Cisco IOS XR Software supports a programmatic way of configuring and collecting operational data on a network device using data models. Data models provide access to the capabilities of the devices in a network using NETCONF or gRPC.
According to Cisco IOS XR Software configuration guides, if NETCONF or gRPC are enabled on a device, authentication, authorization, and accounting (AAA) authorization should be configured to prevent unauthorized access:
Configure AAA authorization to restrict users from uncontrolled access. If AAA authorization is not configured, the command and data rules associated to the groups that are assigned to the user are bypassed. An IOS-XR user can have full read-write access to the IOS-XR configuration through Network Configuration Protocol (NETCONF), google-defined Remote Procedure Calls (gRPC) or any YANG-based agents. In order to avoid granting uncontrolled access, enable AAA authorization using aaa authorization exec command before setting up any configuration
This informational advisory describes the impact of not having AAA authorization configured on a device when NETCONF or gRPC (gRPC Network Management Interface or gRPC Network Operations Interface) are configured.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-info-GXp7nVcP
This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication.
Security Impact Rating: Informational
Source:: Cisco Security Advisories