The Zero-Day Revelation
On October 16, Cisco Talos issued a stern warning about a zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE. The vulnerability was already being exploited by malicious actors.
Uncovering the Threat
The alert came after a support case investigation on September 28 revealed that a suspicious user account had been created on September 18. Further investigation on October 12 found the creation of another user account and the upload of a configuration file used to maintain persistent access. This paints a disturbing picture of the breach’s depth.
Analysis of CVE-2023-20198
This privilege escalation vulnerability, tracked as CVE-2023-20198, carries the maximum CVSS score of 10. Successful exploitation lets an attacker create a user account with full administrative privileges and take complete control of the device. But where does this vulnerability hide?
The Unexpected Twist
Malicious actors weren’t content with just CVE-2023-20198. They also leveraged CVE-2021-1435, an older vulnerability, to install an implant that allowed them to execute arbitrary code as the root user. What’s surprising is that even fully patched devices were not safe. How did the attackers manage this?
For a comprehensive understanding of the observed implant, Cisco Talos has published a detailed blog post. It is a valuable resource for anyone seeking more information about the compromised devices.
As of October 16, no proof-of-concept code for CVE-2023-20198 has been made public.
The Path to Security
In the absence of patches, Cisco recommends disabling the HTTP Server feature on internet-facing Cisco IOS XE systems. The official advisory explains how to disable the feature and how to keep it from being re-enabled after a system reload.
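The following is an added example (not Cisco's code or text from the advisory) of how a defender might audit collected IOS XE running-configs for the HTTP Server feature and emit the corresponding disable commands. The running-config excerpts are constructed for this example; `ip http server` and `ip http secure-server` are the real IOS XE commands that enable the HTTP and HTTPS servers behind the Web UI.

```python
from typing import Dict, List

# Constructed running-config excerpts (not real device output).
EXPOSED_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
ip http authentication local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-02
no ip http server
no ip http secure-server
"""

# Commands that, when present without a leading "no", enable the servers
# behind the Web UI. The audit only reflects what the captured text shows.
WEB_UI_FEATURES = ("ip http server", "ip http secure-server")

# On-device check to confirm the result after the change has been applied
# and saved, so it survives a reload.
VERIFY_COMMAND = "show running-config | include ip http server|secure|active"


def web_ui_exposure(running_config: str) -> Dict[str, bool]:
    """Return, per feature, whether the running-config text enables it."""
    enabled = {feature: False for feature in WEB_UI_FEATURES}
    for raw in running_config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        for feature in WEB_UI_FEATURES:
            # Exact match: "ip http server" must not match "ip http secure-server".
            if line == feature:
                enabled[feature] = True
            elif line == f"no {feature}":
                enabled[feature] = False
    return enabled


def remediation_for(running_config: str) -> List[str]:
    """Commands that disable each enabled feature; empty if already hardened."""
    exposure = web_ui_exposure(running_config)
    return [f"no {feature}" for feature, on in exposure.items() if on]


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, remediation_for(cfg) or "no change needed")
```

Run the returned commands in configuration mode, write the configuration to startup-config, and confirm with `VERIFY_COMMAND` that neither line remains.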
Both Cisco Talos’ blog and the Cisco security advisory offer indicators of compromise to aid in incident response investigations.