Cisco’s IOS XE Vulnerability Allows Complete Takeover, actively exploited

Oct 17, 2023 | News


Cisco has issued a critical security warning to administrators regarding a severe authentication bypass zero-day vulnerability present in its IOS XE software. This flaw enables unauthenticated attackers to gain full administrator privileges and, troublingly, allows them to take complete control of routers and switches remotely.

This critical vulnerability has been officially tracked as CVE-2023-20198 and is still awaiting a patch. It exclusively affects devices that have the Web User Interface (Web UI) feature enabled, in combination with the HTTP or HTTPS Server feature activated.

Cisco has identified active exploitation of this previously unknown vulnerability in the Web User Interface (Web UI) feature of the Cisco IOS XE software. Notably, this exploitation occurs when these devices are exposed to the internet or untrusted networks.

The successful exploitation of this vulnerability grants malicious actors the capability to create an account on the compromised device, specifically with privilege level 15 access. This effectively provides them with full control over the affected device, potentially leading to unauthorized activities.


The alarm was first raised on September 28, when Cisco’s Technical Assistance Center (TAC) detected unusual behavior on a customer’s device. Further investigation revealed related activities dating back to September 18.

The attackers used an authorized user account to create a local user account with the username “cisco_tac_admin” from a suspicious IP address, 5.149.249[.]74. Later, additional activity linked to CVE-2023-20198 exploitation emerged on October 12, involving the creation of a “cisco_support” local user account from a different suspicious IP address, 154.53.56[.]231. These attackers also deployed a malicious implant to execute arbitrary commands at the system or IOS level.

Cisco’s analysis suggests that these clusters of activities were likely orchestrated by the same threat actor. The initial cluster may have represented the actor’s initial testing, while the October activity showcased an expansion of their operation, including establishing persistent access through the implant.

To mitigate this threat, Cisco recommends administrators disable the HTTP server feature on internet-facing systems, effectively removing the attack vector and blocking potential attacks.

The company advises customers to use the commands “no ip http server” or “no ip http secure-server” in global configuration mode to disable the HTTP Server feature. Additionally, after disabling the feature, the command “copy running-configuration startup-configuration” should be executed so that the HTTP Server feature is not unexpectedly re-enabled when the system reloads.

For those using both the HTTP and HTTPS servers, it’s crucial to implement both commands to disable the HTTP Server feature completely.

Furthermore, organizations are strongly encouraged to scrutinize their systems for unexplained or recently created user accounts, which might indicate malicious activities associated with this threat.
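The two administrator checks above (is the Web UI still reachable, and are there privilege-15 accounts nobody created on purpose) can be run offline against a saved running-config. The following script is an added example, not Cisco's or the article's own tooling; the config excerpt is constructed, the secret values are placeholders, and the KNOWN_ACCOUNTS allowlist is an assumption that each site would replace with its own list.

```python
import re

# Constructed excerpt of a Cisco IOS XE running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username netops privilege 5 secret 9 $9$placeholder
ip http server
ip http secure-server
"""

# Accounts the organisation knows it created (assumed allowlist; adjust per site).
KNOWN_ACCOUNTS = {"admin", "netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)

def http_server_state(config):
    """Which Web UI transports are on: 'ip http server' (HTTP) and
    'ip http secure-server' (HTTPS). A 'no ...' line means it is off."""
    lines = {line.strip() for line in config.splitlines()}
    return {"http": "ip http server" in lines,
            "https": "ip http secure-server" in lines}

def suspicious_priv15_accounts(config, known=KNOWN_ACCOUNTS):
    """Privilege-15 usernames that are not on the known-account allowlist."""
    return sorted(name for name, level in USER_RE.findall(config)
                  if int(level) == 15 and name not in known)

def remediation_commands(state):
    """Advisory commands to disable each enabled transport (global config mode),
    then save so the Web UI does not come back after a reload."""
    cmds = [cmd for flag, cmd in (("http", "no ip http server"),
                                  ("https", "no ip http secure-server"))
            if state[flag]]
    if cmds:
        cmds.append("copy running-configuration startup-configuration")
    return cmds

def audit(config):
    """Run both checks and return the findings in one dict."""
    state = http_server_state(config)
    return {"web_ui": state,
            "unexpected_priv15": suspicious_priv15_accounts(config),
            "remediation": remediation_commands(state)}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the output of “show running-config” from each device; any name in unexpected_priv15 (such as the “cisco_tac_admin” and “cisco_support” accounts described above) warrants investigation rather than silent deletion.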

To identify the presence of the malicious implant on compromised Cisco IOS XE devices, you can use the following command on the device, replacing “DEVICEIP” with the IP address you are investigating:

curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

Cisco has committed to providing a software fix for this issue and urges customers to take immediate action, as outlined in their security advisory. The company will continue to update customers on the progress of their investigation through the security advisory channel.

This recent warning follows Cisco’s previous caution to customers about patching another zero-day vulnerability, CVE-2023-20109, present in its IOS and IOS XE software, which had also been targeted by attackers in the wild.

Source: bleepingcomputer.com
