Table of Contents
May 3, 2022
|6m
How To Fix CVE-2022-20714- A Denial Of Service In ASR 9000 Series Routers
The network appliances manufacturer giant Cisco published an advisory on 13th April in which Cisco detailed a denial of service vulnerability in Cisco ASR 9000 Series Routers. The vulnerability tracked as CVE-2022-20714 is a high severity vulnerability with a CVSS score of 8.6 out of 10. The flaw allows an unauthenticated, remote attacker to cause the line card to reset on the vulnerable device. Since this flaw causes the Lightspeed-Plus line card to reset in the routers, resulting in a denial of service (DoS) condition for any traffic that traverses that line card in the affected devices. It is important to fix the CVE-2022-20714 vulnerability. Let’s see how to fix CVE-2022-20732, a denial of service in ASR 9000 series routers lightspeed-plus line card.
About Cisco ASR 9000 Series Aggregation Services Routers:
Cisco ASR 9000 Series Aggregation Services Routers are powerful networking devices that provide a range of advanced features for enhanced network performance and reliability. Designed for fast, high-bandwidth data transmissions, these routers deliver unparalleled throughput and scalability to meet the demands of today’s complex network environments.
With multiple modular line cards, Cisco ASR 9000 Series routers can support up to 320Gb/s capacity with unmatched density per unit size. They also offer a variety of modular port options, including 10GE ports, 100GE ports, optical interfaces, ethernet switching modules, and hundreds of other high-performance interface choices. This flexibility makes them well-suited for use in a wide range of applications, including enterprise WANs and data center interconnects.
Cisco ASR 9000 Series routers also offer a wealth of features for enhanced network security and resiliency. With support for Cisco IOS XR Software, they offer industry-leading levels of software stability and reliability. They also feature Cisco Quantum Flow Processors (QFPs) for advanced traffic management and quality of service (QoS) capabilities. And with integrated security features such as Cisco firewalls and intrusion prevention systems (IPS), they provide a robust solution for protecting your network against external threats.
Some key features of Cisco ASR 9000 routers include:
High throughput capacity to support large volumes of network traffic, with up to 128 GBps line card capacity across all slots.
Advanced routing capabilities, including support for a full suite of Layer 2 through Layer 7 protocols and integrated MPLS capabilities.
Flexible modular design that allows you to scale your network capacity by simply adding more bandwidth or capabilities as your needs evolve.
Robust security features, including integrated firewall, IPS, and VPN capabilities that help to protect your network from external threats.
Whether you’re looking to upgrade your existing network infrastructure or build a new one from scratch, Cisco ASR 9000 Series Aggregation Services Routers are an ideal choice for high-performance networking. With their advanced features and flexibility, they can help you meet the challenges of today’s complex network environments.
Summary Of CVE-2022-20714:
This is a denial of service vulnerability in the data plane microcode of Lightspeed-Plus line cards of Cisco ASR 9000 Series Routers. The flaw is due to the improper procession of malformed packets that are received on the Lightspeed-Plus line cards. This flaw is easy to exploit just by sending a crafted IPv4 or IPv6 packet through an affected device and allows an unauthenticated, remote attacker to cause the line card to reset and create a denial of service condition for any traffic that traverses that line card.
| Associated CVE ID | CVE-2022-20714 |
| Description | A denial of service in ASR 9000 series routers lightspeed-plus line card. |
| Associated ZDI ID | – |
| CVSS Score | 8.6 High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Changed |
| Confidentiality (C) | None |
| Integrity (I) | None |
| availability (a) | High |
Products Affected By CVE-2022-20714:
The flaw affects Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers if these products run Cisco IOS XR 64-bit Software v7.3 and earlier with a Lightspeed-Plus-based line card installed on it.
List of products affected by CVE-2022-20714 are:
Cisco ASR 9000 Series Aggregation Services Routers
ASR 9902 Compact High-Performance Routers
ASR 9903 Compact High-Performance Routers
List of Lightspeed-Plus-based line card affected by CVE-2022-20714 are:
A9K-4HG-FLEX-SE
A9K-4HG-FLEX-TR
A9K-8HG-FLEX-SE
A9K-8HG-FLEX-TR
A9K-20HG-FLEX-SE
A9K-20HG-FLEX-TR
A99-4HG-FLEX-SE
A99-4HG-FLEX-TR
A99-10X400GE-X-SE
A99-10X400GE-X-TR
A99-32X100GE-X-SE
A99-32X100GE-X-TR
Products Safe From CVE-2022-20714:
The vendor has confirmed that these below products are not affected by the flaw:
IOS Software
IOS XE Software
IOS XR Platforms not listed in the Vulnerable Products section of this advisory
NX-OS Software
How To Determine Your Device Is Vulnerable To CVE-2022-20714?
There are two checks to validate your device is vulnerable:
Check the version of Cisco IOS XR. If your IOS is less than or equal to v7.3, then the product is vulnerable.
Check which Line Cards are installed on your devices. You can refer the ‘Products Affected’ section to see the list of vulnerable Line Cards.
Run these command to see the Cisco IOS version and Line Card module installed on the device:
# show version
# show platformHow To Validate If your Device Is Exploited?
Search this log in the logs of the device. You device would be exploited if you see this log.
npu_server[351]: %PLATFORM-NP-4-HARD_RESET_START : NP0: Performing recovery action for an internal network processor error. (PA2REG.ppe_int1)How To Fix CVE-2022-20714- A Denial Of Service In ASR 9000 Series Routers?
Cisco has released free software updates to fix the CVE-2022-20714 flaw. We recommend upgrading the IOS version to 7.4 and later.
| Cisco IOS XR Software Release | First Fixed Release |
|---|---|
| 7.0 and earlier | Not vulnerable. |
| 7.1 | Vulnerable; migrate to a fixed release or apply an SMU or Service Pack. |
| 7.2 | Not vulnerable; no ASR9K support. |
| 7.3 | 7.3.2 |
| 7.4 and later | Not affected. |
SMUs for v 7.1:
| Cisco IOS XR Software Release | Platform | SMU Name |
|---|---|---|
| 7.1.2 | ASR9K-X64 | asr9k-x64-7.1.2.CSCvy48962 |
| 7.1.3 | ASR9K-X64 | asr9k-x64-7.1.3.CSCvz75757 |
Service pack for v7.1 with SMU:
| Cisco IOS XR Software Release | Platform | Service Pack Name |
|---|---|---|
| 7.1.2 | ASR9K-X64 | asr9k-px-7.1.2.k9-sp1.tar |
We hope this post would help you know how to fix CVE-2022-20732, a denial of service in ASR 9000 series routers lightspeed-plus line card. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
