Cisco has issued a warning about a critical zero-day vulnerability in its IOS XE software, which poses a severe security risk. This flaw enables unauthenticated attackers to obtain full administrator privileges, allowing them to remotely control affected routers and switches.
isco has issued a warning about a critical zero-day vulnerability in its IOS XE software, which poses a severe security risk. This flaw enables unauthenticated attackers to obtain full administrator privileges, allowing them to remotely control affected routers and switches.
The vulnerability, identified as CVE-2023-20198, remains unpatched as of now. It exclusively affects devices with the Web User Interface (Web UI) feature enabled and the HTTP or HTTPS Server feature activated. Cisco has detected active exploitation of this vulnerability, particularly when devices are exposed to the internet or untrusted networks. Successful exploitation permits attackers to establish a privileged account with level 15 access, effectively granting them complete control over the compromised device and the potential for unauthorized activities.
Cisco’s Technical Assistance Center (TAC) discovered these attacks on September 28, initially prompted by unusual behavior reports on a customer device. Subsequent investigations traced related malicious activities back to September 18. These activities involved an authorized user creating a local user account named “cisco_tac_admin” from a suspicious IP address (5.149.249[.]74). Cisco also identified additional activity associated with CVE-2023-20198 on October 12, during which a local user account named “cisco_support” was created from another suspicious IP address (154.53.56[.]231). The attackers further deployed a malicious implant to execute arbitrary commands at the system or IOS levels.
Cisco believes that these clusters of activities likely stem from the same actor. The October activity appears to build upon the September events, suggesting an expansion of the operation to establish persistent access through the deployment of the implant.
In terms of mitigation, Cisco advises administrators to disable the HTTP server feature on internet-facing systems. This action will eliminate the attack vector and prevent incoming attacks. Cisco strongly recommends customers use the “no ip http server” or “no ip http secure-server” commands in global configuration mode to disable the HTTP Server feature. After disabling this feature, administrators should execute the “copy running-configuration startup-configuration” command to ensure the HTTP Server feature remains disabled even after a system reload. If both the HTTP and HTTPS servers are active, both commands are necessary to disable the HTTP Server feature.
Additionally, organizations are encouraged to monitor for unexplained or recently created user accounts, which may indicate malicious activity associated with this threat. To detect the presence of the malicious implant on compromised Cisco IOS XE devices, administrators can utilize the following command, replacing “DEVICEIP” with the IP address under investigation:
curl -k -X POST “https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1”
Cisco is actively working on a software fix for this issue and advises customers to follow the outlined security advisory. Updates regarding the investigation will be provided through the security advisory. In a statement, Cisco’s Director for Security Communications, Meredith Corley, emphasized the importance of taking immediate action to address this security concern.
In a related note, Cisco recently alerted its customers to another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software, which had been targeted by attackers in the wild.