Cisco has released a patch for two zero-day vulnerabilities in its IOS XE Software that have been actively exploited by threat actors. The first, CVE-2023-20198, affects any IOS XE device with the web UI (HTTP Server) feature enabled and reachable by the attacker. It allows a remote, unauthenticated attacker to create a local account with privilege level 15, the highest administrative level on the device. The attackers then used that account to install a malicious implant, which is saved on the device as a configuration file and lets them run commands on it.
Cisco’s security research team, Talos, found that on October 19 and 20 the threat actors began adding techniques to avoid detection. Newer versions of the implant check for an HTTP Authorization header on incoming requests, primarily to defeat the original curl-based check that Talos had published: a request without the expected header gets no tell-tale response, so the device looks uninfected. Talos believes this header check, not any clean-up of devices, explains the sharp drop in the number of visibly infected systems that scanners observed at the time. To address this, Cisco updated the curl command in its advisory so that it also identifies the implant variants that perform the header check.
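The detection change described above, as an added example that is not Cisco’s or Talos’s code: a local Python stand-in for both implant variants, and a probe that mirrors the logic of the published curl checks (a POST to the implant’s request path under the web UI, which the implant answers with an 18-character hexadecimal string). The stand-in server is a constructed emulation, not the real implant, and it only tests whether an Authorization header is present; the value in AUTH_TOKEN is a placeholder, not the header value from Cisco’s updated guidance. Running it shows the original check finding the first variant but missing the header-checking one, and the updated check finding both.

```python
"""Added example (not Cisco/Talos code): why the original curl check stopped
finding the header-checking implant variant, and why the updated one works."""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request path used by the published curl checks.
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# Placeholder only; the real check uses the header value from Cisco's guidance.
AUTH_TOKEN = "placeholder-authorization-value"
# The published indicator of compromise: an 18-character hex string in the body.
HEX18 = re.compile(r"^[0-9a-fA-F]{18}$")
# Constructed marker the stand-in returns, matching the indicator's shape.
MARKER = b"0123456789abcdef01"


def make_handler(requires_auth_header):
    """Build a handler emulating one implant variant (constructed stand-in)."""
    class ImplantStandIn(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the emulation quiet
            pass

        def do_POST(self):
            if self.path != IMPLANT_PATH:
                self.send_error(404)
                return
            if requires_auth_header and "Authorization" not in self.headers:
                # Newer variant: no header, so answer like an uninfected device.
                self.send_response(200)
                self.end_headers()
                return
            self.send_response(200)
            self.send_header("Content-Length", str(len(MARKER)))
            self.end_headers()
            self.wfile.write(MARKER)
    return ImplantStandIn


def start_stand_in(requires_auth_header):
    """Start an emulated implant on a random loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(requires_auth_header))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(base_url, with_header):
    """Mirror the curl check: POST to the implant path, look for the hex marker.
    with_header=False is the original check; True is the updated one."""
    req = urllib.request.Request(base_url + IMPLANT_PATH, data=b"", method="POST")
    if with_header:
        req.add_header("Authorization", AUTH_TOKEN)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.URLError:
        return False
    return bool(HEX18.match(body))


def compare_checks():
    """Run both checks against both variants; returns {(variant, check): found}."""
    results = {}
    for variant, needs_header in (("original", False), ("header-checking", True)):
        srv = start_stand_in(needs_header)
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        try:
            results[(variant, "original_check")] = probe(base, with_header=False)
            results[(variant, "updated_check")] = probe(base, with_header=True)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for (variant, check), found in compare_checks().items():
        print(f"{variant:16s} implant, {check:15s}: {'FOUND' if found else 'missed'}")
```

The practical lesson is the one Talos drew: a negative result from a probe that the implant has been modified to recognize is not evidence of a clean device, so detection guidance has to be re-validated whenever the actor changes the implant.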
Additionally, Talos uncovered a second zero-day, CVE-2023-20273, a command injection flaw in another component of the same web UI feature. Using the level-15 account created through the first vulnerability, the attackers injected commands that ran with root privileges, which is how they wrote the implant to the device’s file system and gained arbitrary command execution.
Initially, the only recommended mitigation was to disable the HTTP Server feature on all internet-facing systems. Cisco has now released fixed software that closes both vulnerabilities. Patching stops new compromises but does not clean up an existing one: the implant itself does not survive a reboot, but the local accounts the attackers created remain, so devices that were exposed should be checked for the implant and for unexpected privilege-15 users as well as upgraded.
Although Cisco acknowledged exploitation in its initial disclosure, researchers soon found that its scale was much larger than first thought. Security vendor VulnCheck reported that “thousands” of internet-facing Cisco IOS XE systems had been compromised with implants and released a scanning tool to help organizations check their own devices. The security nonprofit Shadowserver, which regularly scans for signs of vulnerability exploitation, reported 30,487 unique IP addresses hosting CVE-2023-20198 implants.
When asked to comment on the extent of the exploitation, Cisco declined but issued a statement emphasizing its commitment to transparency and addressing security issues promptly. The vendor urged customers to take immediate action by downloading the available fix to protect their systems.
On October 23, Cisco published an update to its advisory, providing enhanced guidance on detecting the presence of the implant. This update came after the discovery of a new variant that makes it harder to identify compromised systems. Cisco strongly advised customers to follow the provided guidance and install the security fix outlined in its updated advisory and Talos blog.
The patch and the updated detection guidance give affected organizations what they need to respond. Anyone running IOS XE should install the fixed release, keep the web UI off the internet, and check devices for the implant and for accounts they did not create, rather than assuming that a negative result from the original check means the device is clean.

