps\r\nCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES  c64285f9f2ef        nosi:latest         \"docker-entrypoint.s…\"   2 seconds ago       Up 1 second                             NOSi  [node0_RP0_CPU0:~]$docker exec -it NOSi ps x  PID TTY      STAT   TIME COMMAND  10 pts/0    Sl     0:00 redis-server *:0\r\n\r\nInstall commit:\r\n\r\nRP/0/RP0/CPU0:8000#install commit\r\nRP/0/RP0/CPU0:8000#\r\n\r\n\r\nThe Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.",
            title: "Fixed Software",
         },
         {
            category: "general",
            text: "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
            title: "Vulnerability Policy",
         },
         {
            category: "general",
            text: "In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.",
            title: "Exploitation and Public Announcements",
         },
         {
            category: "general",
            text: "This vulnerability was found during the resolution of a Cisco TAC support case.",
            title: "Source",
         },
         {
            category: "legal_disclaimer",
            text: "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
            title: "Legal Disclaimer",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "psirt@cisco.com",
         issuing_authority: "Cisco PSIRT",
         name: "Cisco",
         namespace: "https://wwww.cisco.com",
      },
      references: [
         {
            category: "self",
            summary: "Cisco IOS XR Software Health Check Open Port Vulnerability",
            url: "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
         },
         {
            category: "external",
            summary: "Cisco Security Vulnerability Policy",
            url: "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
         },
         {
            category: "external",
            summary: "Protecting Your Core: Infrastructure Protection Access Control Lists",
            url: "http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml",
         },
         {
            category: "external",
            summary: "considering software upgrades",
            url: "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes",
         },
         {
            category: "external",
            summary: "Cisco&nbsp;Security Advisories page",
            url: "https://www.cisco.com/go/psirt",
         },
         {
            category: "external",
            summary: "Security Vulnerability Policy",
            url: "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html",
         },
      ],
      title: "Cisco IOS XR Software Health Check Open Port Vulnerability",
      tracking: {
         current_release_date: "2024-03-15T16:55:47+00:00",
         generator: {
            date: "2024-05-10T23:16:16+00:00",
            engine: {
               name: "TVCE",
            },
         },
         id: "cisco-sa-iosxr-redis-ABJyE5xK",
         initial_release_date: "2022-05-20T16:00:00+00:00",
         revision_history: [
            {
               date: "2022-05-20T16:00:03+00:00",
               number: "1.0.0",
               summary: "Initial public release.",
            },
            {
               date: "2022-06-01T13:59:56+00:00",
               number: "1.1.0",
               summary: "Added SMU to the Fixed Releases section.",
            },
            {
               date: "2024-03-15T16:55:47+00:00",
               number: "1.2.0",
               summary: "Updated workaround information and added directions for installing the SMU.",
            },
         ],
         status: "final",
         version: "1.2.0",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_family",
                  name: "Cisco IOS XR Software",
                  product: {
                     name: "Cisco IOS XR Software ",
                     product_id: "CSAFPID-5834",
                  },
               },
            ],
            category: "vendor",
            name: "Cisco",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-20821",
         ids: [
            {
               system_name: "Cisco Bug ID",
               text: "CSCwb82689",
            },
         ],
         notes: [
            {
               category: "other",
               text: "Complete.",
               title: "Affected Product Comprehensiveness",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-5834",
            ],
         },
         remediations: [
            {
               category: "vendor_fix",
               details: "Cisco has released software updates that address this vulnerability.",
               product_ids: [
                  "CSAFPID-5834",
               ],
               url: "https://software.cisco.com",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 6.5,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-5834",
               ],
            },
         ],
         title: "Cisco IOS XR Software Healthcheck Open Port Vulnerability",
      },
   ],
}

cisco-sa-iosxr-redis-abjye5xk

Vulnerability from csaf_cisco

Published

2022-05-20 16:00

Modified

2024-03-15 16:55

Summary

Cisco IOS XR Software Health Check Open Port Vulnerability

Notes

Summary

Vulnerable Products

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.

Workarounds

Fixed Software

Vulnerability Policy

Exploitation and Public Announcements

Source

This vulnerability was found during the resolution of a Cisco TAC support case.

Legal Disclaimer

JSON

To clipboard

{
   document: {
      acknowledgments: [
         {
            summary: "This vulnerability was found during the resolution of a Cisco TAC support case.",
         },
      ],
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      notes: [
         {
            category: "summary",
            text: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.\r\n\r\nThis vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.\r\n\r\nCisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.\r\n\r\n",
            title: "Summary",
         },
         {
            category: "general",
            text: "At the time of publication, this vulnerability affected Cisco 8000 Series Routers if they were running a vulnerable release of Cisco IOS XR Software and had the health check RPM installed and active.\r\n\r\nFor information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software [\"#fs\"] section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n  Determine the Device Configuration\r\nTo determine if the device is in a vulnerable state, issue the run docker ps CLI command. If the output returns a docker container with the name NOSi, as shown in the following example, the device is considered vulnerable:\r\n\r\n\r\nRP/0/RP0/CPU0:8000#run docker ps\r\nWed May 18 04:54:52.502 UTC  CONTAINER ID    IMAGE         COMMAND                 CREATED          STATUS       PORTS  NAMES  54307e434f29    nosi:latest   \"docker-entrypoint.s…\"  9 seconds ago    Up 8 seconds        NOSi  RP/0/RP0/CPU0:8000#",
            title: "Vulnerable Products",
         },
         {
            category: "general",
            text: "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.",
            title: "Products Confirmed Not Vulnerable",
         },
         {
            category: "general",
            text: "There are workarounds that address this vulnerability:\r\n\r\nOption 1: This is the preferred method. Disable health check and explicitly disable the use cases.\r\n\r\nTo effectively disable health check, enter the following commands exactly as shown:\r\n\r\n\r\nRP/0/RP0/CPU0:8000(config)#no healthcheck enable\r\nRP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable\r\nRP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable\r\nRP/0/RP0/CPU0:8000(config)#commit\r\nRP/0/RP0/CPU0:8000#\r\n\r\nThen remove the health check RPM from the device:\r\n\r\n\r\nRP/0/RP0/CPU0:8000#install package remove xr-healthcheck\r\nWed May 18 05:00:08.060 UTCInstall remove operation 5.2.2 has started\r\nInstall operation will continue in the background\r\nRP/0/RP0/CPU0:8000#\r\nRP/0/RP0/CPU0:8000#install apply restart\r\nWed May 18 05:01:08.842 UTC\r\nInstall apply operation 5.2 has started\r\nInstall operation will continue in the background\r\nRP/0/RP0/CPU0:8000#\r\nRP/0/RP0/CPU0:8000#show install request\r\nUser request: install apply restart\r\nOperation ID: 7.4\r\nState:        Success since 2024-02-28 14:06:40 UTC\r\nRP/0/RP0/CPU0:8000#install commit\r\nRP/0/RP0/CPU0:8000#\r\n\r\n\r\nOption 2: Use an Infrastructure Access Control List (iACLs) to block port 6379.\r\n\r\nTo protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy infrastructure access control lists (iACLs) to perform policy enforcement of traffic sent to infrastructure equipment. Administrators can construct an iACL by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. For the maximum protection of infrastructure devices, deployed iACLs should be applied in the ingress direction on all interfaces to which an IP address has been configured. An iACL workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address.\r\n\r\nThe iACL policy denies unauthorized Redis communications packets on TCP port 6379 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices. Care should be taken to allow required traffic for routing and administrative access before denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iACLs.\r\n\r\n\r\n ipv4 access-list Infrastructure-ACL-Policy\r\n !    !-- The following vulnerability-specific access control entries    !-- (ACEs) can drop Redis Database communication packets    !    deny tcp any 192.168.60.0 0.0.0.255 eq 6379   !    !-- Explicit deny ACE for traffic sent to addresses configured    !-- within the infrastructure address space    !    deny ip any 192.168.60.0 0.0.0.255  !   !-- Permit or deny all other Layer 3 and Layer 4 traffic in   !-- accordance with existing security policies and configurations   !   !-- Apply iACL to interfaces in the ingress direction\r\n!  interface GigabitEthernet0/0   ipv4 access-group Infrastructure-ACL-Policy in\r\n\r\n\r\n\r\nFor additional information about iACLs, see Protecting Your Core: Infrastructure Protection Access Control Lists [\"http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml\"].\r\n\r\nWhile these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
            title: "Workarounds",
         },
         {
            category: "general",
            text: "When considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n      Fixed Releases\r\nAt the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n        Cisco IOS XR Release  First Fixed Release          7.2 and earlier  Not affected      7.3.15, 7.3.16, 7.3.1, and 7.3.2  Not affected      7.3.3  SMU ID: 8000-7.3.3.CSCwb82689 and 7.3.4      7.4   Not affected      7.5.1  Not affected      7.5.2  Not affected      7.6  Not affected\r\nNote: SMU ID: 8000-7.3.3.CSCwb82689 needs to be installed using the following steps; otherwise, the old docker container may still be active and not address this vulnerability.\r\n\r\nInstall SMU ID: 8000-7.3.3.CSCwb82689:\r\n\r\nRP/0/RP0/CPU0:ios#show install active summary\r\nFri Mar  1 05:46:02.751 UTC  Active Packages:    XR: 183    All: 1347  Label:              7.3.3  Software Hash:      fd6561ecb682a5cd3b7fcc31b6606292    Optional Packages                                                        Version  ---------------------------------------------------- ---------------------------  xr-8000-mcast                                                      7.3.3v1.0.0-1  xr-8000-netflow                                                    7.3.3v1.0.0-1  xr-bgp                                                             7.3.3v1.0.0-1  xr-healthcheck                                                     7.3.3v1.0.1-1  xr-ipsla                                                           7.3.3v1.0.0-1  xr-is-is                                                           7.3.3v1.0.0-1  xr-lldp                                                            7.3.3v1.0.0-1  xr-mcast                                                           7.3.3v1.0.0-1  xr-mpls-oam                                                        7.3.3v1.0.0-1  xr-netflow                                                         7.3.3v1.0.0-1  xr-ospf                                                            7.3.3v1.0.0-1  xr-perfmgmt                                                        7.3.3v1.0.0-1  xr-track                                                           7.3.3v1.0.0-1    Active Fixes (count: 1):    CSCwb82689: xr-healthcheck\r\n\r\nNOSi is still running the old container, which exposes the redis port.\r\n\r\n\r\n[node0_RP0_CPU0:~]$docker ps\r\nCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES  f25f8f89bcc1        nosi:latest         \"docker-entrypoint.s…\"   5 minutes ago       Up 5 minutes                            NOSi  [node0_RP0_CPU0:~]$docker exec -it NOSi ps x    PID TTY      STAT   TIME COMMAND  10ts/0    Sl     0:00 redis-server 0.0.0.0:6379\r\n\r\nStop and remove the old docker container and remove the old docker image:\r\n\r\n[node0_RP0_CPU0:~]$docker ps\r\nCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES  f25f8f89bcc1        nosi:latest         \"docker-entrypoint.s…\"   7 minutes ago       Up 7 minutes                            NOSi  [node0_RP0_CPU0:~]$docker stop NOSi  NOSi  [node0_RP0_CPU0:~]$docker rm NOSi  NOSi  [node0_RP0_CPU0:~]$docker images  REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE  nosi                latest              1dbc91432c6c        2 years ago         840MB  [node0_RP0_CPU0:~]$docker image rm 1dbc91432c6c  Untagged: nosi:latest  Deleted: sha256:1dbc91432c6cde1c00dabf456b6007649af719ea091b3557a333842cdb458b65  .\r\n.\r\n.  Deleted: sha256:87c8a1d8f54f3aa4e05569e8919397b65056aa71cdf48b7f061432c98475eee9\r\n\r\nRestart processes:\r\n\r\nRP/0/RP0/CPU0:ios#process restart appmgr\r\nRP/0/RP0/CPU0:ios#process restart hcmgr\r\n\r\nThe NOsi container came up with a new image.\r\n\r\n\r\n[node0_RP0_CPU0:~]$docker ps\r\nCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES  c64285f9f2ef        nosi:latest         \"docker-entrypoint.s…\"   2 seconds ago       Up 1 second                             NOSi  [node0_RP0_CPU0:~]$docker exec -it NOSi ps x  PID TTY      STAT   TIME COMMAND  10 pts/0    Sl     0:00 redis-server *:0\r\n\r\nInstall commit:\r\n\r\nRP/0/RP0/CPU0:8000#install commit\r\nRP/0/RP0/CPU0:8000#\r\n\r\n\r\nThe Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.",
            title: "Fixed Software",
         },
         {
            category: "general",
            text: "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
            title: "Vulnerability Policy",
         },
         {
            category: "general",
            text: "In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.",
            title: "Exploitation and Public Announcements",
         },
         {
            category: "general",
            text: "This vulnerability was found during the resolution of a Cisco TAC support case.",
            title: "Source",
         },
         {
            category: "legal_disclaimer",
            text: "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
            title: "Legal Disclaimer",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "psirt@cisco.com",
         issuing_authority: "Cisco PSIRT",
         name: "Cisco",
         namespace: "https://wwww.cisco.com",
      },
      references: [
         {
            category: "self",
            summary: "Cisco IOS XR Software Health Check Open Port Vulnerability",
            url: "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
         },
         {
            category: "external",
            summary: "Cisco Security Vulnerability Policy",
            url: "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
         },
         {
            category: "external",
            summary: "Protecting Your Core: Infrastructure Protection Access Control Lists",
            url: "http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml",
         },
         {
            category: "external",
            summary: "considering software upgrades",
            url: "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes",
         },
         {
            category: "external",
            summary: "Cisco&nbsp;Security Advisories page",
            url: "https://www.cisco.com/go/psirt",
         },
         {
            category: "external",
            summary: "Security Vulnerability Policy",
            url: "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html",
         },
      ],
      title: "Cisco IOS XR Software Health Check Open Port Vulnerability",
      tracking: {
         current_release_date: "2024-03-15T16:55:47+00:00",
         generator: {
            date: "2024-05-10T23:16:16+00:00",
            engine: {
               name: "TVCE",
            },
         },
         id: "cisco-sa-iosxr-redis-ABJyE5xK",
         initial_release_date: "2022-05-20T16:00:00+00:00",
         revision_history: [
            {
               date: "2022-05-20T16:00:03+00:00",
               number: "1.0.0",
               summary: "Initial public release.",
            },
            {
               date: "2022-06-01T13:59:56+00:00",
               number: "1.1.0",
               summary: "Added SMU to the Fixed Releases section.",
            },
            {
               date: "2024-03-15T16:55:47+00:00",
               number: "1.2.0",
               summary: "Updated workaround information and added directions for installing the SMU.",
            },
         ],
         status: "final",
         version: "1.2.0",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_family",
                  name: "Cisco IOS XR Software",
                  product: {
                     name: "Cisco IOS XR Software ",
                     product_id: "CSAFPID-5834",
                  },
               },
            ],
            category: "vendor",
            name: "Cisco",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-20821",
         ids: [
            {
               system_name: "Cisco Bug ID",
               text: "CSCwb82689",
            },
         ],
         notes: [
            {
               category: "other",
               text: "Complete.",
               title: "Affected Product Comprehensiveness",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-5834",
            ],
         },
         remediations: [
            {
               category: "vendor_fix",
               details: "Cisco has released software updates that address this vulnerability.",
               product_ids: [
                  "CSAFPID-5834",
               ],
               url: "https://software.cisco.com",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 6.5,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "CSAFPID-5834",
               ],
            },
         ],
         title: "Cisco IOS XR Software Healthcheck Open Port Vulnerability",
      },
   ],
}

gsd-2022-20821

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-20821

Aliases

CVE-2022-20821

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2022-20821",
      description: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.",
      id: "GSD-2022-20821",
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2022-20821",
         ],
         details: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.",
         id: "GSD-2022-20821",
         modified: "2023-12-13T01:19:16.960668Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "psirt@cisco.com",
            DATE_PUBLIC: "2022-05-20T23:00:00",
            ID: "CVE-2022-20821",
            STATE: "PUBLIC",
            TITLE: "Cisco IOS XR Software Health Check Open Port Vulnerability",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "Cisco IOS XR Software ",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "n/a",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "Cisco",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.",
               },
            ],
         },
         exploit: [
            {
               lang: "eng",
               value: "In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability. ",
            },
         ],
         impact: {
            cvss: {
               baseScore: "6.5",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N ",
               version: "3.0",
            },
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "CWE-200",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "20220520 Cisco IOS XR Software Health Check Open Port Vulnerability",
                  refsource: "CISCO",
                  url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
               },
            ],
         },
         source: {
            advisory: "cisco-sa-iosxr-redis-ABJyE5xK",
            defect: [
               [
                  "CSCwb82689",
               ],
            ],
            discovery: "INTERNAL",
         },
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [
                     {
                        children: [],
                        cpe_match: [
                           {
                              cpe23Uri: "cpe:2.3:o:cisco:ios_xr:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: true,
                           },
                        ],
                        operator: "OR",
                     },
                     {
                        children: [],
                        cpe_match: [
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_1002:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_1004:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_1001:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a2-mod-s:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a2-mod-hd-s:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a2-mod-hx-s:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a2-mod-se-s:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a2-mod-se-h-s:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a1-24h:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a1-36h-s:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:8201:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:8202:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:8208:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:8212:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:8218:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a1-24q6h-s:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a1-36h-se:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs-55a1-36h-se-s:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_5001:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_5002:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_5501-se:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_5502-se:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_5504:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_5508:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_5516:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_55a1:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                           {
                              cpe23Uri: "cpe:2.3:h:cisco:ncs_55a2:-:*:*:*:*:*:*:*",
                              cpe_name: [],
                              vulnerable: false,
                           },
                        ],
                        operator: "OR",
                     },
                  ],
                  cpe_match: [],
                  operator: "AND",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "psirt@cisco.com",
               ID: "CVE-2022-20821",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-200",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "20220520 Cisco IOS XR Software Health Check Open Port Vulnerability",
                     refsource: "CISCO",
                     tags: [
                        "Vendor Advisory",
                     ],
                     url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
                  },
               ],
            },
         },
         impact: {
            baseMetricV2: {
               acInsufInfo: false,
               cvssV2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 6.4,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N",
                  version: "2.0",
               },
               exploitabilityScore: 10,
               impactScore: 4.9,
               obtainAllPrivilege: false,
               obtainOtherPrivilege: false,
               obtainUserPrivilege: false,
               severity: "MEDIUM",
               userInteractionRequired: false,
            },
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
               exploitabilityScore: 3.9,
               impactScore: 2.5,
            },
         },
         lastModifiedDate: "2022-06-07T16:51Z",
         publishedDate: "2022-05-26T14:15Z",
      },
   },
}

fkie_cve-2022-20821

Vulnerability from fkie_nvd

Published

2022-05-26 14:15

Modified

2025-02-24 15:24

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

References

▼	URL	Tags
	psirt@cisco.com	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK	Vendor Advisory

Impacted products

Vendor	Product	Version
cisco	ios_xr	-
cisco	8201	-
cisco	8202	-
cisco	8208	-
cisco	8212	-
cisco	8218	-
cisco	ncs-55a1-24h	-
cisco	ncs-55a1-24q6h-s	-
cisco	ncs-55a1-36h-s	-
cisco	ncs-55a1-36h-se	-
cisco	ncs-55a1-36h-se-s	-
cisco	ncs-55a2-mod-hd-s	-
cisco	ncs-55a2-mod-hx-s	-
cisco	ncs-55a2-mod-s	-
cisco	ncs-55a2-mod-se-h-s	-
cisco	ncs-55a2-mod-se-s	-
cisco	ncs_1001	-
cisco	ncs_1002	-
cisco	ncs_1004	-
cisco	ncs_5001	-
cisco	ncs_5002	-
cisco	ncs_5501-se	-
cisco	ncs_5502-se	-
cisco	ncs_5504	-
cisco	ncs_5508	-
cisco	ncs_5516	-
cisco	ncs_55a1	-
cisco	ncs_55a2	-

JSON

To clipboard

{
   cisaActionDue: "2022-06-13",
   cisaExploitAdd: "2022-05-23",
   cisaRequiredAction: "Apply updates per vendor instructions.",
   cisaVulnerabilityName: "Cisco IOS XR Open Port Vulnerability",
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:cisco:ios_xr:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "92587AA0-BDB6-4594-8F14-DC2A91FA4CD6",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:cisco:8201:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "3D8E7FFF-82A8-4ECB-BA0C-CBF0C2FDA3A3",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:8202:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "87DC4C2F-01C5-4D89-8D79-E5D28EDAD0F2",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:8208:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "A34DAD43-0C95-4830-8078-EFE3E6C0A930",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:8212:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "46F5CBF0-7F55-44C0-B321-896BDBA22679",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:8218:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D381E343-416F-42AF-A780-D330954F238F",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a1-24h:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "D8D61548-61B4-4B53-8574-9DB92B00A627",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a1-24q6h-s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "74C8E3C6-282B-4394-A077-DF8694F7E55D",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a1-36h-s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4FF08FAF-67DD-4361-947A-40D5938DB8BA",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a1-36h-se:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1CE2AD36-5D52-4489-AAC1-A7AC1B3D2581",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a1-36h-se-s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "14E948CF-9891-4AC8-8734-9C121B611722",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a2-mod-hd-s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "A95FEA95-703B-44E0-A7CA-9E38B2EB1980",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a2-mod-hx-s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2D37BF94-9D5F-4A88-8115-3A88FF144845",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a2-mod-s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "C33F0D81-1314-440B-9FC2-56D76CA4CD79",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a2-mod-se-h-s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8E50806D-115D-4903-A5B2-62654FFDD9F5",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs-55a2-mod-se-s:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "15AE071E-0CEF-4305-A92D-9F4C324BD4ED",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_1001:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "0F6E0FBE-70B7-413C-8943-39BEFE050298",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_1002:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "37AE5FB0-D9A6-4EBE-9F7F-243299AE918B",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_1004:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "60C9AAF8-4C5B-4EF5-B575-8235F3C54BCC",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_5001:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E2A8C028-107B-4410-BCC6-5BCB8DB63603",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_5002:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "DA13FE67-F4AE-46DF-921B-3FB91BDF742B",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_5501-se:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "1B254955-C485-45D7-A19B-E78CE1D997AD",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_5502-se:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "50C7B71A-2559-4E90-BAAA-C6FAAFE35FC3",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_5504:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6AC4E089-296D-4C19-BF21-DDF2501DD77C",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_5508:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "43D21B01-A754-474F-8E46-14D733AB307E",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_5516:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "17D6424C-972F-459C-B8F7-04FFD9F541BC",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_55a1:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B51897CC-4FBF-4C99-BB69-2C528E392FE7",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:cisco:ncs_55a2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "63ED034E-5A46-44A8-9101-8ACD6D334FF5",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.",
      },
      {
         lang: "es",
         value: "Una vulnerabilidad en el RPM de comprobación de salud del software Cisco IOS XR podría permitir a un atacante remoto no autenticado acceder a la instancia de Redis que es ejecutado dentro del contenedor NOSi. Esta vulnerabilidad se presenta porque el RPM de comprobación de salud abre el puerto TCP 6379 por defecto al activarse. Un atacante podría explotar esta vulnerabilidad al conectarse a la instancia de Redis en el puerto abierto. Una explotación con éxito podría permitir al atacante escribir en la base de datos en memoria de Redis, escribir archivos arbitrarios en el sistema de archivos del contenedor y recuperar información sobre la base de datos de Redis. Dada la configuración del contenedor con sandbox en el que es ejecutada la instancia de Redis, un atacante remoto no podría ejecutar código remoto ni abusar de la integridad del sistema anfitrión del software Cisco IOS XR",
      },
   ],
   id: "CVE-2022-20821",
   lastModified: "2025-02-24T15:24:27.177",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 6.4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 2.5,
            source: "psirt@cisco.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 2.5,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-05-26T14:15:08.123",
   references: [
      {
         source: "psirt@cisco.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK",
      },
   ],
   sourceIdentifier: "psirt@cisco.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-200",
            },
         ],
         source: "psirt@cisco.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-20821

Vulnerability from cvelistv5

CISA Known exploited vulnerability

Data from the Known Exploited Vulnerabilities Catalog

ghsa-6whc-cmc9-99q6

Vulnerability from github

cisco-sa-iosxr-redis-ABJyE5xK

Vulnerability from csaf_cisco

cisco-sa-iosxr-redis-abjye5xk

Vulnerability from csaf_cisco

gsd-2022-20821

Vulnerability from gsd

fkie_cve-2022-20821

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature