Cisco fixes an IOS XR flaw actively exploited in the wild

Pierluigi Paganini May 21, 2022

Cisco addressed a medium-severity vulnerability affecting IOS XR Software, the company warns that the flaw is actively exploited in the wild.

Cisco released security updates to address a medium-severity vulnerability affecting IOS XR Software, tracked as CVE-2022-20821 (CVSS score: 6.5), that threat actors are actively exploiting in attacks in the wild.

The flaw resides in the health check RPM of Cisco IOS XR Software, an unauthenticated, remote attacker could trigger the issue to access the Redis instance that is running within the NOSi container.

“This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database.” reads the security advisory published by Cisco. “Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.”

The vulnerability impacts Cisco 8000 Series routers with the health check RPM installed and active.

Users can determine if the device is vulnerable, users can issue the run docker ps CLI command. The device is vulnerable if the output returns a docker container with the name NOSi like the following example:

Cisco IOS XR flaw

Below are the workarounds that address this vulnerability:

  • Option 1: This is the preferred method. Disable health check and explicitly disable the use cases.
  • Option 2: Use an Infrastructure Access Control List (iACLs) to block port 6379.

“In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.” concludes the advisory.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco IOS XR)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment