October 17, 2023 at 07:12AM
Cisco has issued a warning about a zero-day vulnerability, CVE-2023-20198, affecting its IOS XE software. The vulnerability allows remote attackers to gain privileged access and take control of devices, potentially modifying network routing rules and exfiltrating data. Cisco has observed active exploitation of the vulnerability and is working on a patch. In the meantime, they advise disabling the HTTP Server feature and provide a list of indicators of compromise.
Key takeaways from the meeting notes:
1. Cisco has issued a warning about a new zero-day vulnerability affecting its IOS XE software, which is being exploited to hack devices.
2. The vulnerability, known as CVE-2023-20198, allows a remote, unauthenticated attacker to escalate privileges and gain control of the device.
3. Attackers can modify network routing rules, open ports for data exfiltration, and remain undetected for extended periods if they create administrative accounts with innocuous names.
4. The vulnerability can be exploited either from the network or directly from the internet if the targeted device is exposed.
5. Cisco’s Talos unit discovered attacks exploiting CVE-2023-20198 on September 28 and found that malicious activity started as early as September 18 and continued into October.
6. Hackers deployed an implant consisting of a configuration file, enabling them to execute arbitrary commands at the system or IOS level.
7. The implant is delivered through the exploitation of another vulnerability, CVE-2021-1435, patched by Cisco in March 2021.
8. The implant is not persistent, but the accounts created by the attackers remain even after the device is rebooted.
9. Cisco is working on a patch for CVE-2023-20198, but until it is available, customers are advised to disable the HTTP Server feature on their internet-facing systems.
10. The US cybersecurity agency CISA has added CVE-2023-20198 to its Known Exploited Vulnerabilities Catalog and instructed government organizations to implement mitigations by October 20.