Cisco has fixed a zero-day vulnerability in its IOS XR routers that allowed unauthenticated remote attackers to reach Redis instances running in the NOSi Docker container.
IOS XR runs on many Cisco routers, including the NCS 540 and 560 series, the NCS 5500, the 8000 series and the ASR 9000.
CVE-2022-20821 exists because the RPM check opens TCP port 6379 by default when it is activated. An attacker who connects to the Redis instance on that open port can write data to the in-memory database, write arbitrary files to the container's file system and retrieve information about the Redis database.
Fortunately, even an attacker who successfully exploits the vulnerability still cannot execute code remotely or compromise the integrity of the host system, because the Redis installation runs sandboxed in the container.
Although the problem affects only Cisco 8000 series routers with RPM verification installed and enabled, the manufacturer urges users to install the fixes or apply mitigations on devices running vulnerable software.
Earlier this month, Cisco became aware of attempts to exploit this vulnerability in the wild.
If the patch cannot be installed immediately, administrators are advised to disable RPM checking on vulnerable devices. To determine whether a device is vulnerable, run the docker ps command and check whether the NOSi container is listed.
Administrators can also use infrastructure access control lists (iACLs) to block port 6379, which attackers could otherwise use to reach the Redis installation.
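The iACL mitigation above, written out as an added IOS XR configuration example (this is not taken from Cisco's advisory). The interface names are placeholders; the trailing permit entries stand in for whatever infrastructure policy is already applied and must be merged with it rather than replacing it.

```cisco
! Added example, not Cisco's own configuration.
! Drops inbound TCP 6379 before it can reach the Redis listener in the
! NOSi container; everything else falls through to the existing policy.
ipv4 access-list INFRA-ACL-REDIS
 10 remark CVE-2022-20821 mitigation: block Redis port 6379 toward the router
 20 deny tcp any any eq 6379 log
 30 permit ipv4 any any
!
ipv6 access-list INFRA-ACL-REDIS-V6
 10 remark CVE-2022-20821 mitigation: block Redis port 6379 toward the router
 20 deny tcp any any eq 6379 log
 30 permit ipv6 any any
!
! Placeholder interface: apply on every interface from which untrusted
! hosts can reach the router, including the management interface.
interface HundredGigE0/0/0/0
 ipv4 access-group INFRA-ACL-REDIS ingress
 ipv6 access-group INFRA-ACL-REDIS-V6 ingress
!
```

ACL entries are evaluated in sequence-number order, so if an existing iACL already contains a broad permit, the deny for port 6379 has to sit before it or it will never match.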