Cisco published a security advisory informing users that a software update is available that addresses a vulnerability in the health check RPM of Cisco IOS XR Software. The vulnerability, tracked as CVE-2022-20821, allows an unauthenticated, remote attacker to access the Redis instance running within the NOSi container. The attacker cannot execute remote code or compromise the integrity of the host system, so the vulnerability has a CVSS score of 6.5.
Health check RPM
Cisco stated that the flaw exists because the health check RPM opens TCP port 6379 by default upon activation. By connecting to the Redis instance on the open port, an attacker could write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Cisco stated that workarounds are also available to address the vulnerability.
| Cisco IOS XR Release | First Fixed Release |
|---|---|
| 7.2 and earlier | Not affected |
| 7.3.15, 7.3.16, 7.3.1, and 7.3.2 | Not affected |
| 7.3.3 | 7.3.4 |
| 7.4 | Not affected |
| 7.5.1 | Not affected |
| 7.5.2 | Not affected |
| 7.6 | Not affected |
The vulnerability affects Cisco 8000 Series Routers if they are running a vulnerable release of Cisco IOS XR Software and have the health check RPM installed and active. Users can issue the "run docker ps" CLI command to determine whether the device is in a vulnerable state. If the output lists a Docker container named NOSi, the device is considered vulnerable.
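The two indicators the advisory names (an affected release in the fixed-release table, and a NOSi container in the output of "run docker ps") can be combined into a small triage check. The following Python is an added example, not Cisco's tooling: it treats any release string not listed as affected in the table above as "Not affected", matches the release string exactly, and the docker ps output it parses is a constructed sample whose container IDs and image names are placeholders.

```python
"""Triage helper for the Cisco IOS XR health check RPM advisory (CVE-2022-20821).

Added example, not Cisco's tooling. It applies the two indicators the advisory
names: (1) the running IOS XR release is one the fixed-release table lists as
affected, and (2) `run docker ps` shows a container named NOSi. The docker ps
sample below is constructed for illustration.
"""

# Fixed-release table from the advisory: only 7.3.3 is listed as affected,
# with 7.3.4 as the first fixed release. Every other row is "Not affected".
AFFECTED_RELEASES = {"7.3.3": "7.3.4"}


def affected_release(version: str):
    """Return the first fixed release if `version` is listed as affected, else None."""
    return AFFECTED_RELEASES.get(version.strip())


def nosi_containers(docker_ps_output: str):
    """Parse `docker ps` text and return the names of containers called NOSi.

    The NAMES column is the last whitespace-separated field on each row, so a
    quoted COMMAND column containing spaces does not disturb the parse. The
    header row is skipped by matching on its CONTAINER ID label.
    """
    names = []
    for line in docker_ps_output.splitlines():
        if not line.strip() or line.startswith("CONTAINER ID"):
            continue
        name = line.split()[-1]
        if name == "NOSi":
            names.append(name)
    return names


def assess(version: str, docker_ps_output: str) -> dict:
    """Combine both indicators the way the advisory describes the vulnerable state."""
    fixed = affected_release(version)
    found = nosi_containers(docker_ps_output)
    return {
        "release_affected": fixed is not None,
        "first_fixed_release": fixed,
        "nosi_container_running": bool(found),
        # Vulnerable per the advisory only when the release is affected AND the
        # health check RPM is active (the NOSi container is running).
        "vulnerable": fixed is not None and bool(found),
    }


# Constructed sample in the layout `docker ps` prints; IDs and images are placeholders.
SAMPLE_DOCKER_PS = """\
CONTAINER ID   IMAGE             COMMAND                  CREATED      STATUS      PORTS     NAMES
0123456789ab   placeholder/img   "/bin/sh -c /start.sh"   2 days ago   Up 2 days             NOSi
fedcba987654   placeholder/oth   "/entrypoint"            5 days ago   Up 5 days             other_svc
"""

if __name__ == "__main__":
    for ver in ("7.3.3", "7.3.4", "7.5.1"):
        print(ver, assess(ver, SAMPLE_DOCKER_PS))
```

On a real device the docker ps text would come from the "run docker ps" CLI command rather than the embedded sample; a device on 7.3.3 with the NOSi container listed is reported as vulnerable, while the same container on 7.5.1, or 7.3.3 with no NOSi container, is not.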