How to Fix CVE-2022-20714- A Denial of Service in ASR 9000 Series Routers

The network appliance giant Cisco published an advisory on 13th April detailing a denial of service vulnerability in Cisco ASR 9000 Series Routers. The vulnerability, tracked as CVE-2022-20714, is a high severity flaw with a CVSS score of 8.6 out of 10. It allows an unauthenticated, remote attacker to cause a line card on the vulnerable device to reset. Because a reset of the Lightspeed-Plus line card results in a denial of service (DoS) condition for any traffic that traverses that line card, it is important to fix CVE-2022-20714. Let’s see how to fix CVE-2022-20714, a denial of service in the ASR 9000 Series Routers Lightspeed-Plus line card.

About Cisco ASR 9000 Series Aggregation Services Routers:

Cisco ASR 9000 Series Aggregation Services Routers are powerful networking devices that provide a range of advanced features for enhanced network performance and reliability. Designed for fast, high-bandwidth data transmissions, these routers deliver unparalleled throughput and scalability to meet the demands of today’s complex network environments.

With multiple modular line cards, Cisco ASR 9000 Series routers can support up to 320Gb/s capacity with unmatched density per unit size. They also offer a variety of modular port options, including 10GE ports, 100GE ports, optical interfaces, ethernet switching modules, and hundreds of other high-performance interface choices. This flexibility makes them well-suited for use in a wide range of applications, including enterprise WANs and data center interconnects.

Cisco ASR 9000 Series routers also offer a wealth of features for enhanced network security and resiliency. With support for Cisco IOS XR Software, they offer industry-leading levels of software stability and reliability. They also feature Cisco Quantum Flow Processors (QFPs) for advanced traffic management and quality of service (QoS) capabilities. And with integrated security features such as Cisco firewalls and intrusion prevention systems (IPS), they provide a robust solution for protecting your network against external threats.

Some key features of Cisco ASR 9000 routers include:

  • High throughput capacity to support large volumes of network traffic, with up to 128 GBps line card capacity across all slots.
  • Advanced routing capabilities, including support for a full suite of Layer 2 through Layer 7 protocols and integrated MPLS capabilities.
  • Flexible modular design that allows you to scale your network capacity by simply adding more bandwidth or capabilities as your needs evolve.
  • Robust security features, including integrated firewall, IPS, and VPN capabilities that help to protect your network from external threats.

Whether you’re looking to upgrade your existing network infrastructure or build a new one from scratch, Cisco ASR 9000 Series Aggregation Services Routers are an ideal choice for high-performance networking. With their advanced features and flexibility, they can help you meet the challenges of today’s complex network environments.

Summary Of CVE-2022-20714:

This is a denial of service vulnerability in the data plane microcode of the Lightspeed-Plus line cards of Cisco ASR 9000 Series Routers. The flaw is due to improper processing of malformed packets received on the Lightspeed-Plus line cards. It can be exploited simply by sending a crafted IPv4 or IPv6 packet through an affected device, allowing an unauthenticated, remote attacker to cause the line card to reset and create a denial of service condition for any traffic that traverses that line card.

Associated CVE ID: CVE-2022-20714
Description: A denial of service in ASR 9000 Series Routers Lightspeed-Plus line card.
CVSS Score: 8.6 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilege Required (PR): None
User Interaction (UI): None
Scope: Changed
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Products Affected By CVE-2022-20714:

The flaw affects Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers if they run Cisco IOS XR 64-bit Software v7.3 and earlier with a Lightspeed-Plus-based line card installed.

The products affected by CVE-2022-20714 are:

  • Cisco ASR 9000 Series Aggregation Services Routers
  • ASR 9902 Compact High-Performance Routers
  • ASR 9903 Compact High-Performance Routers

The Lightspeed-Plus-based line cards affected by CVE-2022-20714 are:

  • A9K-4HG-FLEX-SE
  • A9K-4HG-FLEX-TR
  • A9K-8HG-FLEX-SE
  • A9K-8HG-FLEX-TR
  • A9K-20HG-FLEX-SE
  • A9K-20HG-FLEX-TR
  • A99-4HG-FLEX-SE
  • A99-4HG-FLEX-TR
  • A99-10X400GE-X-SE
  • A99-10X400GE-X-TR
  • A99-32X100GE-X-SE
  • A99-32X100GE-X-TR

Products Safe From CVE-2022-20714:

The vendor has confirmed that the following products are not affected by the flaw:

  • IOS Software
  • IOS XE Software
  • IOS XR Platforms not listed in the Vulnerable Products section of this advisory
  • NX-OS Software

How To Determine Whether Your Device Is Vulnerable To CVE-2022-20714?

There are two checks to validate whether your device is vulnerable:

  1. Check the version of Cisco IOS XR. If the release is 7.3 or earlier, the product is vulnerable (see the fixed-release table in the fix section for the exact releases).
  2. Check which line cards are installed on your devices. Refer to the ‘Products Affected’ section for the list of vulnerable line cards.

Run these commands to see the Cisco IOS XR version and the line card modules installed on the device:

# show version

# show platform

How To Validate Whether Your Device Has Been Exploited?

Search the device logs for the following message. If it appears in the logs, your device has been exploited.

npu_server[351]: %PLATFORM-NP-4-HARD_RESET_START : NP0: Performing recovery action for an internal network processor error. (PA2REG.ppe_int1)
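As an added example (not part of the original post and not Cisco tooling), the following Python script applies the two vulnerability checks above and the log search to captured show version, show platform and syslog text. The sample output embedded in it is constructed, not taken from a real device, and the column layout of show platform is an assumption; the version logic follows the fixed-release table given in the fix section of this post.

```python
import re

# Affected Lightspeed-Plus line card PIDs, copied from the list in this post.
AFFECTED_LINE_CARDS = {
    "A9K-4HG-FLEX-SE", "A9K-4HG-FLEX-TR", "A9K-8HG-FLEX-SE", "A9K-8HG-FLEX-TR",
    "A9K-20HG-FLEX-SE", "A9K-20HG-FLEX-TR", "A99-4HG-FLEX-SE", "A99-4HG-FLEX-TR",
    "A99-10X400GE-X-SE", "A99-10X400GE-X-TR", "A99-32X100GE-X-SE", "A99-32X100GE-X-TR",
}
# Syslog mnemonic from the message quoted above that indicates a line card reset.
RESET_SIGNATURE = "%PLATFORM-NP-4-HARD_RESET_START"

# Constructed sample output (not captured from a real device); the column layout is assumed.
SAMPLE_SHOW_VERSION = "Cisco IOS XR Software, Version 7.3.1\nCopyright (c) 2013-2021 by Cisco Systems, Inc.\n"
SAMPLE_SHOW_PLATFORM = """Node              Type                       State             Config state
0/RSP0/CPU0       A9K-RSP880-SE(Active)      IOS XR RUN        NSHUT
0/0/CPU0          A9K-8HG-FLEX-TR            IOS XR RUN        NSHUT
"""
SAMPLE_LOG = """RP/0/RSP0/CPU0:Apr 14 10:05:40.551 UTC: sample[100]: %SAMPLE-6-INFO : constructed benign line
LC/0/0/CPU0:Apr 14 10:05:41.120 UTC: npu_server[351]: %PLATFORM-NP-4-HARD_RESET_START : NP0: Performing recovery action for an internal network processor error. (PA2REG.ppe_int1)
"""

def parse_version(show_version):
    """Return (major, minor, patch) from the 'Cisco IOS XR Software, Version X.Y.Z' line."""
    m = re.search(r"IOS XR Software, Version (\d+)\.(\d+)(?:\.(\d+))?", show_version)
    if not m:
        raise ValueError("IOS XR version line not found")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def release_status(version):
    """Classify a release per the fixed-release table: not_vulnerable, vulnerable or fixed."""
    major, minor, patch = version
    if (major, minor) <= (7, 0) or (major, minor) == (7, 2) or (major, minor) >= (7, 4):
        return "not_vulnerable"
    if (major, minor) == (7, 1):
        return "vulnerable"  # needs the 7.1 SMU/service pack; cannot be confirmed from 'show version'
    return "fixed" if patch >= 2 else "vulnerable"  # 7.3.x: first fixed release is 7.3.2

def affected_cards(show_platform):
    """Return the affected line card PIDs present in 'show platform' output."""
    found = set(re.findall(r"\bA9[9K]-[0-9A-Z-]+", show_platform))
    return sorted(found & AFFECTED_LINE_CARDS)

def is_vulnerable(show_version, show_platform):
    """Exposed only when a vulnerable release runs with an affected line card installed."""
    return release_status(parse_version(show_version)) == "vulnerable" and bool(affected_cards(show_platform))

def reset_events(log_text):
    """Return the log lines carrying the NP hard-reset message quoted in this post."""
    return [line for line in log_text.splitlines() if RESET_SIGNATURE in line]
```

A 7.1.x device is reported as vulnerable even if the SMU has been installed, because show version alone does not reveal that; confirm the SMU separately.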

How To Fix CVE-2022-20714- A Denial Of Service In ASR 9000 Series Routers?

Cisco has released free software updates to fix the CVE-2022-20714 flaw. We recommend upgrading the IOS XR version to 7.4 or later.

Cisco IOS XR Software Release    First Fixed Release
7.0 and earlier                  Not vulnerable.
7.1                              Vulnerable; migrate to a fixed release or apply an SMU or Service Pack.
7.2                              Not vulnerable; no ASR9K support.
7.3                              7.3.2
7.4 and later                    Not affected.

SMUs for v7.1:

Cisco IOS XR Software Release    Platform     SMU Name
7.1.2                            ASR9K-X64    asr9k-x64-7.1.2.CSCvy48962
7.1.3                            ASR9K-X64    asr9k-x64-7.1.3.CSCvz75757

Service pack for v7.1 with SMU:

Cisco IOS XR Software Release    Platform     Service Pack Name
7.1.2                            ASR9K-X64    asr9k-px-7.1.2.k9-sp1.tar

We hope this post helps you fix CVE-2022-20714, a denial of service in the ASR 9000 Series Routers Lightspeed-Plus line card. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
