CVSS 10 Cisco bug is getting exploited, has no patch

"We have also seen devices... getting the implant successfully installed through an as of yet undetermined mechanism."


Cisco IOS XE software is exposed to a critical CVSS 10 vulnerability that lets remote, unauthenticated attackers fully take over affected systems.

The vulnerability, allocated CVE-2023-20198, is still unpatched, being exploited in the wild, and has exposed over 140,000 instances to attack. 

To be vulnerable, Cisco IOS XE devices have to be running an HTTP/S server providing the web user interface; seemingly not an uncommon configuration. Cisco Talos notes that “Successful exploitation would grant an attacker full administrator privileges, allowing them to effectively take full control... allowing possible subsequent unauthorized activity.”

The company said in an October 16 security advisory that it had found evidence of exploitation of the vulnerability “during the resolution of multiple Cisco TAC [technical assistance centre] support cases.”

(Cisco IOS XE is an OS that runs on Cisco routers and switches. Cisco describes it as letting users “automate mundane day-to-day operations” across “switching, routing, and wireless network devices…”)

Limited attacks appear to have been happening since September 18. With the increased attention the advisory has brought, new threat actors are likely to start automating more aggressive exploits near-term.

Cisco IOS XE vulnerability CVE-2023-20198

Cisco said in its advisory: “Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks.

“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

"The following decision tree can be used to help determine how to triage an environment and deploy protections:

  • Are you running IOS XE?
    • No. The system is not vulnerable. No further action is necessary.
    • Yes. Is ip http server or ip http secure-server configured?
      • No. The vulnerability is not exploitable. No further action is necessary.
      • Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
        • No. Disable the HTTP Server feature.
        • Yes. If possible, restrict access to those services to trusted networks.
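To make that decision tree concrete, the following is an added Python example (not Cisco's or The Stack's code) that walks it over the text of a running-config: it reports whether `ip http server` or `ip http secure-server` is configured, emits the `no ip http server` / `no ip http secure-server` commands the advisory names when the web UI is not needed, and otherwise checks for an access restriction. The `ip http access-class` handling is an assumption on top of the advisory, which only says to restrict access to trusted networks without naming a command; the sample configs and the `TRUSTED-MGMT` ACL name are constructed placeholders.

```python
# Added example (not Cisco's or The Stack's code): walks the advisory's
# decision tree over a Cisco IOS XE running-config and reports whether the
# web UI server is enabled and which CLI commands the advisory recommends.
# The "ip http access-class" handling is an assumption: the advisory only
# says "restrict access to trusted networks" without naming a command.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Triage:
    http_enabled: bool
    https_enabled: bool
    access_class: Optional[str]   # ACL bound to the web server, if any
    verdict: str
    actions: list = field(default_factory=list)  # config commands to apply


def parse_http_settings(running_config: str) -> dict:
    """Extract the web-server state from 'show running-config' text.

    Later lines win, mirroring how IOS applies configuration in order.
    """
    settings = {"http": False, "https": False, "access_class": None}
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            settings["http"] = True
        elif line == "no ip http server":
            settings["http"] = False
        elif line == "ip http secure-server":
            settings["https"] = True
        elif line == "no ip http secure-server":
            settings["https"] = False
        else:
            m = re.fullmatch(r"ip http access-class (?:ipv4 )?(\S+)", line)
            if m:
                settings["access_class"] = m.group(1)
    return settings


def triage(running_config: str, needs_web_services: bool = False) -> Triage:
    """Apply the advisory's decision tree.

    needs_web_services: True when the box runs something that needs the
    web server (the advisory's example is eWLC), so it cannot be disabled.
    """
    s = parse_http_settings(running_config)
    exposed = s["http"] or s["https"]
    if not exposed:
        return Triage(s["http"], s["https"], s["access_class"],
                      "not exploitable: HTTP/HTTPS server is not configured")
    if not needs_web_services:
        # The advisory requires both commands when both servers are on.
        actions = []
        if s["http"]:
            actions.append("no ip http server")
        if s["https"]:
            actions.append("no ip http secure-server")
        return Triage(s["http"], s["https"], s["access_class"],
                      "exposed: disable the HTTP Server feature", actions)
    if s["access_class"]:
        return Triage(s["http"], s["https"], s["access_class"],
                      f"exposed but limited by ACL {s['access_class']}: "
                      "confirm it only permits trusted management networks")
    return Triage(s["http"], s["https"], s["access_class"],
                  "exposed and required: restrict access to trusted networks",
                  ["ip http access-class ipv4 TRUSTED-MGMT  ! placeholder ACL name"])


# Constructed sample configs (not taken from any real device).
VULNERABLE_CONFIG = """!
hostname edge-rtr-01
ip http server
ip http secure-server
ip http authentication local
!
"""

HARDENED_CONFIG = """!
hostname edge-rtr-02
no ip http server
no ip http secure-server
!
"""

RESTRICTED_CONFIG = """!
hostname wlc-01
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)]:
        t = triage(cfg, needs_web_services=(name == "restricted"))
        print(f"{name:>10}: {t.verdict}")
        for cmd in t.actions:
            print(f"{'':>12}-> {cmd}")
```

Feed it the output of `show running-config` from each IOS XE device in scope; a device whose verdict starts with "exposed" and has no ACL is the one to act on first.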

CVE-2023-20198 is the second zero-day vulnerability in Cisco’s IOS and IOS XE software targeted by attackers in the wild in less than four weeks, following incidents involving exploitation of CVE-2023-20109.

Mayuresh Dani, Manager, Threat Research, Qualys, said: “Cisco has not provided the list of devices affected, which means that any switch, router or WLC running IOS XE and has the web UI exposed to the internet is vulnerable. Based on my searches using Shodan, there are about 40k Cisco devices that have web UI exposed to the internet. 

“A majority of those are listening on port 80.”

Others have identified over 140,000 exposed instances. 

Cisco Talos said that attacks earlier this month, after initial breaches via CVE-2023-20198, had “included several subsequent actions, including the deployment of an implant consisting of a configuration file (“cisco_service.conf”). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters… that allows the actor to execute arbitrary commands at the system level or IOS level.”

“Leveraging existing detections, we [also] observed the actor exploiting CVE-2021-1435, for which Cisco provided a patch in 2021, to install the implant after gaining access to the device. We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism,” Talos warned.

CISA has urged Blue Teams to “apply Cisco's recommendations, hunt for malicious activity, report findings to the cybersecurity agency.”
