Headline
Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised
Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.
A threat actor has already infected thousands of Internet exposed Cisco IOS XE devices with an implant for arbitrary code execution via an as-yet-unpatched maximum severity vulnerability in the operating system.
Cisco disclosed the flaw, identified as CVE-2023-20198, on Oct. 17, with a warning about exploit activity in the wild targeting the flaw. The bug, which has a severity rating of 10 out of 10 on the CVSS vulnerability-severity scale, is present in the Web UI component of IOS XE.
The company said it had observed an attacker using the vulnerability to gain administrator level privileges on IOS XE devices, and then, in an apparent patch bypass, abusing an older remote code execution (RCE) flaw from 2021 (CVE-2021-1435) to drop a Lua-language implant on affected systems.
Now, those attacks appear to have a global footprint.
Unpatched Bug Leads to 10K Infected Cisco Systems
Cisco’s security advisory noted that the company had responded to reports of unusual activity tied to the flaw from multiple customers. But the actual scope of the infections appears to be a lot higher than what was apparent from the advisory.
Jacob Baines, CTO at VulnCheck says his company has fingerprinted at least 10,000 Cisco IOS XE systems with the implant on them — and that’s from scanning just half of the affected devices that are visible on search engines such as Shodan and Censys.
“From what we can tell, it doesn’t not appear to be localized,” Baines says. “The IPs geolocate to a wide number of countries all over the globe.”
Baines says it’s somewhat difficult to determine if the attacks are opportunistic or targeted. On the one hand, opportunistic attacks often involve threat actors using publicly available or researcher-developed proof-of-concept (PoC) exploits.
But that’s not what has happened with the activity targeted at CVE-2023-20198 so far, he says. “Not only did the attackers allegedly use a zero day — and perhaps a second patch bypass — but they also deployed a custom implant. That isn’t opportunistic.”
Yet at the same time, the sheer number of exploited systems suggests more of an indiscriminate approach, Baines says.
Cisco Pwning Likely From a Single Threat Actor
The fact that the compromised Cisco IOS XE systems all have the same implant suggests that one threat actor is behind the attacks. “Because the initial auth-bypass vulnerability was — and still is unpatched —finding vulnerable targets is as simple as a Shodan query,” Baines adds. Because Cisco has not made details of the vulnerability public yet, it is to ascertain how easy or not CVE-2023-20198 is to exploit, he notes.
Researchers at Detectify too on Oct. 17 reported observing what appears to be Internet-wide exploit activity targeting the Cisco zero-day vulnerability. But they believe the threat actor behind it is opportunistically hitting every affected system they can find. “The attackers seem to be casting a wide net by attempting to exploit systems without a specific target in mind first,” one researcher from the firm says. The approach appears to be to “exploit everything first and then determine what is interesting.” Detectify’s researchers shared Baines’ assessment about affected systems being trivially easy to find via search engines like Shodan.
Detectify’s team only verified a relatively limited number of systems as being infected while building a test for detecting the implant for customers, the researcher says. But it is conceivable that thousands of systems have the implant, the researcher adds.
Access Lists Are Effective Mitigation
Cisco has not yet released a patch for the zero-day threat. But the company has recommended that organizations with affected systems immediately disable the HTTPS Server feature on Internet-facing IOS XE devices. On Oct. 17, Cisco updated its advisory to note that controlling access to the HTTPS Server feature using access lists, works as well.
“We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation,” Cisco said. When implementing access controls for these services, organization need to be cognizant of what they are doing because of the potential for interruption of production services, the company cautioned.
Cisco did not respond to a Dark Reading question about the reports about thousands of systems having the implant via the new zero-day bug. But in an emailed statement the company said it is “working non-stop” to provide a software fix. In the meantime, customers should immediately implement the steps outlined in the security advisory, the statement reiterated.
“Cisco has nothing more to share at this time but will provide an update on the status of our investigation through the security advisory. Please refer to the security advisory and Talos blog for additional details.”
Related news
This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f...
Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
By Deeba Ahmed It is unclear how long Cisco will take to release a patch. This is a post from HackRead.com Read the original post: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices
By Deeba Ahmed It is unclear how long Cisco will take to release a patch. This is a post from HackRead.com Read the original post: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices
Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient.
Categories: Exploits and vulnerabilities Categories: News Tags: Cisco Tags: IOS X Tags: remote management Tags: vulnerability Tags: CVE-2023-20198 Tags: webUI Tags: http server Tags: http secure-server Researchers have found that a recently disclosed vulnerability in Cisco IOS XE has already rendered thousands of compromised devices. (Read more...) The post Cisco IOS XE vulnerability widely exploited in the wild appeared first on Malwarebytes Labs.
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have
By Waqas Another day, another critical vulnerability hits Cisco! This is a post from HackRead.com Read the original post: New Cisco Web UI Vulnerability Exploited by Attackers
No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory Cisco will provide updates on the status of this investigation and when a software patch is available.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.