NANOG mailing list subscribers: Hi there. My name is Dario Ciccarone and I work as an Incident Manager on the Cisco PSIRT. The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents. The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Cisco products and networks. Cisco defines a security vulnerability as an unintended weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product. Frederic's email caught our attention, and we would like to provide some additional context and answers to the behavior by him observed. The issue observed by Frederic (port 6154/tcp showing up in LISTEN state on some IOS XE releases) is documented on Cisco bug ID CSCut14378, with the title "Port 6154/tcp (XTF Agent) shown in LISTEN state on some Cisco IOS XE releases". The details of this bug can be found on our Bug Search Tool at the following URL: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut14378 While access to the Bug Search Tool is generally offered as part of a support contract and requires of an account on cisco.com, Cisco users *without a support contract* can register for a Guest account by filling the form at the following URL: https://idreg.cloudapps.cisco.com/idreg/register.do This guest account will provide limited privileges on cisco.com - but enough to be able to access the Bug Search Tool and read the complete Release Note Enclosure for the bug in question. For those NANOG members that would prefer not to register for a Guest account with Cisco - I will be providing the full Release Note Enclosure text at the end of this email. I would also like to use this opportunity to invite the NANOG subscribers to reach out to the Cisco PSIRT whenever you observe a behavior on a Cisco device that may create a concern in regards to the device's general security posture. The Cisco PSIRT can be reached by email at psirt@cisco.com - additional information on how to reach us can be found at the following URL: https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-p... Thanks, Dario Dario Ciccarone <dciccaro@cisco.com> Incident Manager - CCIE #10395 Product Security Incident Response Team (PSIRT) Cisco Systems, Inc. PGP Key ID: 0xBA1AE0F0 http://www.cisco.com/go/psirt CSCut14378, - "Port 6154/tcp (XTF Agent) shown in LISTEN state on some Cisco IOS XE releases" *Symptom:* The output of the "show tcp brief all" command or the "show ip ports all" command on a Cisco device running a subset of Cisco IOS XE releases may show port 6154/tcp in LISTEN state. Example output from "show tcp brief all" exhibiting this behavior: IOS-XE#show tcp brief all TCB Local Address Foreign Address (state) 386F0098 10.122.163.49.23 10.118.116.244.59674 ESTAB 3D639184 10.122.163.49.23 10.118.116.244.59671 TIMEWAIT 38720150 0.0.0.0.4786 *.* LISTEN 3D4B6A78 0.0.0.0.6154 *.* LISTEN 3A7CC28C ::.443 *.* LISTEN 391EDBF4 0.0.0.0.443 *.* LISTEN 3C8C480C ::.80 *.* LISTEN 39B48F38 0.0.0.0.80 *.* LISTEN 9626:37 192.168.1.1.9010 0.0.0.0.* LISTEN IOS-XE# Example output from "show ip ports all" exhibiting this behavior: (truncated) IOS-XE#show ip ports all tcp *:6154 *:* LISTEN 309/[IOS]XTF Agent IOS-XE# *Conditions:* No special conditions. *Workaround:* There are no workarounds needed. *Further Problem Description:* The Cisco XTF (Cross-OS Test Framework) is a Cisco internal tool to perform product testing during development. Due to an issue with a build tool, a limited number of Cisco IOS XE releases were shipped with an embedded Cisco XTF Agent. The Cisco XTF Agent accepts connections from the XTF manager on port 6154/TCP. It is important to note that even if the "Local Address" and "Foreign Address" are shown as wildcards on the output of the "show tcp brief all" command or the "show ip ports all" command (which would imply the XTF Agent listens on all interfaces, and would accept connections from any remote source IP address), the XTF Agent is started up with a set of socket options that only allows it to accept connections sourced from the Cisco IOS XE Internal VRF. The Cisco IOS XE Internal VRF is used for internal inter-process communications and is not accessible from outside the box nor from any other VRF on the box. Attempts to connect to port 6154/TCP coming from any other VRF on the box (no VRF, default VRF, Management VRF or any user-defined VRFs) will be answered with a TCP RST, tearing down the connection. There is no way to establish a TCP connection to the XTF Agent from outside the internal VRF. The following is a complete list of all Cisco IOS XE releases that shipped with an embedded XTF Agent and will show port 6154/TCP as being on LISTEN state when executing a "show tcp brief all" command : * 3.2.0SE, 3.2.1SE, 3.2.2SE, 3.2.3SE * 3.3.0SE, 3.3.1SE, 3.3.2SE, 3.3.3SE, 3.3.4SE, 3.3.5SE * 3.5.0E, 3.5.1E, 3.5.2E, 3.5.3E * 3.6.0E, 3.6.0aE, 3.6.0bE, 3.6.1E, 3.6.2E, 3.6.2aE, 3.6.3E, 3.6.4E, 3.6.5E, 3.6.5aE, 3.6.6E, 3.6.7E, 3.6.7aE, 3.6.7bE, 3.6.8E, 3.6.9E * 3.7.0E, 3.7.1E *PSIRT Evaluation:* The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.h... PSIRT-0353552144 On 5/3/18 12:51 AM, frederic.jutzet@sig-telecom.net wrote:
Hi,
We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2 which have TCP port 6154 listening on all interfaces.
Any idea what it could be ?
#show tcp brief all TCB Local Address Foreign Address (state) ... 5A529430 0.0.0.0.6154 <<<<<<<<<<<<<<<<
#show tcp tcb 5A529430 Connection state is LISTEN, I/O status: 1, unread input bytes: 0 Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255 Local host: 0.0.0.0, Local port: 6154 Foreign host: UNKNOWN, Foreign port: 0 Connection tableid (VRF): 1 Maximum output segment queue size: 50
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0xF58354): Timer Starts Wakeups Next Retrans 0 0 0x0 TimeWait 0 0 0x0 AckHold 0 0 0x0 SendWnd 0 0 0x0 KeepAlive 0 0 0x0 GiveUp 0 0 0x0 PmtuAger 0 0 0x0 DeadWait 0 0 0x0 Linger 0 0 0x0 ProcessQ 0 0 0x0
iss: 0 snduna: 0 sndnxt: 0 irs: 0 rcvnxt: 0
sndwnd: 0 scale: 0 maxrcvwnd: 4128 rcvwnd: 4128 scale: 0 delrcvwnd: 0
SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms Status Flags: gen tcbs Option Flags: VRF id set, keepalive running, nagle, Reuse local address Retrans timeout IP Precedence value : 0
Datagrams (max data segment is 516 bytes): Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0 Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 0, total data bytes: 0
Packets received in fast path: 0, fast processed: 0, slow path: 0 fast lock acquisition failures: 0, slow path: 0 TCP Semaphore 0x5BEB9B10 FREE
(The command "show control-plane host open-ports" is not available on this platform/code)
I also think that if it would be a local socket for internal process communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154. So this is listening on all interfaces, virtuals and physicals and seam not to be for internal internal process communication.
Fred