Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit

October 16, 2023 at 04:52PM

Cisco has disclosed a critical zero-day vulnerability in the Web User Interface of its IOS XE operating system. The flaw, tracked as CVE-2023-20198, affects all Cisco IOS XE devices with the Web UI feature enabled and allows attackers to create an account with complete control of the device. Cisco advises customers to disable the HTTPS Server feature to mitigate the vulnerability.

Cisco is urging customers to immediately disable the HTTPS Server feature on all Internet-facing IOS XE devices. This action is necessary to protect against a critical zero-day vulnerability in the Web User Interface of the operating system. The vulnerability, tracked as CVE-2023-20198, affects all Cisco IOS XE devices with the Web UI feature enabled.

The flaw allows a remote, unauthenticated attacker to create an account on the affected system with privilege level 15 access. This access enables complete device takeover, granting the attacker control over the system. The severity of this vulnerability has been rated as 10 out of 10 on the CVSS scale by Cisco.

An unknown attacker has been actively exploiting this flaw to gain access to Cisco Internet-facing IOS XE devices. They have been dropping a Lua-language implant that allows for arbitrary command execution on affected systems. The attacker leverages another flaw, CVE-2021-1435, a medium severity command injection vulnerability in the Web UI component of IOS XE, which Cisco has already patched. Surprisingly, the threat actor has been able to deliver the implant even on devices that are fully patched against CVE-2021-1435.

Cisco first became aware of the vulnerability when responding to an incident involving unusual behavior on a customer device. Further investigation revealed that malicious activity related to the vulnerability may have started as early as September 18. The attacker has been creating local user accounts with admin privileges and performing other malicious actions.

The implant dropped by the attacker requires a Web server restart to become active. In some cases, the server was not restarted, preventing the implant from activating. However, the local user accounts created by the attacker via CVE-2023-20198 are persistent and grant continued administrator-level access even after a device reboot.

Cisco Talos researchers advise organizations to be vigilant for new or unexplained users on IOS XE devices, as this could indicate exploitation of the vulnerability. They also provide a command that organizations can use to check for the presence of the implant on affected devices.
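The two defensive checks the article describes, looking for unexplained privilege-15 accounts and confirming whether the Web UI is exposed, can be automated against saved `show running-config` output. The following is an added example written for this summary, not code from the article, Cisco or Talos; it assumes the standard IOS `username ... privilege 15` account lines and the `ip http server` / `ip http secure-server` lines that enable the HTTP/HTTPS server, and the sample configuration and the allowlist of expected accounts are constructed for illustration.

```python
import re

# Constructed sample of `show running-config` output; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$redacted1
username tmp_admin privilege 15 secret 9 $9$redacted2
username monitor privilege 1 secret 9 $9$redacted3
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Hypothetical allowlist of the local accounts the organisation provisioned.
EXPECTED_USERS = {"netops", "monitor"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)


def find_unexpected_priv15(config, expected):
    """Return local accounts with privilege 15 that are not on the allowlist."""
    return sorted(
        name for name, level in USER_RE.findall(config)
        if int(level) == 15 and name not in expected
    )


def web_ui_exposed(config):
    """Report each Web UI listener that is configured (no leading `no`)."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
    }


def triage(config, expected):
    """Combine both checks into a per-device verdict string."""
    exposure = web_ui_exposed(config)
    suspects = find_unexpected_priv15(config, expected)
    if suspects:
        return "investigate: unexplained privilege-15 account(s)"
    if exposure["http"] or exposure["https"]:
        return "mitigate: disable ip http server / ip http secure-server"
    return "ok"
```

Because the attacker-created accounts survive a reboot, the account check matters even on devices where the Web UI has since been disabled.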

Cisco strongly recommends that organizations immediately implement the guidance provided in Cisco’s Product Security Incident Response Team (PSIRT) advisory. The same threat actor is believed to be responsible for both clusters of malicious activity related to this vulnerability.

It should be noted that this is the second significant vulnerability in Cisco IOS XE’s Web UI component that has been disclosed recently. In September, Cisco disclosed CVE-2023-20231, a command injection vulnerability that also allowed for level 15 privileges on IOS XE devices.

Given the value of zero-day vulnerabilities and those that grant administrator-level privileges on network technologies, such as those from Cisco, it is crucial for organizations to take prompt action to protect their systems. Network routers, switches, firewalls, and other similar technologies are attractive targets for attackers due to the control they have over network traffic.
