October 30, 2023 at 11:15PM
Public exploit code for the critical Cisco IOS XE vulnerability CVE-2023-20198 is now available. The flaw was exploited as a zero-day to compromise tens of thousands of devices. Cisco has released patches for most IOS XE software releases, but internet scans show that thousands of systems remain compromised. Researchers have published details of how an attacker bypasses authentication to create a new user with full privileges on the device; from there, commands can be executed for reconnaissance and further access. Despite the available updates, thousands of devices are likely still compromised.
Key Takeaways from the Meeting Notes:
1. Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198, which was used as a zero-day to hack tens of thousands of devices.
2. Cisco has released patches for most releases of its IOS XE software, but thousands of systems are still compromised.
3. Researchers at Horizon3.ai have shared details on how an attacker can bypass authentication and exploit CVE-2023-20198 to gain complete control over a vulnerable Cisco IOS XE device.
4. The exploit sends an encoded HTTP request to the Web Services Management Agent (WSMA) service in iosd, which runs the attacker's configuration commands and creates a new local user with full (privilege level 15) access.
5. LeakIX, a threat intelligence search engine, confirmed that Cisco IOS XE devices are being hijacked with the CVE-2023-20198 exploit.
6. Cisco has updated its security bulletin and released patches for most IOS XE release trains; a fix for the 17.3 train was not yet available at the time of writing.
7. Threat actors exploited the vulnerability before patches were available, and initial estimates suggest that thousands of devices remain compromised even now that fixes exist.
8. Early internet scans found the malicious implant on approximately 60,000 Cisco IOS XE devices exposed on the public web; the count then dropped sharply after the threat actor modified the implant so that it no longer answered the original fingerprinting request.
9. Researchers at Fox-IT developed a new scanning method that detects the updated implant, revealing close to 38,000 devices still compromised.
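As an added example, not code from this page or from Cisco, Horizon3.ai or Fox-IT: a small Python checker that applies Cisco's published implant check for this campaign. Cisco's advisory stated that a POST to https://DEVICE/webui/logoutconfirm.html?logon_hash=1 on an implanted device returns a hexadecimal string, whereas a clean device returns the normal logout page. The block turns that into a response classifier run over constructed sample replies (not captured from real devices), plus an optional live probe. The `extra_headers` parameter is a hypothetical hook for alternative fingerprints such as the one Fox-IT used against the updated implant; those details are not reproduced here.

```python
import re
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Cisco's published check: an implanted device answers this POST with a hex token.
IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# A bare hexadecimal token of plausible length; a clean device serves HTML here.
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{8,64}")


@dataclass
class Verdict:
    compromised: bool
    reason: str


def classify_response(status: int, body: str) -> Verdict:
    """Decide whether a reply to the implant-check request indicates the implant.

    Only a 200 whose entire body is a hex token counts as a positive. Anything
    else (HTML logout page, 404 when the web UI is off, other errors) is a
    negative, but see the caveat in scan_samples(): a negative is not proof
    the device is clean once the implant has been modified.
    """
    text = body.strip()
    if status == 200 and HEX_TOKEN.fullmatch(text):
        return Verdict(True, f"implant answered with hex token {text}")
    if status == 200:
        return Verdict(False, "200 but body is a normal page, not a hex token")
    if status == 404:
        return Verdict(False, "404: path not served (web UI off, or probe ignored)")
    return Verdict(False, f"HTTP {status}: no implant indicator")


def probe(host: str, timeout: float = 5.0,
          extra_headers: Optional[Dict[str, str]] = None) -> Verdict:
    """Send the check to a live device. Network call; not used by the offline samples.

    extra_headers is a hypothetical hook for alternative fingerprints (assumption,
    not part of Cisco's check); leave it None to send Cisco's original request.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed certificates are the norm on IOS XE web UIs
    req = urllib.request.Request(f"https://{host}{IMPLANT_CHECK_PATH}", data=b"",
                                 method="POST", headers=extra_headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))
    except (OSError, ValueError) as err:
        return Verdict(False, f"no answer: {err}")


# Constructed sample replies (not captured from real devices), shaped like the
# three outcomes the original check produced.
SAMPLE_REPLIES: Dict[str, Tuple[int, str]] = {
    "implant": (200, "3f0c9a7b2e4d6f8a1c\n"),
    "clean": (200, "<!DOCTYPE html><html><body>You have been logged out.</body></html>"),
    "no_webui": (404, "Not Found"),
}


def scan_samples() -> Dict[str, Verdict]:
    """Classify the constructed replies. A False here means 'not detected by this
    check', not 'clean': the actor changed the implant so it stopped answering
    this request, which is why Fox-IT needed a different fingerprint."""
    return {name: classify_response(status, body)
            for name, (status, body) in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        flag = "COMPROMISED" if verdict.compromised else "not detected"
        print(f"{name:9s} {flag:13s} {verdict.reason}")
```

Treat a negative as "not detected by this request", not as a clean bill of health; the count in the scans above fell precisely because the modified implant stopped answering the original probe. Until a device is patched, Cisco's guidance was to disable the HTTP server feature (`no ip http server` and `no ip http secure-server`) or to restrict it to trusted sources with `ip http access-class`, and to review running configuration and local user accounts for entries nobody created.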