Cisco IOS XR Software Management Interface ACL Bypass Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 5.3 Security Advisory

TL;DR 📌

A medium-severity vulnerability in Cisco IOS XR Software allows an unauthenticated, remote attacker to bypass an IPv4 or IPv6 ACL attached to the management interface and reach the SSH, NETCONF, and gRPC services that the ACL is meant to restrict. Cisco advises upgrading to a fixed software release; customers who cannot upgrade should contact TAC to coordinate a workaround.

What happened 🕵️‍♂️

A vulnerability was identified in the management interface ACL processing feature of Cisco IOS XR Software. It allows an unauthenticated, remote attacker to bypass an ACL configured on the management interface and reach management services such as SSH, NETCONF, and gRPC from sources the ACL was meant to block. The root cause is that management-interface ACLs are not enforced for certain services handled by the Linux network stack within the Packet I/O infrastructure, so traffic destined for those services is never evaluated against the ACL. Only the ACL is bypassed: each service's own authentication still applies, which is consistent with the Medium (CVSS 5.3) rating rather than a full management-plane compromise.

Affected products 🖥️

The vulnerability affects the following Cisco platforms and IOS XR Software releases with an IPv4 or IPv6 ACL attached to the management interface:

  • 8000 Series Routers (Software image earlier than the first fixed release)
  • ASR 9000 Series Routers (Releases 24.1.1 and later but earlier than the first fixed release)
  • IOS XR White box (Releases 7.9.1 and later but earlier than the first fixed release)
  • IOS XRd vRouters (Software image earlier than the first fixed release)
  • IOS XRv 9000 Routers (Releases 24.1.1 and later but earlier than the first fixed release)
  • NCS 540 Series Routers (NCS540-iosxr base image) (Releases 7.9.1 and later but earlier than the first fixed release)
  • NCS 540 Series Routers (NCS540L-iosxr base image) (All releases earlier than the first fixed release)
  • NCS 560 Series Routers (Releases 24.2.1 and later but earlier than the first fixed release)
  • NCS 1010 Platforms (Software image earlier than the first fixed release)
  • NCS 1014 Platforms (Software image earlier than the first fixed release)
  • NCS 5500 Series Routers (Releases 7.9.1 and later but earlier than the first fixed release)
  • NCS 5700 Series Routers (NCS5700 base image earlier than the first fixed release)

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product | First Fixed Release | Notes
Cisco IOS XR Software Management Interface ACL Bypass Vulnerability | 25.2.1 | 25.1.1
Cisco IOS XR Software Management Interface ACL Bypass Vulnerability | 25.2.1 | Not affected

Confirm the first fixed release for your platform and release train with the Cisco Software Checker before scheduling the upgrade.
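As an added example that is not part of the Cisco advisory or of this page, the Python script below turns the affected-products list and the first-fixed release above into a repeatable exposure check. It parses constructed `show version` and `show running-config` text, decides whether the platform/release pair falls in the affected range, and reports any IPv4 or IPv6 ACL attached to a MgmtEth interface that the operator is relying on but that the bypass leaves ineffective for SSH, NETCONF, and gRPC. The platform keys, the 25.2.1 first-fixed threshold (taken from the table as given), the version regex, and the sample device output are all assumptions for illustration; verify the thresholds for your train against the Cisco advisory and Software Checker.

```python
"""Exposure check for the IOS XR management-interface ACL bypass.

Assumptions (not from the Cisco advisory): FIRST_FIXED, the platform keys
and the sample outputs below are illustrative placeholders.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release as read from the summary table (assumed; confirm with Cisco).
FIRST_FIXED: Version = (25, 2, 1)

# Lower bound of the affected range per platform, from the affected-products
# list. None means every release earlier than FIRST_FIXED is affected.
AFFECTED_FROM = {
    "8000": None,
    "ASR 9000": (24, 1, 1),
    "IOS XR White box": (7, 9, 1),
    "IOS XRd": None,
    "IOS XRv 9000": (24, 1, 1),
    "NCS 540 (NCS540-iosxr)": (7, 9, 1),
    "NCS 540 (NCS540L-iosxr)": None,
    "NCS 560": (24, 2, 1),
    "NCS 1010": None,
    "NCS 1014": None,
    "NCS 5500": (7, 9, 1),
    "NCS 5700": None,
}

# Services the advisory says the management-interface ACL does not cover.
BYPASSED_SERVICES = ("SSH", "NETCONF over SSH", "gRPC")

# Constructed sample output, not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XR Software, Version 24.2.1 LNT
Copyright (c) 2013-2024 by Cisco Systems, Inc.
"""

# Constructed sample config: the operator believes MGMT-IN limits SSH to
# 192.0.2.0/24, but on an affected release SSH/NETCONF/gRPC ignore it.
SAMPLE_RUNNING_CONFIG = """\
ipv4 access-list MGMT-IN
 10 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 20 deny ipv4 any any
!
interface MgmtEth0/RP0/CPU0/0
 ipv4 address 192.0.2.10 255.255.255.0
 ipv4 access-group MGMT-IN ingress
!
interface GigabitEthernet0/0/0/0
 ipv4 address 198.51.100.1 255.255.255.252
 ipv4 access-group EDGE-IN ingress
!
"""


def parse_version(show_version: str) -> Version:
    """Extract the IOS XR release from `show version` as an int tuple."""
    m = re.search(r"Cisco IOS XR Software, Version (\d+)\.(\d+)\.(\d+)", show_version)
    if not m:
        raise ValueError("no IOS XR version line found")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_release(platform: str, version: Version) -> bool:
    """True if this platform/release pair is inside the advisory's affected range."""
    if platform not in AFFECTED_FROM:
        raise KeyError(f"platform not in advisory list: {platform}")
    if version >= FIRST_FIXED:
        return False
    lower: Optional[Version] = AFFECTED_FROM[platform]
    return lower is None or version >= lower


def mgmt_interface_acls(running_config: str) -> dict:
    """Return {interface: [access-group lines]} for MgmtEth interfaces carrying an ACL."""
    result: dict = {}
    current = None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = name if name.startswith("MgmtEth") else None
        elif line.strip() == "!":
            current = None
        elif current and re.match(r"\s+ipv[46] access-group\s+\S+\s+(ingress|egress)", line):
            result.setdefault(current, []).append(line.strip())
    return result


def assess(platform: str, show_version: str, running_config: str) -> dict:
    """Combine release check and ACL presence into one exposure verdict."""
    version = parse_version(show_version)
    affected = is_affected_release(platform, version)
    acls = mgmt_interface_acls(running_config)
    exposed = affected and bool(acls)  # only matters if an ACL is relied upon
    return {
        "version": ".".join(map(str, version)),
        "affected_release": affected,
        "mgmt_acls": acls,
        "exposed": exposed,
        "not_filtered_by_acl": list(BYPASSED_SERVICES) if exposed else [],
    }


if __name__ == "__main__":
    print(assess("ASR 9000", SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG))
```

Feed each router's inventory platform plus its `show version` and `show running-config` output through `assess()`; a device with `exposed` set is one where an ACL the team believes is protecting the management plane is silently not applied to SSH, NETCONF, and gRPC, and belongs at the front of the upgrade queue.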

Workarounds 🧯

No workaround exists on affected releases for making an IPv4 or IPv6 ACL attached to the management interface block gRPC, SSH, or NETCONF over SSH; that enforcement only arrives with the fixed releases, so customers must migrate to one of them. Customers who cannot upgrade promptly should contact the Cisco Technical Assistance Center (TAC), which can coordinate an interim workaround.

Risk in context 🎯

The vulnerability carries a CVSS base score of 5.3 (Medium). It is exploitable by an unauthenticated, remote attacker, but what it defeats is the ACL that limits which sources may reach the management services, not the authentication those services enforce; the practical effect is that management-plane exposure falls back to whatever the services' own credentials and hardening provide. Exposure is driven by how reachable the management interface is: a management network already isolated from untrusted sources limits the impact, while a management interface reachable from untrusted networks does not. Remediate promptly by upgrading, or by contacting TAC for an interim workaround if an upgrade cannot be scheduled.

Fast facts ⚡

  • Vulnerability: Management interface ACL bypass in Cisco IOS XR Software
  • CVSS Score: 5.3 (Medium)
  • Exploitation: Unauthenticated, remote; no credentials needed to bypass the ACL, service authentication still applies
  • Affected Features: SSH, NETCONF (over SSH), gRPC
  • Remediation: Upgrade to a fixed release, or contact TAC for an interim workaround

For leadership 🧭

The Cisco IOS XR Software vulnerability presents a medium risk (CVSS 5.3): an unauthenticated attacker on any network that can reach a router's management interface can bypass the ACL meant to restrict who may reach SSH, NETCONF, and gRPC. Service authentication still applies, and no lateral movement or availability impact is noted, but the ACL is a control many teams rely on to contain management-plane exposure.

Remediation Ask: Upgrade to fixed software releases within 30 days to mitigate this risk.

Operational Impact: Upgrading will require a brief maintenance window, with no expected configuration drift.

Now / Next / Later:

  • Now: Identify affected devices and plan for upgrades.
  • Next: Execute software upgrades to fixed releases.
  • Later: Monitor for any updates or additional advisories from Cisco.