A recent publication from Cisco PSIRT went out regarding a vulnerability in the ASR9000 that was taken over by various news sites.
Since our team was directly involved with the detection of this item, I wanted to share a few more details, as I feel that the announcements and publications make it seem more severe than it really needs to be.
The issue surrounds the ability to crash the management plane through the secondary mgmt interface of the ASR9000.
The ASR9000 RSP has 2 mgmt interfaces, 0 and 1. In classic XR they are both bound to the XR control plane. In evolved XR (64-bit), port 0 is bound to the XR control plane and the second interface, "1", is bound to the admin plane.
It is very important to call out that this situation is confined to 64-bit eXR only for the ASR9000; it doesn't apply to classic 32-bit XR nor any other platform for that matter.
Also, it is not very common to have the secondary mgmt Ethernet configured or in use.
In addition to that, if it is configured and in use, it is not likely to be exposed to the internet.
Finally, the mgmt interfaces are not routed, that is, the fabric doesn't have access to these interfaces, nor do the mgmt interfaces have an ability to inject packets into the fabric.
I just wanted to give a bit more context to the item described and published: yes, we do acknowledge it is an issue, but realistically the exposure to it is limited based on the criteria mentioned above.
Hopefully it helps putting some context around the "scare" that may have been raised!