Thousands of IOS XE devices still infected, Cisco advises customers to apply patches immediately
Critical and High-Severity Vulnerabilities in Cisco IOS XE Software Require Urgent Attention
A security alert has been issued for two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, in Cisco IOS XE software. This software is widely used in enterprise switches, wireless controllers, aggregation routers, and access points.
CVE-2023-20198 is a critical vulnerability that allows an attacker to gain initial access and write a local user name and password through privilege 15 commands. It is related to an SNMPv3 configuration restriction vulnerability in Cisco IOS and IOS XE Software.
On the other hand, CVE-2023-20273 is a high-severity vulnerability that allows an attacker to escalate privileges and write malicious implants to the file system.
Recent reports suggest that an unidentified threat actor has been exploiting these vulnerabilities in the web user interface, infecting tens of thousands of devices with a malicious backdoor. CVE-2023-20273 has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency.
Patching is the Primary Mitigation
Cisco has released patched IOS XE software versions, including fixes for SNMPv3-related vulnerabilities like CVE-2023-20198. The latest stable IOS XE versions listing this CVE are 17.15.1 and 17.17.1. The general recommended action is to immediately update affected Cisco IOS XE devices to the latest Cisco-recommended software version that includes patches for these vulnerabilities.
Detection of Compromise
Detecting if a device is compromised by these vulnerabilities typically involves checking intrusion detection system (IDS) or security information and event management (SIEM) logs for unusual commands or accesses exploiting SNMP or IOS XE services. Verifying if the device is running an unpatched IOS XE version listed as vulnerable by Cisco, and reviewing device behavior for unexplained crashes, high CPU utilization, or network anomalies triggered by exploit activities are also important steps.
Cisco and some third-party vulnerability management tools can scan network devices to identify if they run vulnerable IOS XE versions, aiding in risk assessment.
Stay Informed and Vigilant
Since there are no specific public details on CVE-2023-20273, regularly checking Cisco advisories is essential. The Cisco Talos blog now includes a curl command to confirm the presence of implants on a device. Researchers at Fox-IT temporarily could not detect the presence of the implants over the weekend. Cisco Talos researchers issued enhanced detection guidance on Monday.
In summary, patching affected Cisco IOS XE devices with the latest recommended software versions is the primary mitigation for CVE-2023-20198 and likely for CVE-2023-20273. Detection relies on security monitoring and ensuring devices are not running vulnerable releases.
In the current cybersecurity landscape, it's crucial to prioritize the use of technology to address the vulnerabilities in Cisco IOS XE software. The recent discovery of CVE-2023-20198 and CVE-2023-20273 emphasizes the need for enhanced cybersecurity measures, as these vulnerabilities, if exploited, could lead to significant security breaches.
