Updated: Oct 30
We recommend patching Cisco devices that run Cisco IOS XE Software with the web user interface enabled.
See Cisco's software fix availability information here: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html
Cisco has disclosed a critical zero-day vulnerability in its IOS XE software, which runs on many of its switches and routers.
In a statement released on October 16, Cisco disclosed that it has seen "active exploitation" of this vulnerability by attackers. Cisco has assigned it the maximum CVSS severity rating of 10.0 out of 10.0.
Excerpts from CRN provide additional details about this vulnerability:
The previously unknown vulnerability impacts the web user interface (UI) capability in IOS XE, a widely used Cisco networking software platform, “when exposed to the internet or to untrusted networks.”
The critical vulnerability can enable escalation of privileges by a remote user without authentication, Cisco said.
Exploitation of the vulnerability—which is tracked as CVE-2023-20198—can allow a malicious actor “to create an account on the affected device with privilege level 15 access,” Cisco’s Talos threat intelligence team said in a blog post. Doing so equates to “effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” the Talos blog said.
CRN also reported:
The Cisco Talos team said that it discovered initial evidence pointing to malicious activity on Sept. 28. “Upon further investigation, we observed what we have determined to be related activity as early as Sept. 18,” the Talos team said in its post.
Cisco has not provided the list of devices affected — meaning that any switch, router or WLC (Wireless LAN Controller) that’s running IOS XE and has the web UI exposed to the internet is vulnerable, said Mayuresh Dani, manager of threat research at cybersecurity firm Qualys, in an email to CRN.
Based on research using the Shodan search engine, there are about 40,000 Cisco devices that have web UI exposed to the internet, Dani said.
Notably, network devices have long been a sought-after target for nation-state actors focused on espionage, said John Bambenek, principal threat hunter at security analytics firm Netenrich, in an email to CRN.
This vulnerability gives such attackers an ideal tool to manipulate network traffic in a subtle fashion, Bambenek said.
At the time of the original post, a patch had not yet been released, but Cisco stated that addressing the issue was a "matter of top priority":
“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” Cisco said in a statement provided to CRN Monday. “Cisco will provide an update on the status of our investigation through the security advisory.”
In the meantime, Cisco advises the following:
Cisco is "strongly" recommending that customers disable the HTTP Server feature on all of their internet-facing systems.
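The two things a practitioner will want to check on each IOS XE device are whether the HTTP Server feature is enabled (the recommendation above) and whether any privilege level 15 account exists that the team did not create (the account-creation behaviour Talos describes earlier). The following Python script is an added example written for this page; it is not Cisco's tooling and not code from the original post. It audits a `show running-config` excerpt offline: it reports whether `ip http server` or `ip http secure-server` is present, lists privilege 15 accounts that are not on a caller-supplied allowlist, and emits the global-configuration commands that disable the feature. The sample config, the hostname and the usernames (including the `netadmin` allowlist) are constructed for illustration.

```python
"""Audit a Cisco IOS XE running-config for an enabled web UI and for
unexpected privilege 15 accounts. Added example for this page; not Cisco's
tooling. The sample configuration below is constructed, not from a device."""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample of `show running-config` output (hostname, users and
# secret hashes are placeholders).
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholderhash1
username svc_backup privilege 15 secret 9 $9$placeholderhash2
username helpdesk privilege 1 secret 9 $9$placeholderhash3
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Anchored at line start, so "no ip http server" does not match and
# "ip http authentication local" is not mistaken for the server.
HTTP_RE = re.compile(r"^ip http server\b", re.MULTILINE)
HTTPS_RE = re.compile(r"^ip http secure-server\b", re.MULTILINE)
# IOS syntax: username NAME [privilege LEVEL] {secret|password} ...
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.MULTILINE)


@dataclass
class AuditResult:
    http_server: bool
    https_server: bool
    priv15_users: List[str] = field(default_factory=list)
    unexpected_priv15: List[str] = field(default_factory=list)

    def web_ui_enabled(self) -> bool:
        return self.http_server or self.https_server

    def remediation(self) -> List[str]:
        """Global-configuration commands that disable the HTTP Server
        feature. Both are required when both servers are enabled."""
        cmds = []
        if self.http_server:
            cmds.append("no ip http server")
        if self.https_server:
            cmds.append("no ip http secure-server")
        return cmds


def audit_running_config(config: str, expected_admins: Set[str]) -> AuditResult:
    result = AuditResult(
        http_server=bool(HTTP_RE.search(config)),
        https_server=bool(HTTPS_RE.search(config)),
    )
    for name, level in USER_RE.findall(config):
        # Privilege level defaults to 1 when the keyword is absent.
        if int(level or 1) == 15:
            result.priv15_users.append(name)
            if name not in expected_admins:
                result.unexpected_priv15.append(name)
    return result


if __name__ == "__main__":
    r = audit_running_config(SAMPLE_RUNNING_CONFIG, expected_admins={"netadmin"})
    print(f"HTTP server enabled:  {r.http_server}")
    print(f"HTTPS server enabled: {r.https_server}")
    print(f"Privilege 15 users:   {r.priv15_users}")
    print(f"Unexpected level-15 accounts (investigate): {r.unexpected_priv15}")
    if r.remediation():
        print("Apply in global configuration mode, then save the configuration:")
        for cmd in r.remediation():
            print(f"  {cmd}")
```

On the device itself, Cisco's advisory gives the equivalent check as `show running-config | include ip http server|secure|active`; if either `ip http server` or `ip http secure-server` appears, the HTTP Server feature is enabled. Disabling it is `no ip http server` and `no ip http secure-server` in global configuration mode, followed by saving the running configuration to startup. An unexpected level-15 account is a reason to treat the device as possibly compromised and investigate before simply deleting the account.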
Organizations should utilize the time they have until a patch is issued to make sure they have an automated, effective patching system in place, said John Gallagher, vice president of Viakoo Labs at IoT security firm Viakoo.
If you have any questions or need assistance, please contact us. We'd be happy to help, whether as a security sounding board, as extra hands for preventive measures, or with implementing the patch.