Cisco Warns of a Second Zero-Day in IOS XE Exploited for Device Infections
Cisco has warned of a second zero-day vulnerability in its IOS XE Software, bringing the count to two flaws that are both being actively exploited in the wild. The update follows Cisco's initial disclosure of CVE-2023-20198, a critical zero-day with a CVSS score of 10.0 that was already under attack.
The company came across these vulnerabilities during its response to multiple Technical Assistance Center (TAC) support cases. Threat actors have not wasted any time and have already leveraged CVE-2023-20198 to compromise thousands of Cisco IOS XE devices, according to a warning from cybersecurity firm VulnCheck.
This first zero-day lets attackers obtain administrator privileges and take control of vulnerable routers and switches. Cisco's advisory explains that a remote, unauthenticated attacker can exploit it to create an account on an affected system with privilege level 15 access, the highest IOS privilege level and equivalent to full administrative control. Once created, that account can be used to log in and take over the device.
The vulnerability affects physical and virtual devices running Cisco IOS XE Software with the Web User Interface (Web UI) feature enabled; the web UI is exposed through the HTTP Server or HTTPS Server feature (the `ip http server` and `ip http secure-server` commands), so devices with either enabled are affected.
Cisco recommends that administrators examine system logs for web-login and programmatic-configuration messages that reference usernames such as "cisco_tac_admin" or "cisco_support", or any other locally configured user that is unfamiliar to the network. As a precaution, administrators are urged to disable the HTTP Server feature (both `ip http server` and `ip http secure-server`) on systems exposed to the internet, or to restrict access to it until the fix is installed.
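The log and configuration review Cisco describes above can be scripted. The following is an added example written for this article, not Cisco's own tooling: it scans syslog output for web-UI logins and programmatic configuration changes by users that are either the published IoC usernames or absent from an operator-supplied allowlist, lists locally configured users that are not on that allowlist, and reports whether the HTTP/HTTPS server is still enabled. The sample log lines and configuration excerpt are constructed for illustration, and the allowlist (`EXPECTED_USERS`) stands in for whatever list of legitimate local accounts an operator actually maintains.

```python
"""Triage helper for the CVE-2023-20198 log and config checks.

Added example, not Cisco code. Sample data below is constructed; the
message formats follow the IOS XE syslog style (%FACILITY-SEVERITY-MNEMONIC)
and should be checked against the device's real output before relying on them.
"""
import re

# Usernames Cisco published as indicators of compromise.
KNOWN_IOC_USERS = {"cisco_tac_admin", "cisco_support"}

# Assumption: the operator's own list of legitimate local accounts.
EXPECTED_USERS = {"netops", "backup"}

# Constructed sample syslog lines (not real device output).
SAMPLE_LOGS = """\
Oct 17 10:02:11.100: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]
Oct 17 10:15:43.221: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
Oct 17 10:15:44.002: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.7]
Oct 17 11:01:09.310: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)
"""

# Constructed running-config excerpt (not real device output; hashes replaced).
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username backup privilege 1 secret 9 $9$REDACTED
ip http server
ip http secure-server
"""

WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>\S+)\]"
)
# The web UI emits this message for legitimate use too, so the username,
# not the process name, is the decisive signal.
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) from console as (?P<user>\S+) on line"
)
USERNAME_RE = re.compile(r"^username (?P<user>\S+)(?: privilege (?P<priv>\d+))?", re.M)


def suspicious_log_events(log_text, allowlist):
    """Return (user, line) for web logins or programmatic config changes by
    users that are known IoCs or are not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = WEBLOGIN_RE.search(line) or CONFIG_P_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if user in KNOWN_IOC_USERS or user not in allowlist:
            findings.append((user, line.strip()))
    return findings


def unexpected_local_users(config_text, allowlist):
    """Return (user, privilege) for local accounts not on the allowlist.
    IOS assigns privilege 1 when no level is configured."""
    out = []
    for m in USERNAME_RE.finditer(config_text):
        user = m.group("user")
        priv = int(m.group("priv") or 1)
        if user not in allowlist:
            out.append((user, priv))
    return out


def web_ui_exposed(config_text):
    """True if `ip http server` or `ip http secure-server` is enabled.
    Lines beginning with `no ` do not match because of the anchored regex."""
    return bool(re.search(r"^ip http (secure-)?server\s*$", config_text, re.M))


if __name__ == "__main__":
    for user, line in suspicious_log_events(SAMPLE_LOGS, EXPECTED_USERS):
        print(f"[LOG] suspicious activity by {user!r}: {line}")
    for user, priv in unexpected_local_users(SAMPLE_CONFIG, EXPECTED_USERS):
        print(f"[CFG] unexpected local user {user!r} with privilege {priv}")
    if web_ui_exposed(SAMPLE_CONFIG):
        print("[CFG] web UI still reachable: consider 'no ip http server' / 'no ip http secure-server'")
```

Feed it the output of `show logging` and `show running-config` from the device; a privilege-15 account you did not create, or a web login from an address outside your management network, is grounds to treat the device as compromised rather than merely exposed.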
Security researchers have been actively tracking the aftermath of these attacks. LeakIX utilized indicators of compromise (IoCs) from Cisco Talos and identified approximately 30,000 Cisco IOS XE devices (routers, switches, VPNs) that had fallen victim to the exploitation of CVE-2023-20198. Most of these compromised devices were located in the United States, the Philippines, Chile, and Mexico. CERT Orange Cyberdefense reported similar findings, with over 34,500 compromised devices using the same IoCs.
Cisco's continued investigation into the attacks then uncovered a second zero-day. The attackers first exploited CVE-2023-20198 to gain initial access and create a local username and password, which they used for subsequent logins. They then abused a separate flaw in another component of the web UI feature to elevate from that new user to root and write an implant to the file system. This second vulnerability was designated CVE-2023-20273.
The CVSS base scores are 10.0 (critical) for CVE-2023-20198 and 7.2 (high) for CVE-2023-20273.
Cisco has now released fixes for both vulnerabilities and published mitigations. The first fixed releases are listed below.
| Cisco IOS XE Software Release Train | First Fixed Release | Available |
|---|---|---|
| 17.9 | 17.9.4a | Yes |
| 17.6 | 17.6.6a | TBD |
| 17.3 | 17.3.8a | TBD |
| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | TBD |
Notably, researchers then observed a sharp fall in the number of devices on which the implant could be detected. The drop does not appear to reflect remediation: it coincided with the attackers modifying the implant on compromised devices so that it no longer answered the unauthenticated remote check that had been used to count infections.
💥💥 #Cisco #CVE #CVE-2023-20198 update: something happened today.
We went down from 40k hosts with an implant to 1.2k.
We still have roughly the same number of reachable Cisco devices (~60k), but most of them do not show the Talos discovered implant remotely as before. https://t.co/ogetwLLfE6 pic.twitter.com/pWxKRpWr5V
— ONYPHE (@onyphe) October 21, 2023
UPDATE: Improved Cisco IOS XE Web UI CVE-2023-20198 implant detection, after threat actor modified their compromised device config (hat tip to @foxit)
30,487 unique IPs on 2023-10-23
Latest data in tonight's compromised website report. Dashboard stats updated after end of day. pic.twitter.com/7SjqduAaGA
— Shadowserver (@Shadowserver) October 23, 2023
Based on our latest check, 320 implants remaining …
Tuesday 10/17: 34 552;
Wednesday 10/18: 36 965;
Thursday 10/19 4pm CET (cleaning step began): 31 220;
Today 10/22 5pm CET: 320
#CVE-2023-20198 #CVE-2023-20273 #somethingishappening pic.twitter.com/mh1ugFAfOf
— CERT Orange Cyberdefense (@CERTCyberdef) October 22, 2023
As of now, the threat actors behind these attacks have not been identified, and Cisco has not attributed the campaign to any group.
Source: securityaffairs.com