Re: Catalyst 4500 listening on TCP 6154 on all interfaces

[Dario Ciccarone <dciccaro () cisco com>]

NANOG mailing list subscribers:

    Hi there. My name is Dario Ciccarone and I work as an Incident
Manager on the Cisco PSIRT. The Cisco Product Security Incident Response
Team (PSIRT) is responsible for responding to Cisco product security
incidents. The Cisco PSIRT is a dedicated, global team that manages the
receipt, investigation, and public reporting of information about
security vulnerabilities and issues related to Cisco products and
networks. Cisco defines a security vulnerability as an unintended
weakness in a product that could allow an attacker to compromise the
integrity, availability, or confidentiality of the product.

    Frederic's email caught our attention, and we would like to provide
some additional context and answers to the behavior by him observed. The
issue observed by Frederic (port 6154/tcp showing up in LISTEN state on
some IOS XE releases) is documented on Cisco bug ID CSCut14378, with the
title "Port 6154/tcp (XTF Agent) shown in LISTEN state on some Cisco IOS
XE releases". The details of this bug can be found on our Bug Search
Tool at the following URL:

    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut14378

    While access to the Bug Search Tool is generally offered as part of
a support contract and requires of an account on cisco.com, Cisco users
*without a support contract* can register for a Guest account by filling
the form at the following URL:

    https://idreg.cloudapps.cisco.com/idreg/register.do

    This guest account will provide limited privileges on cisco.com -
but enough to be able to access the Bug Search Tool and read the
complete Release Note Enclosure for the bug in question. For those NANOG
members that would prefer not to register for a Guest account with Cisco
- I will be providing the full Release Note Enclosure text at the end of
this email.

    I would also like to use this opportunity to invite the NANOG
subscribers to reach out to the Cisco PSIRT whenever you observe a
behavior on a Cisco device that may create a concern in regards to the
device's general security posture. The Cisco PSIRT can be reached by
email at psirt () cisco com - additional information on how to reach us can
be found at the following URL:

   
https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html#roosfassv

    Thanks,

    Dario

Dario Ciccarone <dciccaro () cisco com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

CSCut14378, - "Port 6154/tcp (XTF Agent) shown in LISTEN state on some
Cisco IOS XE releases"

*Symptom:*
The output of the "show tcp brief all" command or the "show ip ports
all" command on a Cisco device running a subset of Cisco IOS XE releases
may show port 6154/tcp in LISTEN state.

Example output from "show tcp brief all" exhibiting this behavior:

IOS-XE#show tcp brief all
TCB       Local Address               Foreign Address             (state)
386F0098  10.122.163.49.23           10.118.116.244.59674        ESTAB
3D639184  10.122.163.49.23           10.118.116.244.59671        TIMEWAIT
38720150  0.0.0.0.4786               *.*                         LISTEN
3D4B6A78  0.0.0.0.6154               *.*                         LISTEN
3A7CC28C  ::.443                     *.*                         LISTEN
391EDBF4  0.0.0.0.443                *.*                         LISTEN
3C8C480C  ::.80                      *.*                         LISTEN
39B48F38  0.0.0.0.80                 *.*                         LISTEN
9626:37  192.168.1.1.9010       0.0.0.0.*             LISTEN
IOS-XE#

Example output from "show ip ports all" exhibiting this behavior:
(truncated)

IOS-XE#show ip ports all
tcp   *:6154                     *:*                         LISTEN     
309/[IOS]XTF Agent
IOS-XE#

*Conditions:*
No special conditions.

*Workaround:*
There are no workarounds needed.

*Further Problem Description:*
The Cisco XTF (Cross-OS Test Framework) is a Cisco internal tool to
perform product testing during development. Due to an issue with a build
tool, a limited number of Cisco IOS XE releases were shipped with an
embedded Cisco XTF Agent.

The Cisco XTF Agent accepts connections from the XTF manager on port
6154/TCP. It is important to note that even if the "Local Address" and
"Foreign Address" are shown as wildcards  on the output of the "show tcp
brief all" command or the "show ip ports all" command (which would imply
the XTF Agent listens on all interfaces, and would accept connections
from any remote source IP address), the XTF Agent is started up with a
set of socket options that only allows it to accept connections sourced
from the Cisco IOS XE Internal VRF. The Cisco IOS XE Internal VRF is
used for internal inter-process communications and is not accessible
from outside the box nor from any other VRF on the box.

Attempts to connect to port 6154/TCP coming from any other VRF on the
box (no VRF, default VRF, Management VRF or any user-defined VRFs) will
be answered with a TCP RST, tearing down the connection. There is no way
to establish a TCP connection to the XTF Agent from outside the internal
VRF.

The following is a complete list of all Cisco IOS XE releases that
shipped with an embedded XTF Agent and will show port 6154/TCP as being
on LISTEN state when executing a "show tcp brief all" command :

* 3.2.0SE, 3.2.1SE, 3.2.2SE, 3.2.3SE
* 3.3.0SE, 3.3.1SE, 3.3.2SE, 3.3.3SE, 3.3.4SE, 3.3.5SE
* 3.5.0E, 3.5.1E, 3.5.2E, 3.5.3E
* 3.6.0E, 3.6.0aE, 3.6.0bE, 3.6.1E, 3.6.2E, 3.6.2aE, 3.6.3E, 3.6.4E,
3.6.5E, 3.6.5aE, 3.6.6E, 3.6.7E, 3.6.7aE, 3.6.7bE, 3.6.8E, 3.6.9E
* 3.7.0E, 3.7.1E

*PSIRT Evaluation:*
The Cisco PSIRT has evaluated this issue and does not meet the criteria
for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change
in the severity of this issue, please contact psirt () cisco com for
another evaluation.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

PSIRT-0353552144


On 5/3/18 12:51 AM, frederic.jutzet () sig-telecom net wrote:
> Hi,
>
> We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2
> which have TCP port 6154 listening on all interfaces.
>
> Any idea what it could be ?
>
> #show tcp brief all
> TCB       Local Address               Foreign Address             (state)
> ...
> 5A529430  0.0.0.0.6154        <<<<<<<<<<<<<<<<
>
>
> #show tcp tcb 5A529430
> Connection state is LISTEN, I/O status: 1, unread input bytes: 0           
> Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
> Local host: 0.0.0.0, Local port: 6154
> Foreign host: UNKNOWN, Foreign port: 0
> Connection tableid (VRF): 1
> Maximum output segment queue size: 50
>
> Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)
>
> Event Timers (current time is 0xF58354):
> Timer          Starts    Wakeups            Next
> Retrans             0          0             0x0
> TimeWait            0          0             0x0
> AckHold             0          0             0x0
> SendWnd             0          0             0x0
> KeepAlive           0          0             0x0
> GiveUp              0          0             0x0
> PmtuAger            0          0             0x0
> DeadWait            0          0             0x0
> Linger              0          0             0x0
> ProcessQ            0          0             0x0
>
> iss:          0  snduna:          0  sndnxt:          0
> irs:          0  rcvnxt:          0
>
> sndwnd:      0  scale:      0  maxrcvwnd:   4128
> rcvwnd:   4128  scale:      0  delrcvwnd:      0
>
> SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
> minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms
> uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms
> Status Flags: gen tcbs
> Option Flags: VRF id set, keepalive running, nagle, Reuse local address
>   Retrans timeout
> IP Precedence value : 0
>
> Datagrams (max data segment is 516 bytes):
> Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
> Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second
> Congestion: 0), with data: 0, total data bytes: 0
>
>  Packets received in fast path: 0, fast processed: 0, slow path: 0
>  fast lock acquisition failures: 0, slow path: 0
> TCP Semaphore      0x5BEB9B10  FREE
>
>
>
>
>
> (The command "show control-plane host open-ports" is not available on
> this platform/code)
>
>
>
> I also think that if it would be a local socket for internal process
> communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154.
> So this is listening on all interfaces, virtuals and physicals and seam
> not to be for internal internal process communication.
>
>
> Fred

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature