xthuijs
Cisco Employee

hey all,

A recent publication from Cisco PSIRT went out regarding a vulnerability in the ASR9000 that was taken over by various news sites.

Since our team was directly involved with the detection of this item, I wanted to share a few more details, as I feel that the announcements and publications make it seem more severe than it really needs to be.

The issue surrounds the ability to crash the management plane through the secondary mgmt interface of the ASR9000.

The ASR9000 RSP has 2 mgmt interfaces, 0 and 1. In classic XR they are both bound to the XR control plane. In evolved XR (64-bit), port 0 is bound to the XR control plane; the second interface, "1", is bound to the admin plane.

It is very important to call out that this situation is confined to 64-bit eXR only for the ASR9000; it doesn't apply to classic 32-bit XR nor any other platform for that matter.

Also it is not very common to have the secondary mgmt ethernet configured or in use.

In addition to that, if it is configured and in use, it is not likely to be exposed to the internet.

Finally, the mgmt interfaces are not routed; that is, the fabric doesn't have access to these interfaces, nor do the mgmt interfaces have an ability to inject packets into the fabric.

I just wanted to give a bit more context to the item described and published: yes, we do acknowledge it is an issue, but realistically the exposure to it is limited based on the criteria mentioned above.

Hopefully it helps to put some context around the "scare" that may have been raised!!

Reach out if you need more clarification!

cheers!!

xander

----

Xander Thuijs CCIE6775

Distinguished Engineer Cisco SP Routing
