Headline
Cisco IOS XE vulnerability widely exploited in the wild
Categories: Exploits and vulnerabilities Categories: News Tags: Cisco
Tags: IOS X
Tags: remote management
Tags: vulnerability
Tags: CVE-2023-20198
Tags: webUI
Tags: http server
Tags: http secure-server
Researchers have found that a recently disclosed vulnerability in Cisco IOS XE has already rendered thousands of compromised devices.
(Read more…)
The post Cisco IOS XE vulnerability widely exploited in the wild appeared first on Malwarebytes Labs.
An authentication bypass affecting Cisco IOS X was disclosed on October 16, 2023. Researchers have found since then that the vulnerability is widely being exploited in the wild to help install implants on affected switches and routers.
Cisco IOS XE is a universally deployed Internetworking Operating System (IOS) that enables model-driven programmability, application hosting, and configuration management, helping to automate day-to-day tasks.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as:
CVE-2023-20198 (CVSS score 10 out of 10: Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
What Cisco failed to mention was that thousands of internet-facing IOS XE systems have been implanted. The researchers scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts.
Cisco has also yet to publish a list of affected devices, but if you are using Cisco switches, routers or Wireless LAN Controllers, you should assume they are vulnerable.
The implants that were found enable the attacker to communicate with the compromised device and use that ability to monitor web traffic, perform lateral movement in the network, or use them for a machine-in-the-middle attack.
The Cisco Talos team discovered there were malicious activities correlated with this vulnerability as early as September 18, 2023.
Mitigation
This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.
To determine whether the HTTP Server feature is enabled for a system, log in to the system and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the system.
Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
While a patch is not yet available, it is advisable to protect your organization by disabling the web interface and removing all management interfaces from the internet immediately. Which is always good advice.
The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog, based on the evidence of active exploitation. This means all Federal Civilian Executive Branch Agencies (FCEB) have to verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 (Mitigating the Risk from Internet-Exposed Management Interfaces) and apply mitigations per Cisco’s instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), organizations must follow Cisco’s instructions to determine if a system may have been compromised and immediately report positive findings to CISA before October 20,2023.
Organizations should look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. One method to identify if the implant is present is to run the following command against the device, where the "{DEVICEIP}” portion is a placeholder for the IP address of the device to check:
curl -k -X POST “https://{DEVICEIP}/webui/logoutconfirm.html?logon_hash=1”
Note: The above check should use the HTTP scheme if the device is only configured for an insecure web interface. If the request returns a hexadecimal string, the implant is present.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.
Related news
This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f...
Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
By Deeba Ahmed It is unclear how long Cisco will take to release a patch. This is a post from HackRead.com Read the original post: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices
Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient.
Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have
By Waqas Another day, another critical vulnerability hits Cisco! This is a post from HackRead.com Read the original post: New Cisco Web UI Vulnerability Exploited by Attackers
No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory Cisco will provide updates on the status of this investigation and when a software patch is available.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.