What you need to know about the latest Cisco patch for routers
Not so long ago, the IT giant announced a critical vulnerability in the ASR 9000 system. Under the cut, we tell you what the bug is and how to patch it.
Photo - ulleo - PD
Vulnerability found in the ASR 9000 series routers running 64-bit IOS XR. This is a high-end class equipment for data centers of telecommunications companies and mobile operators, which has a capacity of 400 Gbit / s per slot and supports 40G / 80G line cards.
')
This standard was developed by a group of information security specialists from companies such as Microsoft, Cisco, CERT, IBM to assess the danger of bugs.
The bug gives attackers the opportunity to gain unauthorized access to system applications on the admin virtual machine. Hackers can remotely execute malicious code and conduct DoS attacks. According to Cisco engineers, the problem is the inappropriate isolation of the secondary management interface (MGT LAN 1 on the route switch processor - RSP) from the internal administrator applications. An attacker can exploit a vulnerability by connecting to one of them.
To determine if there is a problem on your system, you need to log in to the sysadmin virtual machine and enter the show interface command in the console. If the secondary interface is connected (as in the answer below), then the router is vulnerable.
Cisco specialists say that only the ASR 9000 platform is vulnerable. Other solutions of the company running Cisco IOS-XR 64 bit are stable. In this case, the company has not yet recorded attempts to conduct a hacker attack using CVE-2019-1710.
Cisco experts have published a patch that fixes CVE-2019-1710 as part of IOS XR versions 6.5.3 and 7.0.1. The update is available free of charge for all organizations with the current license for the operating system (and those who bought it earlier).
There is also an alternative option - you can resort to a workaround, which completely eliminates the vulnerability. First you need to connect to the admin virtual machine:
Then run Bash and edit the calvados_bootstrap.cfg configuration file:
The next two lines need to remove the # sign and save the file.
If the solution has two RSP systems, then you need to remove # in the configuration of each of them. Then, just restart the virtual machine:
She will have to return the following message:
In parallel with the patch for CVE-2019-1710, the IT giant released twenty more “patches” for less critical vulnerabilities. There are six bugs in the IAPP (Inter-Access Point Protocol) protocol, as well as in the WLC interface (Wireless LAN Controller) and Cisco VCS Expressway.
The list of products with patches includes: UCS B-Series Blade Servers, Cisco Umbrella, DNA Center, Registered Envelope Service, Directory Connector, Prime Network Registrar, etc. The full list can be found on the official website .
Photo - Mel Clark - PD
Also in early May, the developers of the corporation have closed another ASR 9000 and Cisco IOS XR vulnerability. It is associated with the PIM (Protocol Independent Multicast) function, which solves the problem of multicast routing. The bug (it received the identifier CVE-2019-1712 ) allows an attacker to remotely restart the PIM process and conduct a DoS attack.
In addition, the developers have published a series of warnings regarding previously fixed vulnerabilities. Some of them, according to information security experts, are employed by the hacker group Sea Turtle for their DNS attacks. Engineers promised to monitor the situation and publish fresh updates.
ITGLOBAL.COM - provider of private and hybrid cloud, as well as other services aimed at the development of the IT infrastructure of our customers. What we write about in the corporate blog:
Photo - ulleo - PD
Vulnerability found in the ASR 9000 series routers running 64-bit IOS XR. This is a high-end class equipment for data centers of telecommunications companies and mobile operators, which has a capacity of 400 Gbit / s per slot and supports 40G / 80G line cards.
')
Vulnerabilities assigned ID CVE-2019-1710 . She scored 9.8 points out of 10 on the CVSS scale.
This standard was developed by a group of information security specialists from companies such as Microsoft, Cisco, CERT, IBM to assess the danger of bugs.
Why is she dangerous
The bug gives attackers the opportunity to gain unauthorized access to system applications on the admin virtual machine. Hackers can remotely execute malicious code and conduct DoS attacks. According to Cisco engineers, the problem is the inappropriate isolation of the secondary management interface (MGT LAN 1 on the route switch processor - RSP) from the internal administrator applications. An attacker can exploit a vulnerability by connecting to one of them.
To determine if there is a problem on your system, you need to log in to the sysadmin virtual machine and enter the show interface command in the console. If the secondary interface is connected (as in the answer below), then the router is vulnerable.
sysadmin-vm:0_RSP1:eXR# show interface Tue Mar 19 19:32:00.839 UTC MgmtEth0/RSP1/0/0 Link encap: Ethernet HWaddr 08:96:ad:22:7a:31 inet addr: 192.168.0.1 UP RUNNING BROADCAST MULTICAST MTU:1500 Metric:1 RX packets: 14093 errors:0 dropped:1 overruns:0 frame:0 TX packets: 49 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes: 867463 TX bytes: 6889 sysadmin-vm:0_RSP1:eXR# Cisco specialists say that only the ASR 9000 platform is vulnerable. Other solutions of the company running Cisco IOS-XR 64 bit are stable. In this case, the company has not yet recorded attempts to conduct a hacker attack using CVE-2019-1710.
How to close it
Cisco experts have published a patch that fixes CVE-2019-1710 as part of IOS XR versions 6.5.3 and 7.0.1. The update is available free of charge for all organizations with the current license for the operating system (and those who bought it earlier).
There is also an alternative option - you can resort to a workaround, which completely eliminates the vulnerability. First you need to connect to the admin virtual machine:
RP/0/RSP1/CPU0:eXR#admin Tue Mar 12 22:46:37.110 UTC root connected from 127.0.0.1 using console on host Then run Bash and edit the calvados_bootstrap.cfg configuration file:
sysadmin-vm:0_RSP1:eXR# run bash Tue Mar 12 22:46:44.224 UTC bash-4.3# vi /etc/init.d/calvados_bootstrap.cfg The next two lines need to remove the # sign and save the file.
#CTRL_VRF=0 #MGMT_VRF=2 If the solution has two RSP systems, then you need to remove # in the configuration of each of them. Then, just restart the virtual machine:
sysadmin-vm:0_RSP1:eXR# reload admin location 0/RSP1 Tue Mar 12 22:49:28.589 UTC Reload node ? [no,yes] yes result Admin VM graceful reload request on 0/RSP1 succeeded. sysadmin-vm:0_RSP1:eXR# RP/0/RSP1/CPU0:Mar 12 22:49:34.059 UTC: rmf_svr[402]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :RP-RED-LOST-ADMINNR :DECLARE :0/RSP1/CPU0: Confd is down RP/0/RSP1/CPU0:eXR# She will have to return the following message:
RP/0/RSP1/CPU0:eXR#0/RSP1/ADMIN0:Mar 12 22:59:30.220 UTC: envmon[3680]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :Power Module redundancy lost :DECLARE :0: RP/0/RSP1/CPU0:Mar 12 22:59:33.708 UTC: rmf_svr[402]: %PKT_INFRA-FM-3-FAULT_MAJOR : ALARM_MAJOR :RP-RED-LOST-ADMINNR :CLEAR :0/RSP1/CPU0: What else patch
In parallel with the patch for CVE-2019-1710, the IT giant released twenty more “patches” for less critical vulnerabilities. There are six bugs in the IAPP (Inter-Access Point Protocol) protocol, as well as in the WLC interface (Wireless LAN Controller) and Cisco VCS Expressway.
The list of products with patches includes: UCS B-Series Blade Servers, Cisco Umbrella, DNA Center, Registered Envelope Service, Directory Connector, Prime Network Registrar, etc. The full list can be found on the official website .
Photo - Mel Clark - PD
Also in early May, the developers of the corporation have closed another ASR 9000 and Cisco IOS XR vulnerability. It is associated with the PIM (Protocol Independent Multicast) function, which solves the problem of multicast routing. The bug (it received the identifier CVE-2019-1712 ) allows an attacker to remotely restart the PIM process and conduct a DoS attack.
In addition, the developers have published a series of warnings regarding previously fixed vulnerabilities. Some of them, according to information security experts, are employed by the hacker group Sea Turtle for their DNS attacks. Engineers promised to monitor the situation and publish fresh updates.
ITGLOBAL.COM - provider of private and hybrid cloud, as well as other services aimed at the development of the IT infrastructure of our customers. What we write about in the corporate blog:
- How to protect businesses from ransomware Trojans
- Why should a cloud provider client know about the reliability of a data center?
- Vitaly Gritsay: on the strategy of international development ITGLOBAL.COM
- How to protect against DDoS in the provider cloud
- NetApp AFF A300 DSS: Specifications and Inside View
Source: https://habr.com/ru/post/454472/
All Articles