October 17, 2023 at 01:03AM
Cisco has issued a warning about a critical security flaw in its IOS XE software that is being actively exploited. The vulnerability, assigned as CVE-2023-20198, allows remote attackers to create an account with high-level access and gain control of affected systems. The flaw only affects enterprise networking gear with the Web UI feature enabled and exposed to the internet or untrusted networks. Cisco has detected malicious activity linked to the flaw and recommends disabling the HTTP server feature on internet-facing systems to mitigate the risk.
Key takeaways from the meeting notes:
– Cisco has warned about a critical, unpatched security flaw (CVE-2023-20198) in IOS XE software that is actively being exploited.
– The vulnerability affects enterprise networking gear with the Web UI feature enabled and exposed to the internet or untrusted networks.
– The flaw allows a remote attacker to create a privileged account on the affected system and gain control.
– Physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled are affected.
– Cisco discovered the problem after detecting malicious activity on a customer device in September 2023.
– The activity involved the creation of unauthorized local user accounts, followed by the deployment of a Lua-based implant for executing arbitrary commands.
– The implant is installed by exploiting a now-patched vulnerability (CVE-2021-1435) and an as-yet-undetermined mechanism.
– The backdoor created by the implant is not persistent, but the rogue privileged accounts remain active.
– The same threat actor is presumed to be behind both clusters of activity.
– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory and added the flaw to the Known Exploited Vulnerabilities catalog.