Pierluigi Paganini
October 23, 2023
Cisco last week warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases.
Threat actors have exploited the recently disclosed critical zero-day vulnerability (CVE-2023-20198) to compromise thousands of Cisco IOS XE devices, security firm VulnCheck warned.
The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.
The advisory published by the vendor states that the exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.
“Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks.” reads the advisory published by the company. “This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.”
The flaw affects physical and virtual devices running with the Web User Interface (Web UI) feature enabled and that have the HTTP or HTTPS Server feature in use.
The company urges administrators to check the system logs for the presence of any of the following log messages where the user could be cisco_tac_admin, cisco_support, or any configured, local user that is unknown to the network.
Cisco recommends admins to disable the HTTP server feature on systems exposed on the Internet.
Researchers from LeakIX used the indicators of compromise (IOCs) released by Cisco Talos and found around 30k Cisco IOS XE devices (routers, switches, VPNs) that were infected by exploiting the CVE-2023-20198. Most of the infected devices were in the United States, the Philippines, Chile, and Mexico.
CERT Orange also found a similar number of compromised Cisco IOS XE devices (over 34.5K) using the same IoCs.
Cisco new discovered a second actively exploited IOS XE zero-day vulnerability tracked as CVE-2023-20273.
While investigating attacks exploiting the flaw CVE-2023-20198, Cisco noticed attacks on systems patched against this issue, a circumstance that suggested that threat actors were exploiting a second zero-day flaw.
“Our investigation has determined that the actors exploited two previously unknown issues.” reads the advisory published by the company. “The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.
The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.
The IT giant has now addressed both zero-day vulnerabilities and also provided mitigations for them.
| Cisco IOS XE Software Release Train | First Fixed Release | Available |
|---|---|---|
| 17.9 | 17.9.4a | Yes |
| 17.6 | 17.6.6a | TBD |
| 17.3 | 17.3.8a | TBD |
| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | TBD |
Cyber security firms observed a rapid drop in the number of infected devices, but the root cause was the attempt of the attackers to hide their infection as reported by Shadowserver Foundation.
💥💥 #Cisco #CVE #CVE-2023-20198 update: something happened today.
— ONYPHE (@onyphe) October 21, 2023
We went down from 40k host with an implant to 1.2k.
We still have roughly the same number of reachable Cisco devices (~60k), but most of them do not show the Talos discovered implant remotely as before. https://t.co/ogetwLLfE6 pic.twitter.com/pWxKRpWr5V
UPDATE: Improved Cisco IOS XE Web UI CVE-2023-20198 implant detection, after threat actor modified their compromised device config (hat tip to @foxit)
— Shadowserver (@Shadowserver) October 23, 2023
30,487 unique IPs on 2023-10-23
Latest data in tonight's compromised website report. Dashboard stats updated after end of day. pic.twitter.com/7SjqduAaGA
“Please note that a potential trace cleaning step is underway to hide the implant (following exploitation of #CVE-2023-20198)” reported CERT Orange Cyberdefense. “Even if you have disabled your WebUI, we recommend that you carry out an investigation to make sure that no malicious users has been added and that its configuration has not been altered”
Even if you have disabled your WebUI, we recommend that you carry out an investigation to make sure that no malicious users has been added and that its configuration has not been altered 2/2
— CERT Orange Cyberdefense (@CERTCyberdef) October 21, 2023
Based on our latest check, 320 implants remaining … Tuesday 10/17: 34 552 ;
— CERT Orange Cyberdefense (@CERTCyberdef) October 22, 2023
Wednesday 10/18: 36 965 ;
Thursday 10/19 4pm CET (cleaning step began): 31 220
Today 10/22 5pm CET: 320#CVE-2023-20198 #CVE-2023-20273 #somethingishappening pic.twitter.com/mh1ugFAfOf
At the time of this publishing, it is still unclear who is behind these attacks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISCO IOS XE)
