What You Need to Know About Cisco's Latest Router Patch

    Not so long ago, the IT giant announced a critical vulnerability in the ASR 9000 system. Under the cut, we tell you what the essence of the bug is and how to patch it. Photo - ulleo - PD The vulnerability was found in ASR 9000 series routers running 64-bit IOS XR. This is a high-end equipment for data centers of telecommunication companies and mobile operators, which has a capacity of 400 Gbit / s per slot and supports 40G / 80G line cards.

    Vulnerabilities assigned identifier CVE-2019-1710 . She scored 9.8 out of 10 on a CVSS scale.

    This standard was developed by a group of information security experts from companies such as Microsoft, Cisco, CERT, IBM to assess the danger of bugs.

    Why is she dangerous

    The bug gives attackers the opportunity to gain unauthorized access to system applications on the administrator’s virtual machine. Hackers can remotely execute malicious code and conduct DoS attacks. According to Cisco engineers, the problem is that the secondary management interface (MGT LAN 1 on the route switch processor - RSP) is not properly isolated from the internal administrator applications. An attacker can exploit the vulnerability by connecting to one of them.

    To determine if there is a problem on your system, you need to log in to the sysadmin virtual machine and enter the show interface command in the console. If the secondary interface is connected (as in the answer below), then the router is vulnerable.

    sysadmin-vm:0_RSP1:eXR# show interface
    Tue Mar  19 19:32:00.839 UTC
    MgmtEth0/RSP1/0/0  Link encap: Ethernet  HWaddr 08:96:ad:22:7a:31
      inet  addr:
      RX packets:      14093 errors:0 dropped:1 overruns:0   frame:0
      TX packets:         49 errors:0 dropped:0 overruns:0 carrier:0
                             collisions:0 txqueuelen:1000
      RX bytes:                867463  TX bytes:                  6889

    Cisco experts say that only the ASR 9000 platform is vulnerable. Other company solutions running Cisco IOS-XR 64 bit are stable. At the same time, the company has not yet recorded attempts to conduct a hacker attack using CVE-2019-1710.

    How to close it

    Cisco has published a patch that fixes CVE-2019-1710 as part of IOS XR versions 6.5.3 and 7.0.1. The update is available free of charge for all organizations with an up-to-date license for the operating system (and those who bought it earlier).

    There is an alternative option - you can resort to a workaround that completely eliminates the vulnerability. First you need to connect to the admin virtual machine:

    Tue Mar 12 22:46:37.110 UTC
    root connected from using console on host

    Then run Bash and edit the calvados_bootstrap.cfg configuration file:

    sysadmin-vm:0_RSP1:eXR# run bash
    Tue Mar 12 22:46:44.224 UTC
    bash-4.3# vi /etc/init.d/calvados_bootstrap.cfg

    In the next two lines you need to remove the # sign and save the file.


    If the solution has two RSP systems, then # must be removed in the configuration of each of them. Then just restart the virtual machine:

    sysadmin-vm:0_RSP1:eXR# reload admin location 0/RSP1
    Tue Mar 12 22:49:28.589 UTC
    Reload node ? [no,yes] yes
    result Admin VM graceful reload request on 0/RSP1 succeeded.
    sysadmin-vm:0_RSP1:eXR# RP/0/RSP1/CPU0:Mar 12 22:49:34.059 UTC: rmf_svr[402]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :RP-RED-LOST-ADMINNR :DECLARE :0/RSP1/CPU0:
    Confd is down

    She will have to return the following message:

    RP/0/RSP1/CPU0:eXR#0/RSP1/ADMIN0:Mar 12 22:59:30.220 UTC: envmon[3680]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :Power Module redundancy lost :DECLARE :0:
    RP/0/RSP1/CPU0:Mar 12 22:59:33.708 UTC: rmf_svr[402]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :RP-RED-LOST-ADMINNR :CLEAR :0/RSP1/CPU0:

    What else patched

    In parallel with the patch for CVE-2019-1710, the IT giant has released twenty more patches for less critical vulnerabilities. It included six bugs in the IAPP (Inter-Access Point Protocol), as well as in the interface WLC (Wireless LAN Controller) and Cisco VCS Expressway.

    The list of products with patches includes: UCS B-Series Blade Servers, Cisco Umbrella, DNA Center, Registered Envelope Service, Directory Connector, Prime Network Registrar, etc. A full list can be found on the official website .

    Photos - Mel Clark - PD

    Also in early May, the developers of the corporation closedanother vulnerability in ASR 9000 and Cisco IOS XR. It is associated with the PIM (Protocol Independent Multicast) function, which solves the problem of multicast routing. A bug (it received the identifier CVE-2019-1712 ) allows an attacker to remotely restart a PIM process and conduct a DoS attack.

    In addition, the developers have published a series of warnings regarding previously fixed vulnerabilities. Some of them, according to information security experts, use the Sea Turtle hacker group for their DNS attacks. Engineers promised to monitor the situation and publish fresh updates.

    ITGLOBAL.COM  is a provider of private and hybrid clouds, as well as other services aimed at developing the IT infrastructure of our customers. What we write about in a corporate blog:

    Also popular now: