October 20, 2023 at 06:17PM
Cisco has disclosed two high-severity zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, being actively exploited to compromise Cisco IOS XE devices. The company has found fixes for both vulnerabilities and plans to release them on October 22. Over 40,000 devices have already been compromised. System administrators are urged to disable the vulnerable HTTP server feature and look for suspicious user accounts associated with the attacks.
Key Takeaways from the Meeting Notes:
– Cisco has disclosed a new high-severity zero-day vulnerability, CVE-2023-20273. It is being actively exploited to deploy malicious implants on compromised IOS XE devices.
– The vulnerability is related to the CVE-2023-20198 zero-day, which was revealed earlier.
– Cisco has found a fix for both vulnerabilities and plans to release it to customers via the Cisco Software Download Center starting October 22.
– The previously mentioned CVE-2021-1435 is no longer associated with this activity.
– Unauthenticated attackers have been exploiting the CVE-2023-20198 authentication bypass zero-day since at least September 18 to hack into IOS XE devices.
– The CVE-2023-20273 privilege escalation zero-day is then used to gain root access and take control over the devices.
– It is estimated that over 40,000 Cisco devices running vulnerable IOS XE software have already been compromised.
– Administrators are advised to disable the vulnerable HTTP server feature on all internet-facing systems to block incoming attacks.
– Cisco recommends implementing the guidance outlined in their Product Security Incident Response Team (PSIRT) advisory.
– Suspicious or recently created user accounts should be investigated as potential indicators of malicious activity.
– A specific command (`curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"`) can be used to detect the malicious implant on compromised devices.
– In a previous incident, Cisco also warned customers to patch another zero-day bug (CVE-2023-20109) in its IOS and IOS XE software, which was targeted by attackers.
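The detection command above is the one Cisco published, but the notes do not say how to read its result or how to run it across a fleet. The script below is an added example, not code from Cisco or from the original notes: it wraps that same request in a small POSIX shell scan and classifies the response the way Cisco's guidance describes (a response consisting of a hexadecimal string indicates the implant is present). The `devices.txt` input file, the 10-second timeout, and the minimum hex-string length of 8 characters used to avoid matching short HTTP status bodies are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Cisco's code): fleet check for the IOS XE web UI implant
# using the detection request from Cisco's advisory. Assumptions: device
# addresses live one per line in devices.txt; a curl timeout of 10 seconds;
# a hex string of at least 8 characters counts as an implant response.

# Classify the body returned by the logoutconfirm.html POST.
# Per Cisco's guidance, a hexadecimal string in the response means the
# implant is present; a login page, an empty body, or a short status
# string such as "404" is treated as clean.
classify_response() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ -n "$body" ] && printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]{8,}$'; then
        echo "implant-suspected"
    else
        echo "clean"
    fi
}

# Issue the detection request to one device and report the classification.
# -k skips certificate validation (self-signed management certs are common),
# -s silences progress output, -m bounds the wait for unreachable hosts.
check_device() {
    ip=$1
    body=$(curl -k -s -m 10 -X POST \
        "https://$ip/webui/logoutconfirm.html?logon_hash=1") || {
        echo "$ip unreachable"
        return 2
    }
    echo "$ip $(classify_response "$body")"
}

# Scan every address listed in the given file (default: devices.txt).
scan_devices() {
    list=${1:-devices.txt}
    while read -r ip; do
        [ -z "$ip" ] && continue
        check_device "$ip"
    done < "$list"
}

# Only run the scan when a device list is passed on the command line,
# e.g.:  sh check_implant.sh devices.txt
if [ "$#" -gt 0 ]; then
    scan_devices "$1"
fi
```

Any device reported as `implant-suspected` should be pulled for the account review the notes describe (look for unexpected or recently created local users) before the HTTP server feature is disabled and the device is patched, so that the evidence is preserved.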