CVE-2023-20198 zero-day widely exploited to install implants on Cisco IOS XE systems

Pierluigi Paganini October 17, 2023

Threat actors exploited the recently disclosed zero-day flaw (CVE-2023-20198) in a large-scale hacking campaign on Cisco IOS XE devices.

Threat actors have exploited the recently disclosed critical zero-day vulnerability (CVE-2023-20198) to compromise thousands of Cisco IOS XE devices, security firm VulnCheck warns.

Cisco this week warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases.

The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.

The advisory published by the vendor states that the exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.

“Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks.” reads the advisory published by the company. “This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.”

The flaw affects physical and virtual devices running with the Web User Interface (Web UI) feature enabled and that have the HTTP or HTTPS Server feature in use.

The company urges administrators to check the system logs for the presence of any of the following log messages where the user could be cisco_tac_admin, cisco_support, or any configured, local user that is unknown to the network.

Cisco recommends admins to disable the HTTP server feature on systems exposed on the Internet.

“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.” concludes the advisory that also includes Indicators of Compromise (IoCs).”After disabling the HTTP Server feature, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the HTTP Server feature is not unexpectedly enabled in the event of a system reload.”

VulnCheck researchers observed that the vulnerability was exploited in a large-scale hacking campaign targeting Cisco IOS XE routers and switches. The security firm developed and released a scanner used to find systems infected with implants that are exposed on the internet.

“Cisco buried the lede by not mentioning thousands of internet-facing IOS XE systems have been implanted. VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts.” reads the post published by VulnCheck. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”

The researchers urge organizations using an IOS XE system to determine if their systems have been compromised.

“If your organization uses an IOS XE system, it’s imperative that you determine if your systems have been compromised and take appropriate action once implants have been discovered. While a patch is not yet available, you can protect your organization by disabling the web interface and removing all management interfaces from the internet immediately.” concludes VulnCheck.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco IOS XE)

you might also like

leave a comment