A recent publication from Cisco PSIRT went out regarding a vulnerability in the ASR9000 that was picked up by various news sites.
Since our team was directly involved with the detection of this item, I wanted to share a few more details, as I feel that the announcements and publications make it seem more severe than it really needs to be.
The issue surrounds the ability to crash the management plane through the secondary mgmt interface of the ASR9000.
The ASR9000 RSP has 2 mgmt interfaces, 0 and 1. In classic XR they are both bound to the XR control plane. In evolved XR (64-bit), port 0 is bound to the XR control plane, while the second interface, "1", is bound to the admin plane.
It is very important to call out that this situation is confined to 64-bit eXR only for the ASR9000; it doesn't apply to classic 32-bit XR nor any other platform for that matter.
Also it is not very common to have the secondary mgmt ethernet configured or in use.
In addition to that, if it is configured and in use, it is not likely to be exposed to the internet.
Finally, the mgmt interfaces are not routed; that is, the fabric doesn't have access to these interfaces, nor do the mgmt interfaces have the ability to inject packets into the fabric.
I just wanted to give a bit more context to the item described and published: yes, we do acknowledge it is an issue, but realistically the exposure to it is limited based on the criteria mentioned above.
Hopefully it helps put some context around the "scare" that may have been raised!