Pierluigi Paganini October 16, 2023

Cisco warned customers of a critical zero-day vulnerability in its IOS XE Software that is actively exploited in attacks.

Cisco warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases.

The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.

The advisory published by the vendor states that the exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.

“Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks.” reads the advisory published by the company. “This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.”

The flaw affects physical and virtual devices running with the Web User Interface (Web UI) feature enabled and that have the HTTP or HTTPS Server feature in use.

The company urges administrators to check the system logs for the presence of any of the following log messages where the user could be cisco_tac_admin, cisco_support, or any configured, local user that is unknown to the network.

Cisco Talos researchers first spotted attacks exploiting the flaw on September 28, 2023.

“The activity included an authorized user creating a local user account under the username “cisco_tac_admin” from a suspicious IP address (5.149.249[.]74). Instances of this activity ended on October 1, and we did not observe any other associated behavior at that time other than the suspicious account creation.” states Cisco Talos. “On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what we later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name “cisco_support” from a second suspicious IP address (154.53.56[.]231). Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (“cisco_service.conf”).”

The researchers believe that the clusters of activity were likely carried out by the same actor.

The cluster observed in September likely was an initial attempt of the threat actors to test their code, while the October activity was linked to the expansion of the operation to include establishing persistent access via the deployment of the implant.

Cisco recommends admins to disable the HTTP server feature on systems exposed on the Internet.

“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.” concludes the advisory that also includes Indicators of Compromise (IoCs).”After disabling the HTTP Server feature, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the HTTP Server feature is not unexpectedly enabled in the event of a system reload.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)