Cisco's IOS XE software zero-day vulnerability poses a serious problem
Critical vulnerabilities in Cisco IOS XE software and related products have been disclosed, with remote code execution (RCE) and privilege escalation capabilities. These vulnerabilities, including sandbox bypasses and arbitrary file upload flaws, pose a significant threat to affected systems.
Cisco has released security updates to address these issues, but some vulnerabilities remain under active attack, and workarounds are limited or unavailable without patching.
One such vulnerability, CVE-2023-20198, has been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog.
Implant Discovered and Deployed
As part of the October activity, an implant was deployed, which includes a configuration file based on the Lua programming language. Researchers from VulnCheck found thousands of implanted hosts after scanning the internet.
The implant was installed by unknown mechanisms on devices that were fully patched against CVE-2021-1435, indicating that the threat actor has a deep understanding of Cisco IOS XE software.
Suspicious Activity and Unauthorized Accounts
A case was opened at Cisco's technical assistance center on Sept. 28 due to suspicious activity on a customer's device. By Oct. 12, an additional cluster of suspicious activity was found when an unauthorized user created an account under the name "cisco_support" from a different suspicious IP address.
This vulnerability allows an attacker to inject arbitrary commands that can be executed as a root user, granting the attacker high-level access to the affected systems.
According to Scott Caveza, staff research engineer at Tenable, an attacker with such high-level access could modify network routing rules, open ports to access controlled servers, and steal data.
The vulnerability affects Cisco IOS XE software if the web UI feature is enabled. The implant has 29 lines of code, which help facilitate the execution of arbitrary commands.
Related activity was traced back to Sept. 18, when an authorized user created a local user account under the name "cisco_tac_admin" from a suspicious IP address.
Cisco's Response and Recommendations
Cisco has released security patches to address the vulnerabilities and strongly recommends applying them immediately. For some flaws, particularly high-severity RCE bugs, no effective workarounds exist besides patching.
Cisco continues to update advisories as new vulnerabilities are discovered. Therefore, the best action for organizations running Cisco IOS XE software is to promptly update to the latest patched software versions provided by Cisco and monitor Cisco security advisories for further updates or mitigations.
- The vulnerability, CVE-2023-20198, has been categorized as a high-severity risk due to its potential for remote code execution and privilege escalation, as noted in general-news media and cybersecurity publications.
- The deployment of an implant, detected by VulnCheck researchers, has raised concerns about cybersecurity, as it exploits a vulnerability in Cisco IOS XE software, allowing attackers unauthorized access to affected systems.
- In order to protect their systems from identified vulnerabilities and potential exploits, organizations running Cisco IOS XE software are advised to prioritize prompt updates to the latest patched software versions, as recommended by Cisco's cybersecurity protocol.
