October 21, 2023 at 12:33AM
Cisco has alerted users to a zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor. The flaw, tracked as CVE-2023-20273, allows for privilege escalation and the deployment of a malicious implant. Cisco has identified a fix, which it will begin making available on October 22, 2023, and recommends disabling the HTTP server feature until the fix is deployed. Over 41,000 Cisco devices running the vulnerable software are estimated to have been compromised.
Key Takeaways from Meeting Notes:
1. Cisco has warned about a new zero-day vulnerability in IOS XE that is being actively exploited by an unknown threat actor.
2. The vulnerability, tracked as CVE-2023-20273, involves a privilege escalation flaw in the web UI feature and is part of an exploit chain with CVE-2023-20198.
3. The attacker exploits CVE-2023-20198 to gain initial access and create a local user and password combination with full user access.
4. The attacker then leverages another component of the web UI feature to elevate privileges to root and install a malicious Lua-based implant on the file system.
5. Cisco has identified a fix for both vulnerabilities and will make it available to customers starting October 22, 2023. In the meantime, it is recommended to disable the HTTP server feature.
6. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that the vulnerabilities allow remote actors to take complete control of affected systems.
7. Successful exploitation of the vulnerabilities could give attackers remote access to routers and switches, allowing them to monitor network traffic, inject and redirect network traffic, and establish a persistent presence on the network.
8. More than 41,000 Cisco devices running vulnerable IOS XE software have been compromised by threat actors using these vulnerabilities, mostly affecting smaller entities and individuals.
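The interim mitigation in point 5 is to turn off the HTTP server feature, which means removing the web UI's HTTP and HTTPS listeners from the running configuration. The following is an added example, not code from Cisco or from the article, showing how a defender could audit a set of exported IOS XE running-configs for those listeners and print the commands to disable them. The three sample configs are constructed for illustration, and the `no ip http server` / `no ip http secure-server` commands are standard IOS XE syntax assumed here rather than quoted from the text above.

```python
from typing import Dict, List

# Constructed sample running-config excerpts (not captured from any real device).
SAMPLE_CONFIGS: Dict[str, str] = {
    "edge-rtr-01": """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
""",
    "core-sw-02": """\
hostname core-sw-02
!
no ip http server
ip http secure-server
!
""",
    "lab-rtr-03": """\
hostname lab-rtr-03
!
no ip http server
no ip http secure-server
!
""",
}

# The two configuration lines that enable the web UI's HTTP and HTTPS listeners,
# mapped to the command that disables each. Disabling both is the interim
# mitigation described above; the "no ..." forms are assumed standard IOS XE syntax.
HTTP_LINES: Dict[str, str] = {
    "ip http server": "no ip http server",
    "ip http secure-server": "no ip http secure-server",
}


def exposed_web_ui_lines(config: str) -> List[str]:
    """Return the enabling 'ip http ...' lines present in a running-config.

    Lines are compared after stripping whitespace, so a 'no ip http server'
    line (already disabled) never matches an enabling line.
    """
    found: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line in HTTP_LINES:
            found.append(line)
    return found


def mitigation_commands(config: str) -> List[str]:
    """Return the config-mode commands needed to disable every exposed listener."""
    return [HTTP_LINES[line] for line in exposed_web_ui_lines(config)]


def audit(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> enabled web-UI lines; an empty list means the device is mitigated."""
    return {host: exposed_web_ui_lines(cfg) for host, cfg in configs.items()}


if __name__ == "__main__":
    for host, lines in audit(SAMPLE_CONFIGS).items():
        if lines:
            print(f"{host}: web UI exposed via {', '.join(lines)}")
            print("  apply in config mode: " + "; ".join(mitigation_commands(SAMPLE_CONFIGS[host])))
        else:
            print(f"{host}: HTTP server feature disabled")
```

Run against real exports, the audit gives a fleet-wide list of devices that still have the web UI reachable; those are the ones that need the interim mitigation until the fixed software from October 22, 2023 is installed.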