What You Need to Know About Cisco's Latest Router Patch

    Not so long ago, the IT giant announced a critical vulnerability in the ASR 9000 system. Below, we explain what the bug is and how to patch it.

    The vulnerability was found in ASR 9000 series routers running 64-bit IOS XR. This is high-end equipment for the data centers of telecommunications companies and mobile operators, with a capacity of 400 Gbit/s per slot and support for 40G/80G line cards.






    The vulnerability was assigned the identifier CVE-2019-1710. It scored 9.8 out of 10 on the CVSS scale.

    This standard was developed by a group of information security experts from companies such as Microsoft, Cisco, CERT and IBM to assess the danger of bugs.

    Why it is dangerous


    The bug gives attackers the opportunity to gain unauthorized access to system applications on the administrator's virtual machine. Attackers can remotely execute malicious code and conduct DoS attacks. According to Cisco engineers, the problem is that the secondary management interface (MGT LAN 1 on the route switch processor, RSP) is not properly isolated from the internal administrator applications. An attacker can exploit the vulnerability by connecting to one of them.

    To determine whether the problem exists on your system, log in to the sysadmin virtual machine and enter the show interface command in the console. If the secondary interface is connected (as in the output below), then the router is vulnerable.

    sysadmin-vm:0_RSP1:eXR# show interface
    Tue Mar  19 19:32:00.839 UTC
    MgmtEth0/RSP1/0/0  Link encap: Ethernet  HWaddr 08:96:ad:22:7a:31
      inet  addr: 192.168.0.1
      UP RUNNING BROADCAST MULTICAST   MTU:1500  Metric:1
      RX packets:      14093 errors:0 dropped:1 overruns:0   frame:0
      TX packets:         49 errors:0 dropped:0 overruns:0 carrier:0
                             collisions:0 txqueuelen:1000
      RX bytes:                867463  TX bytes:                  6889
    sysadmin-vm:0_RSP1:eXR#
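
    The check described above can be run over captured output when many routers have to be audited. The script below is an added example, not code from the article or from Cisco; it assumes that an MgmtEth entry whose flag line carries both UP and RUNNING is what the article calls a connected interface, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not Cisco tooling): classify captured sysadmin-VM
# "show interface" output. Assumption: an MgmtEth entry whose flag line has
# both UP and RUNNING is what the article calls a connected interface.

# Reads a capture on stdin; prints "<interface> <address|-> <connected|down>".
mgmt_if_report() {
    awk '
        function emit() {
            if (name != "") print name, (addr == "" ? "-" : addr), state
        }
        /Link encap/ {                      # first line of an interface block
            emit()
            name = ($1 ~ /^MgmtEth/) ? $1 : ""
            addr = ""; state = "down"
            next
        }
        name != "" {                        # detail lines of a management port
            up = run = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "addr:" && i < NF) addr = $(i + 1)
                if ($i == "UP") up = 1
                if ($i == "RUNNING") run = 1
            }
            if (up && run) state = "connected"
        }
        END { emit() }
    '
}

# Exit status 0 when at least one management interface is connected.
router_exposed() {
    mgmt_if_report | grep -q ' connected$'
}

capture_from_article() {    # the relevant lines of the output shown above
    cat <<'EOF'
sysadmin-vm:0_RSP1:eXR# show interface
MgmtEth0/RSP1/0/0  Link encap: Ethernet  HWaddr 08:96:ad:22:7a:31
  inet  addr: 192.168.0.1
  UP RUNNING BROADCAST MULTICAST   MTU:1500  Metric:1
EOF
}
capture_link_down() {       # constructed sample: same port, link not up
    cat <<'EOF'
MgmtEth0/RSP1/0/0  Link encap: Ethernet  HWaddr 08:96:ad:22:7a:31
  BROADCAST MULTICAST   MTU:1500  Metric:1
EOF
}

capture_from_article | mgmt_if_report
```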
    

    Cisco experts say that only the ASR 9000 platform is vulnerable. Other company solutions running 64-bit Cisco IOS XR are not affected. At the same time, the company has not yet recorded any attempts to carry out an attack using CVE-2019-1710.

    How to close it


    Cisco has published a patch that fixes CVE-2019-1710 as part of IOS XR versions 6.5.3 and 7.0.1. The update is available free of charge for all organizations with an up-to-date license for the operating system (and those who bought it earlier).

    There is an alternative option: a workaround that completely eliminates the vulnerability. First, connect to the admin virtual machine:

    RP/0/RSP1/CPU0:eXR#admin
    Tue Mar 12 22:46:37.110 UTC
    root connected from 127.0.0.1 using console on host
    

    Then run Bash and edit the calvados_bootstrap.cfg configuration file:

    sysadmin-vm:0_RSP1:eXR# run bash
    Tue Mar 12 22:46:44.224 UTC
    bash-4.3# vi /etc/init.d/calvados_bootstrap.cfg
    

    In the following two lines, remove the # sign and save the file.

    #CTRL_VRF=0
    #MGMT_VRF=2
    

    If the router has two RSPs, the # must be removed in the configuration on each of them. Then restart the virtual machine:

    sysadmin-vm:0_RSP1:eXR# reload admin location 0/RSP1
    Tue Mar 12 22:49:28.589 UTC
    Reload node ? [no,yes] yes
    result Admin VM graceful reload request on 0/RSP1 succeeded.
    sysadmin-vm:0_RSP1:eXR# RP/0/RSP1/CPU0:Mar 12 22:49:34.059 UTC: rmf_svr[402]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :RP-RED-LOST-ADMINNR :DECLARE :0/RSP1/CPU0:
    Confd is down
    RP/0/RSP1/CPU0:eXR#
    

    It should return the following message:

    RP/0/RSP1/CPU0:eXR#0/RSP1/ADMIN0:Mar 12 22:59:30.220 UTC: envmon[3680]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :Power Module redundancy lost :DECLARE :0:
    RP/0/RSP1/CPU0:Mar 12 22:59:33.708 UTC: rmf_svr[402]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :RP-RED-LOST-ADMINNR :CLEAR :0/RSP1/CPU0:
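
    To confirm that the edit from the steps above was made on each RSP, a copy of the file can be checked offline. The script below is an added example, not part of the article or of Cisco's tooling; only CTRL_VRF=0 and MGMT_VRF=2 come from the article, while the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cisco tooling): audit a copy of calvados_bootstrap.cfg for
# the two settings the workaround enables. Only CTRL_VRF=0 and MGMT_VRF=2 come
# from the article; function names and sample contents are illustrative.

# Prints "active", "commented" or "absent" for one KEY=VALUE setting in FILE.
setting_state() {
    if grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"; then echo active
    elif grep -Eq "^[[:space:]]*#+[[:space:]]*$2[[:space:]]*\$" "$1"; then echo commented
    else echo absent
    fi
}

# Prints "applied" only when both settings are active, otherwise "not-applied".
workaround_state() {
    if [ "$(setting_state "$1" 'CTRL_VRF=0')" = active ] &&
       [ "$(setting_state "$1" 'MGMT_VRF=2')" = active ]; then
        echo applied
    else
        echo not-applied
    fi
}

# Uncomments both settings; keeps the first original as FILE.orig; idempotent.
apply_workaround() {
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig" || return 1
    sed -E 's/^[[:space:]]*#+[[:space:]]*((CTRL_VRF=0|MGMT_VRF=2)[[:space:]]*)$/\1/' \
        "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# Constructed sample standing in for a copy of the real file.
make_sample_cfg() {
    printf '%s\n' '# constructed sample' 'SOME_OTHER_KEY=1' \
        '#CTRL_VRF=0' '#MGMT_VRF=2' > "$1"
}

demo() {
    dir=$(mktemp -d) && cfg="$dir/calvados_bootstrap.cfg"
    make_sample_cfg "$cfg"
    echo "before: $(workaround_state "$cfg")"
    apply_workaround "$cfg"
    echo "after:  $(workaround_state "$cfg")"
    rm -rf "$dir"
}
demo
```

    A file that reports "applied" only shows that the edit is in place; as the steps above say, the admin virtual machine still has to be reloaded on each RSP.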
    

    What else was patched


    In parallel with the patch for CVE-2019-1710, the IT giant released twenty more patches for less critical vulnerabilities. They included six bugs in IAPP (Inter-Access Point Protocol), as well as bugs in the WLC (Wireless LAN Controller) interface and Cisco VCS Expressway.

    The list of products with patches includes: UCS B-Series Blade Servers, Cisco Umbrella, DNA Center, Registered Envelope Service, Directory Connector, Prime Network Registrar, etc. A full list can be found on the official website.



    Also in early May, the corporation's developers closed another vulnerability in ASR 9000 and Cisco IOS XR. It is associated with the PIM (Protocol Independent Multicast) function, which handles multicast routing. The bug (it received the identifier CVE-2019-1712) allows an attacker to remotely restart a PIM process and conduct a DoS attack.

    In addition, the developers have published a series of warnings regarding previously fixed vulnerabilities. Some of them, according to information security experts, are used by the Sea Turtle hacker group in its DNS attacks. Engineers promised to monitor the situation and publish fresh updates.



    ITGLOBAL.COM is a provider of private and hybrid clouds, as well as other services aimed at developing the IT infrastructure of our customers.