Catalyst 4500 listening on TCP 6154 on all interfaces

Hi,

We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2
which have TCP port 6154 listening on all interfaces.

Any idea what it could be ?

#show tcp brief all
TCB Local Address Foreign Address (state)
...
5A529430 0.0.0.0.6154 <<<<<<<<<<<<<<<<

#show tcp tcb 5A529430
Connection state is LISTEN, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 0.0.0.0, Local port: 6154
Foreign host: UNKNOWN, Foreign port: 0
Connection tableid (VRF): 1
Maximum output segment queue size: 50

Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xF58354):
Timer Starts Wakeups Next
Retrans 0 0 0x0
TimeWait 0 0 0x0
AckHold 0 0 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
Linger 0 0 0x0
ProcessQ 0 0 0x0

iss: 0 snduna: 0 sndnxt: 0
irs: 0 rcvnxt: 0

sndwnd: 0 scale: 0 maxrcvwnd: 4128
rcvwnd: 4128 scale: 0 delrcvwnd: 0

SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms
uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms
Status Flags: gen tcbs
Option Flags: VRF id set, keepalive running, nagle, Reuse local address
  Retrans timeout
IP Precedence value : 0

Datagrams (max data segment is 516 bytes):
Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
Congestion: 0), with data: 0, total data bytes: 0

Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
TCP Semaphore 0x5BEB9B10 FREE

(The command "show control-plane host open-ports" is not available on
this platform/code)

I also think that if it would be a local socket for internal process
communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154.
So this is listening on all interfaces, virtuals and physicals and seam
not to be for internal internal process communication.

Fred

As the zero touch feature is on TCP 4786 (SMI), I vote for either:

- a nsa backdoor
- a default active service

Have you tried to zeroize the config and restart then check if TCP 6154
is still on LISTEN state ?

- a nsa backdoor

it would be a very bad backdoor as it's really easy to see the port
listening...

- a default active service

Maybe, but a service which is not officially registered:
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=6154

in contrary to the SMI (zero touch feature on tcp 4786) which is
registered since almost 10y:
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=4786

Could it be possible that this kind of tcp port is not registered by
Iana because it meant to be used for internal communication only
(internal to the device), or should you register any port usage (even
'private') ?

And yes I've tried to reset to default the config, shutdown all
interface, remove all L3 ip/feature (no ip blabla), and I still see by
default 2 TCP ports on listening state:

Cat4500-SUP7L-E#sh ip prot
*** IP Routing is NSF aware ***

Cat4500-SUP7L-E#
Cat4500-SUP7L-E#sh run | in ip
address-family ipv4
address-family ipv6
no ip routing
ip vrf Liin-vrf
no ip mfib
no ip bootp server
no ip dhcp-client broadcast-flag
no ip igmp snooping
no ipv6 traffic interface-statistics
no ip address
no ip route-cache
no ip address
no ip route-cache
no ip forward-protocol nd
no ip http server
no ip http secure-server
Cat4500-SUP7L-E#
Cat4500-SUP7L-E#
Cat4500-SUP7L-E#show tcp br all
TCB Local Address Foreign Address (state)
5B40BB30 0.0.0.0.4786 *.* LISTEN
5CD5D2D8 0.0.0.0.6154 *.* LISTEN
Cat4500-SUP7L-E#

I will now try to negate all potential active service from the 'show run
all' config but it's not optimal as for example 'vstack' (port 4786)
does not appear in the default config so it would not be disable by this
trivial method.

Fred

Just a wild thought – why not open a TAC case with Cisco and ask them?

I've been told that the TAC center will not take the time to answer as
it's not a 'real' problem, service affecting issue.
And the Cisco community forum on that topic was useless (nobody answer
to a person which already open a topic about this issue 10 months ago).
But you are the 4rd person to tell me to open a TAC, I could have tried
first.
In the meantime Cisco contact me off-list, so I will try with them.

Some Cisco devices use 6154 for ypxfrd.

6154 ypxfrd Portmap Request (Info, Atomic*)

Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfids.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/protect_tools.html

* bruce.curtis@ndsu.edu (Curtis, Bruce) [Mon 07 May 2018, 18:25 CEST]:

Some Cisco devices use 6154 for ypxfrd.

No, they don't.

6154 ypxfrd Portmap Request (Info, Atomic*)

Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfids.html

That's a list of supported IDS signatures, not a list of protocols running on a Cisco device.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/protect_tools.html

Same.

Did you just do a Google search for "site:cisco.com 6141" and paste the results in an email? What made you think the original poster hadn't done their homework?

  -- Niels.

reading this - just wondering....do you use the SmartCall home service? I
wonder if that's what is using this.

try this:

no service smart-call-home and see if that disables it...

just a thought

This has not been my experience. TAC specifically has an option when opening a case to "Ask a question". It's purpose is for non-outage queries such as these. I've asked them things such as "How many ARP entries does an ASA 5585X support?" Sometimes I find conflicting information so I need to ask TAC or I'm just too busy to find the answer.

I've learned not to be hesitant to engage them, we pay for the support after all.

Yes, sometimes you will get an engineer who is not helpful. Let them close the case and open another case or insist that the case be moved to another engineer.

Cisco contact me off-line and ask me to share my datas. They will open a
bug id and investigate.
Nothing to say, very pro active.

The bug id is CSCvj35885

Cisco also confirmed that this tcp port is for internal communication
(internal to the device) only and should not be exposed.

Next time I will follow your recommendation about opening a tac case for
information request, and not bother the community.

Thank to all for your tips and ideas.

Best regards,
Fred

NANOG mailing list subscribers:

Hi there\. My name is Dario Ciccarone and I work as an Incident

Manager on the Cisco PSIRT. The Cisco Product Security Incident Response
Team (PSIRT) is responsible for responding to Cisco product security
incidents. The Cisco PSIRT is a dedicated, global team that manages the
receipt, investigation, and public reporting of information about
security vulnerabilities and issues related to Cisco products and
networks. Cisco defines a security vulnerability as an unintended
weakness in a product that could allow an attacker to compromise the
integrity, availability, or confidentiality of the product.

Frederic's email caught our attention, and we would like to provide

some additional context and answers to the behavior by him observed. The
issue observed by Frederic (port 6154/tcp showing up in LISTEN state on
some IOS XE releases) is documented on Cisco bug ID CSCut14378, with the
title "Port 6154/tcp (XTF Agent) shown in LISTEN state on some Cisco IOS
XE releases". The details of this bug can be found on our Bug Search
Tool at the following URL:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut14378

While access to the Bug Search Tool is generally offered as part of

a support contract and requires of an account on cisco.com, Cisco users
*without a support contract* can register for a Guest account by filling
the form at the following URL:

https://idreg.cloudapps.cisco.com/idreg/register.do

This guest account will provide limited privileges on cisco\.com \-

but enough to be able to access the Bug Search Tool and read the
complete Release Note Enclosure for the bug in question. For those NANOG
members that would prefer not to register for a Guest account with Cisco
- I will be providing the full Release Note Enclosure text at the end of
this email.

I would also like to use this opportunity to invite the NANOG

subscribers to reach out to the Cisco PSIRT whenever you observe a
behavior on a Cisco device that may create a concern in regards to the
device's general security posture. The Cisco PSIRT can be reached by
email at psirt@cisco.com - additional information on how to reach us can
be found at the following URL:

https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html#roosfassv

Thanks,

Dario

Dario Ciccarone <dciccaro@cisco.com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

CSCut14378, - "Port 6154/tcp (XTF Agent) shown in LISTEN state on some
Cisco IOS XE releases"

*Symptom:*
The output of the "show tcp brief all" command or the "show ip ports
all" command on a Cisco device running a subset of Cisco IOS XE releases
may show port 6154/tcp in LISTEN state.

Example output from "show tcp brief all" exhibiting this behavior:

IOS-XE#show tcp brief all
TCB Local Address Foreign Address (state)
386F0098 10.122.163.49.23 10.118.116.244.59674 ESTAB
3D639184 10.122.163.49.23 10.118.116.244.59671 TIMEWAIT
38720150 0.0.0.0.4786 *.* LISTEN
3D4B6A78 0.0.0.0.6154 *.* LISTEN
3A7CC28C ::.443 *.* LISTEN
391EDBF4 0.0.0.0.443 *.* LISTEN
3C8C480C ::.80 *.* LISTEN
39B48F38 0.0.0.0.80 *.* LISTEN
9626:37 192.168.1.1.9010 0.0.0.0.* LISTEN
IOS-XE#

Example output from "show ip ports all" exhibiting this behavior:
(truncated)

IOS-XE#show ip ports all
tcp *:6154 *:* LISTEN
309/[IOS]XTF Agent
IOS-XE#

*Conditions:*
No special conditions.

*Workaround:*
There are no workarounds needed.

*Further Problem Description:*
The Cisco XTF (Cross-OS Test Framework) is a Cisco internal tool to
perform product testing during development. Due to an issue with a build
tool, a limited number of Cisco IOS XE releases were shipped with an
embedded Cisco XTF Agent.

The Cisco XTF Agent accepts connections from the XTF manager on port
6154/TCP. It is important to note that even if the "Local Address" and
"Foreign Address" are shown as wildcards on the output of the "show tcp
brief all" command or the "show ip ports all" command (which would imply
the XTF Agent listens on all interfaces, and would accept connections
from any remote source IP address), the XTF Agent is started up with a
set of socket options that only allows it to accept connections sourced
from the Cisco IOS XE Internal VRF. The Cisco IOS XE Internal VRF is
used for internal inter-process communications and is not accessible
from outside the box nor from any other VRF on the box.

Attempts to connect to port 6154/TCP coming from any other VRF on the
box (no VRF, default VRF, Management VRF or any user-defined VRFs) will
be answered with a TCP RST, tearing down the connection. There is no way
to establish a TCP connection to the XTF Agent from outside the internal
VRF.

The following is a complete list of all Cisco IOS XE releases that
shipped with an embedded XTF Agent and will show port 6154/TCP as being
on LISTEN state when executing a "show tcp brief all" command :

* 3.2.0SE, 3.2.1SE, 3.2.2SE, 3.2.3SE
* 3.3.0SE, 3.3.1SE, 3.3.2SE, 3.3.3SE, 3.3.4SE, 3.3.5SE
* 3.5.0E, 3.5.1E, 3.5.2E, 3.5.3E
* 3.6.0E, 3.6.0aE, 3.6.0bE, 3.6.1E, 3.6.2E, 3.6.2aE, 3.6.3E, 3.6.4E,
3.6.5E, 3.6.5aE, 3.6.6E, 3.6.7E, 3.6.7aE, 3.6.7bE, 3.6.8E, 3.6.9E
* 3.7.0E, 3.7.1E

*PSIRT Evaluation:*
The Cisco PSIRT has evaluated this issue and does not meet the criteria
for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change
in the severity of this issue, please contact psirt@cisco.com for
another evaluation.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

PSIRT-0353552144

hi,

thank-you Dario for your input and response from Cisco PSIRT - very
useful and welcome.

alan