Cisco whispers the three little words to really get an ASR 9000 net admin's blood pumping: Remote unauthenticated access
Critical patch available now for those with vulnerable kit
Cisco has issued a security patch for a flaw in some of its routers that can be exploited by miscreants to potentially rifle through telecommunications networks.
Switchzilla says the vulnerable kit – the ASR 9000, a family of high-end gear aimed at carrier and telco edge deployments – can, in certain circumstances, be hijacked by unauthenticated hackers if they can reach it across the internet or internal network.
According to the US tech giant, the flaw lies within the system administration virtual machine used by the devices' IOS XR 64-bit operating system:
A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin VM.
The vulnerability is due to incorrect isolation of the secondary management interface from internal sysadmin applications. An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device.
It went on to clarify:
This vulnerability affects Cisco ASR 9000 Series Aggregation Services Routers that are running an affected version of Cisco IOS XR 64-bit Software and have the secondary management interface (physically MGT LAN 1 on the route switch processor (RSP)) connected and configured.
The best way to address the flaw is to install the latest version of the IOS XR firmware (6.5.3 or 7.0.1). The update is available for free to organizations running a supported and previously or currently licensed version of IOS.
Admins who are unable to get the patch can also lock down their routers by editing the calvados_bootstrap.cfg file within the sysadmin VM:
Should be changed to
Cisco notes that no other router models or firmware versions are vulnerable, and no attacks on the flaw have been reported in the wild yet. Chipzilla credits its own internal testing for discovering the flaw, designated CVE-2019-1710.
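For admins working through an inventory, the two questions the advisory raises are whether a box is on a release older than the fixed ones (6.5.3 or 7.0.1) and whether the secondary management port is actually configured, since the bug only bites when both hold. The following triage helper is an added example and not Cisco's code or anything from the advisory; it assumes that releases earlier than the fixed one in each train need the patch, that the version string looks like IOS XR's "show version" banner, and that MGT LAN 1 shows up in the running configuration under the hypothetical interface name MgmtEth0/RSP0/CPU0/1. The sample outputs are constructed for the example.

```python
"""Triage helper for the ASR 9000 sysadmin-VM isolation flaw (CVE-2019-1710).

Added example, not Cisco's code. Assumptions not stated on the page:
  * fixed releases are 6.5.3 for the 6.x train and 7.0.1 for the 7.x train,
    and earlier releases in those trains are treated as needing the patch;
  * the secondary management port (MGT LAN 1) appears in the running
    configuration as an interface named MgmtEth0/RSP0/CPU0/1 (hypothetical
    name chosen for this example).
"""
import re

FIXED_RELEASES = {6: (6, 5, 3), 7: (7, 0, 1)}
SECONDARY_MGMT = "MgmtEth0/RSP0/CPU0/1"  # assumed name for MGT LAN 1


def parse_version(show_version: str) -> tuple:
    """Extract the IOS XR release as an (major, minor, patch) tuple."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", show_version)
    if not m:
        raise ValueError("no IOS XR version found in output")
    return tuple(int(x) for x in m.groups())


def needs_patch(version: tuple):
    """True if below the fixed release of its train, False if at or above it,
    None if the train is not one the advisory names (check it by hand)."""
    fixed = FIXED_RELEASES.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def secondary_mgmt_configured(running_config: str) -> bool:
    """True if the secondary management interface carries an address and is
    not shut down, i.e. the 'connected and configured' precondition."""
    block = re.search(
        rf"^interface {re.escape(SECONDARY_MGMT)}\n((?: .*\n)*)",
        running_config,
        re.M,
    )
    if not block:
        return False
    body = block.group(1)
    return "ipv4 address" in body and "shutdown" not in body


def triage(show_version: str, running_config: str) -> dict:
    """Combine the version and configuration checks into one verdict."""
    version = parse_version(show_version)
    patch = needs_patch(version)
    exposed = secondary_mgmt_configured(running_config)
    if patch and exposed:
        action = "upgrade or apply workaround"
    elif patch:
        action = "upgrade at next window"
    elif patch is False:
        action = "no action per advisory"
    else:
        action = "check advisory manually"
    return {
        "version": ".".join(str(x) for x in version),
        "needs_patch": patch,
        "secondary_mgmt_configured": exposed,
        "action": action,
    }


# Constructed sample outputs (not captured from real devices).
SHOW_VERSION_VULNERABLE = "Cisco IOS XR Software, Version 6.5.2\nCopyright (c) 2013-2019 by Cisco Systems, Inc.\n"
SHOW_VERSION_FIXED = "Cisco IOS XR Software, Version 7.0.1\nCopyright (c) 2013-2019 by Cisco Systems, Inc.\n"

CONFIG_WITH_SECONDARY = """hostname asr9k-edge-1
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 192.0.2.10 255.255.255.0
!
interface MgmtEth0/RSP0/CPU0/1
 ipv4 address 198.51.100.10 255.255.255.0
!
"""

CONFIG_WITHOUT_SECONDARY = """hostname asr9k-edge-2
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 192.0.2.11 255.255.255.0
!
interface MgmtEth0/RSP0/CPU0/1
 shutdown
!
"""

if __name__ == "__main__":
    print(triage(SHOW_VERSION_VULNERABLE, CONFIG_WITH_SECONDARY))
    print(triage(SHOW_VERSION_FIXED, CONFIG_WITHOUT_SECONDARY))
```

A box on 6.5.2 with MGT LAN 1 addressed comes back as "upgrade or apply workaround"; the same release with the port shut down still needs the upgrade but is not exposed through this bug, and a 7.0.1 box is clean. Releases outside the 6.x and 7.x trains return None from needs_patch so they are flagged for a manual look rather than silently passed.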
In a separate bulletin, Cisco notified admins that a 2017 vulnerability in IOS was among those exploited by the Sea Turtle hacker crew behind DNS-based cyber-attacks on the Middle East and North Africa. ®