October 16, 2023 at 11:52AM
Cisco has warned administrators about a severe zero-day vulnerability in its IOS XE Software that allows attackers to gain full control of affected routers. The vulnerability, identified as CVE-2023-20198, only affects devices with the Web User Interface feature enabled and the HTTP or HTTPS Server feature toggled on. Cisco advises disabling the HTTP Server feature and recommends looking for suspicious user accounts. Last month, Cisco also alerted customers to another zero-day vulnerability in its IOS and IOS XE software.
Key Takeaways from the Meeting Notes:
– Cisco has identified a new and severe zero-day vulnerability in its IOS XE Software that allows attackers to gain full administrator privileges and control affected routers.
– The vulnerability (CVE-2023-20198) specifically affects physical and virtual devices with the Web User Interface (Web UI) feature enabled and the HTTP or HTTPS server feature toggled on.
– Cisco has observed active exploitation of this vulnerability and warns that it can lead to unauthorized access and subsequent unauthorized activity on compromised devices.
– The attacks were first discovered on September 28 and further investigation revealed related activity dating back to September 18.
– The malicious activity involved creating local user accounts with suspicious usernames from suspicious IP addresses (5.149.249[.]74 and 154.53.56[.]231) as well as deploying a malicious implant to execute arbitrary commands.
– Cisco believes that these clusters of activity were carried out by the same actor, with the October activity building off the September activity.
– To mitigate the vulnerability, Cisco recommends disabling the HTTP server feature on internet-facing systems, which removes the attack vector. This is done with the appropriate configuration commands, followed by saving the configuration so the change survives a reload.
– Organizations are advised to also look for unexplained or recently created user accounts as potential signs of malicious activity.
– A command example is provided for detecting the presence of the malicious implant on compromised devices running Cisco IOS XE.
– It is worth noting that last month Cisco also warned customers about another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software that was being targeted by attackers.
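As an added, defender-side example (not Cisco's tooling, and not the implant-detection command the notes refer to), the following Python script applies the two checks above to a saved `show running-config` excerpt: whether the Web UI's HTTP/HTTPS server is enabled, and whether any local user account falls outside a known-good baseline. The sample config, hostname, account names and baseline are constructed; `ip http server` / `ip http secure-server` and their `no` forms are the standard IOS XE global-configuration commands, but the platform default when those lines are absent varies, so the script reports `None` rather than guessing.

```python
"""Offline triage of a Cisco IOS XE running-config excerpt for the two checks
the notes call for: is the Web UI's HTTP/HTTPS server on, and are there local
user accounts outside a known-good baseline?  Added example, not Cisco tooling."""
from __future__ import annotations

import re

# Constructed sample of `show running-config` output; hostname, accounts and
# secrets are placeholders, not taken from any real device or the advisory.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup_tmp privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Accounts the operator expects to exist (constructed baseline).
APPROVED_USERS = {"netadmin"}

# `ip http server` / `ip http secure-server` enable the Web UI transport; the
# `no` form disables it. Only the last occurrence of each line counts.
HTTP_LINE_RE = re.compile(r"^(no )?ip http (server|secure-server)\s*$", re.M)
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)


def http_server_state(config: str) -> dict[str, bool | None]:
    """True = explicitly enabled, False = explicitly disabled, None = line absent.
    None is not 'safe': whether the platform default is on or off varies, so
    confirm on the device rather than assuming."""
    state: dict[str, bool | None] = {"server": None, "secure-server": None}
    for m in HTTP_LINE_RE.finditer(config):
        state[m.group(2)] = m.group(1) is None
    return state


def local_users(config: str) -> list[tuple[str, int | None]]:
    """(name, privilege) for every `username` line; privilege None if unspecified."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in USERNAME_RE.finditer(config)]


def unexpected_accounts(config: str, approved: set[str]) -> list[str]:
    """Local accounts not in the baseline: the 'unexplained or recently created
    user accounts' the notes say to look for. Privilege-15 ones matter most."""
    return [name for name, _ in local_users(config) if name not in approved]


def remediation_commands(state: dict[str, bool | None]) -> list[str]:
    """Global-config lines that remove the attack vector on an internet-facing
    box. Anything not explicitly False gets the `no` form. Enter them under
    `configure terminal` and save with `copy running-config startup-config`;
    this also turns off any management that relies on the Web UI."""
    cmds = []
    if state["server"] is not False:
        cmds.append("no ip http server")
    if state["secure-server"] is not False:
        cmds.append("no ip http secure-server")
    return cmds


def triage(config: str, approved: set[str] = APPROVED_USERS) -> dict:
    """One summary per device: exposure, suspect accounts, and what to apply."""
    state = http_server_state(config)
    return {
        "http": state,
        "exposed": any(v is not False for v in state.values()),
        "unexpected_accounts": unexpected_accounts(config, approved),
        "remediation": remediation_commands(state),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CONFIG), indent=2))
```

Run it against the constructed sample and it flags both HTTP transports as enabled, lists `svc_backup_tmp` as an account outside the baseline, and emits the two `no ip http ...` lines; feed it a config that already carries those `no` lines and the remediation list is empty. The account check is only a baseline diff, so it should be paired with the device's own logs of when each `username` line was added.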