CVE-2022-20821
Published: 26 May 2022
Summary
CVE-2022-20821 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Cisco IOS XR. Its CVSS base score is 6.5 (Medium).
Operationally, this CVE is ranked in the top 7.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
A vulnerability in the health check RPM of Cisco IOS XR Software allows unauthenticated remote access to a Redis instance running inside the NOSi container. The issue stems from the RPM opening TCP port 6379 by default when activated, exposing the database without authentication controls. The affected component is therefore the health-check functionality within IOS XR rather than the core routing stack.
An unauthenticated remote attacker can connect directly to the exposed Redis port and perform write operations against the in-memory database, write arbitrary files inside the container filesystem, or enumerate database metadata. Because the container is sandboxed, these actions do not extend to remote-code execution or compromise of the underlying IOS XR host.
Cisco’s security advisory at tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK details mitigation steps, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog.
EPSS scores rose from low values to a peak of 0.2041 before receding to the current 0.0884, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26071
Vulnerability details
A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.
- CWE(s): CWE-200
- KEV date added: 23 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization requirements before allowing any connection to the Redis TCP port 6379.
- SC-7 (Boundary Protection): restricts external network traffic to the container's exposed Redis port and prevents the default open-port behavior from reaching attackers.
- Disables or removes non-essential services, such as the health-check RPM that opens unauthenticated ports by default.
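The boundary-protection control above is easiest to verify after the fact with flow or firewall telemetry: any TCP session to port 6379 on an IOS XR device that did not originate from the management network means the RPM's default-open port is reachable from where it should not be. The script below is an added detection example written for this page, not Cisco's code or part of the advisory. It assumes a constructed NetFlow-style log format (`timestamp src_ip dst_ip dst_port proto`) and an assumed trusted management range of 10.0.0.0/8; both are placeholders to adapt to a real environment.

```python
"""Flag inbound TCP connections to the Redis port (6379) that come from
outside the trusted management network, as a detection for the exposure
described in CVE-2022-20821. Added example; log format and trusted range
are assumptions, not values from the advisory."""
from collections import Counter
from ipaddress import ip_address, ip_network

REDIS_PORT = 6379  # port the health-check RPM opens by default (per the advisory)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed management range (placeholder)

# Constructed sample flow records: timestamp, source IP, destination IP,
# destination port, protocol. 192.0.2.10 stands in for the IOS XR device.
SAMPLE_FLOWS = """\
2022-05-26T10:00:01Z 10.1.2.3 192.0.2.10 22 tcp
2022-05-26T10:00:05Z 198.51.100.7 192.0.2.10 6379 tcp
2022-05-26T10:00:06Z 198.51.100.7 192.0.2.10 6379 tcp
2022-05-26T10:00:09Z 10.1.2.3 192.0.2.10 6379 tcp
2022-05-26T10:00:12Z 203.0.113.5 192.0.2.10 6379 udp
2022-05-26T10:00:15Z 203.0.113.5 192.0.2.10 6379 tcp
"""


def parse_flow(line):
    """Split one whitespace-separated record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return {
        "ts": ts,
        "src": ip_address(src),
        "dst": ip_address(dst),
        "port": int(port),
        "proto": proto.lower(),
    }


def is_trusted(addr):
    """True when the source address lies inside an approved management range."""
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_redis_hits(text):
    """Return every TCP flow to REDIS_PORT whose source is not trusted.

    UDP records are ignored: Redis listens on TCP only, so a UDP probe to
    6379 cannot reach the database and would only add noise.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if (
            flow["proto"] == "tcp"
            and flow["port"] == REDIS_PORT
            and not is_trusted(flow["src"])
        ):
            hits.append(flow)
    return hits


def summarize(hits):
    """Count offending flows per source address for an alert summary."""
    return Counter(str(h["src"]) for h in hits)


if __name__ == "__main__":
    found = untrusted_redis_hits(SAMPLE_FLOWS)
    for src, count in summarize(found).items():
        print(f"ALERT: {count} TCP flow(s) to port {REDIS_PORT} from untrusted {src}")
```

On the constructed sample the script reports two flows from 198.51.100.7 and one from 203.0.113.5; the management-host connection and the UDP record are deliberately excluded. A zero result is only meaningful if the flow export actually covers the interfaces facing untrusted networks, so confirm collector coverage before treating silence as evidence the port is unreachable.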