Cisco has recently announced a critical zero-day vulnerability in its IOS XE operating system. This vulnerability, cataloged as CVE-2023-20273, presents severe risks to thousands of devices. This issue is further exacerbated by another vulnerability, CVE-2023-20198, which forms part of a complex exploit chain. Together, these vulnerabilities have been exploited by unidentified threat actors to install malicious backdoors.

Risk Scoring

Two vulnerabilities are at the center of this cybersecurity crisis. According to the Common Vulnerability Scoring System (CVSS), CVE-2023-20273 has a score of 7.2, while CVE-2023-20198 has a staggering score of 10.0. These scores indicate the severity of the vulnerabilities, with higher scores suggesting a more critical risk.

Vulnerability Details

Initial Attack Vector

The attacker starts by exploiting CVE-2023-20198 to gain initial access to the vulnerable system. They execute a command to establish a local user account. This account provides the attacker with regular user access, which serves as a launching pad for further exploits.

Privilege Escalation

Once initial access is secured, the attacker exploits CVE-2023-20273. Utilizing the web UI feature in the IOS XE operating system, the attacker uses the newly created user to escalate privileges to the root level. The Lua-based malicious implant is then written to the file system.

Wider Implications

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that successful exploitation could give an attacker full control over a compromised system. Given the absence of adequate protection measures, attackers could then perform a range of activities, from monitoring network traffic to establishing persistent entry points into the network.

Scale of the Problem

According to estimations from Censys and LeakIX, over 40,000 devices running the vulnerable Cisco IOS XE software have already been compromised. This number is continually rising, posing significant threats to enterprise networks. Current data from Shodan reveals that more than 146,000 potentially vulnerable systems are open to attacks.

Administrator Guidance

Monitoring

Administrators are urged to look for recently created or suspicious user accounts, which could indicate an ongoing attack. Cisco recommends disabling the HTTP/S server feature on internet-facing systems to mitigate risks.

Identification of Malicious Implants

To identify malicious implants, administrators should use the curl command, as described in Cisco’s security advisory, on the compromised device.

Recommendations

Patch and Update

As soon as patches become available, update all affected devices to the most secure software version.

Continuous Monitoring

Monitor network activity meticulously, especially on devices running Cisco IOS XE. Be vigilant for any signs of unauthorized access or newly created user accounts.

Disable Unnecessary Features

Deactivate the HTTP/S server feature on devices exposed to the internet to reduce the attack surface.

Network Segmentation

Isolate critical systems from less critical ones to prevent attackers from moving laterally within the network.

Security Awareness Training

Training staff in cybersecurity awareness can prove crucial in recognizing and responding to potential security threats.

Indicators of Compromise (IoCs)

  • IP Addresses:
    • 5.149.249[.]74
    • 154.53.56[.]231
    • 154.53.63[.]93
  • Usernames:
    • cisco_tac_admin
    • cisco_support
    • cisco_sys_manager

Final Thoughts

The discovery of these vulnerabilities in Cisco’s IOS XE software underscores the perpetual risks in today’s digital world. Organizations utilizing Cisco networking devices need to take immediate action to mitigate these vulnerabilities, given that threat actors have already exploited them. Continuous monitoring, timely updates, and cybersecurity awareness among staff are crucial for managing this crisis effectively.

Also Read:

Categorized in:

Computer TricksCyber Security

Tagged in:

, , , , , , ,