Cisco Bug: CSCvu75135 - MGBL-AAA unauthorized users able to pull data through Cisco-IOS-XR-telemetry-model-driven-oper.yang

Last Modified

Oct 13, 2020

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases

7.1.2.BASE

Description (partial)

Symptom:
Users without task 'config-services' are able to retrieve operational data of YANG module Cisco-IOS-XR-telemetry-model-driven-oper.yang through YANG-based interfaces such as NETCONF, Cisco IOS-XR gRPC, and gNMI.

Conditions:
Users without task 'config-services' are able to retrieve operational data of YANG module Cisco-IOS-XR-telemetry-model-driven-oper.yang through YANG-based interfaces such as NETCONF, Cisco IOS-XR gRPC, and gNMI. That is, a user who is not authorized for the operational data of Cisco-IOS-XR-telemetry-model-driven-oper.yang can still retrieve it.


An example is a user configured as user-group serviceadmin.

RP/0/RP0/CPU0:ios#show user
service
RP/0/RP0/CPU0:ios#show user tasks
Task:             firewall  : READ    WRITE    EXECUTE    DEBUG
Task:                  sbc  : READ    WRITE    EXECUTE    DEBUG
RP/0/RP0/CPU0:ios#show user group
serviceadmin
RP/0/RP0/CPU0:ios#


A NETCONF get request for Cisco-IOS-XR-telemetry-model-driven-oper:

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get>
    <filter>
      <telemetry-model-driven xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-telemetry-model-driven-oper"/>
    </filter>
  </get>
</rpc>
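
The mismatch described above can be checked offline against captured data. The following is an added example, not Cisco code: it parses the 'show user tasks' output and the NETCONF request shown above and reports filtered models whose required task the user lacks. The function names, the one-entry namespace-to-task table, and the choice of READ as the required permission are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
TELEMETRY_NS = "http://cisco.com/ns/yang/Cisco-IOS-XR-telemetry-model-driven-oper"
# Namespace -> required task. Only the pairing stated in the bug is listed.
REQUIRED_TASK = {TELEMETRY_NS: "config-services"}

# Inputs copied from the bug description above.
SAMPLE_TASKS = """\
Task:             firewall  : READ    WRITE    EXECUTE    DEBUG
Task:                  sbc  : READ    WRITE    EXECUTE    DEBUG
"""
SAMPLE_RPC = """\
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <get><filter>
    <telemetry-model-driven xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-telemetry-model-driven-oper"/>
  </filter></get>
</rpc>"""

def parse_user_tasks(cli_output):
    """Parse 'show user tasks' output into {task: set(permissions)}."""
    tasks = {}
    for line in cli_output.splitlines():
        m = re.match(r"\s*Task:\s*(\S+)\s*:\s*(.*)$", line)
        if m:
            tasks[m.group(1)] = set(m.group(2).split())
    return tasks

def filter_namespaces(rpc_xml):
    """Namespaces of the top-level elements inside each NETCONF <filter>."""
    # Parse trusted captures only; use defusedxml for untrusted XML.
    root = ET.fromstring(rpc_xml)
    return [child.tag[1:].split("}", 1)[0]
            for flt in root.iter("{%s}filter" % NETCONF_NS)
            for child in flt if child.tag.startswith("{")]

def unauthorized_models(rpc_xml, tasks):
    """(namespace, task) pairs the request touches without READ on the task."""
    # Assumption: READ on the task is what authorizes an operational get.
    return [(ns, REQUIRED_TASK[ns]) for ns in filter_namespaces(rpc_xml)
            if ns in REQUIRED_TASK
            and "READ" not in tasks.get(REQUIRED_TASK[ns], set())]

if __name__ == "__main__":
    for ns, task in unauthorized_models(SAMPLE_RPC, parse_user_tasks(SAMPLE_TASKS)):
        print("request reads %s but user lacks task %s" % (ns, task))
```

If a device on an affected release returns data for a request that this check flags, the authorization gap described in this bug is present for that user.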