Advisory

Critical Cisco IOS vulnerability being actively hacked, no patch available

Take action: Time to wake up your network engineering team and comb through all Cisco routers for the IOS XE version they run, disable the Web UI/HTTP server on internet-facing interfaces and check for unknown user accounts. Reboot any device you suspect is compromised to flush the malicious payload. Then wait for the patch and apply it ASAP.


Learn More

Cisco has issued a warning about a critical zero-day vulnerability, identified as CVE-2023-20198, in its IOS XE Software that is being actively exploited by threat actors. The vulnerability allows attackers to gain full administrator privileges and take control of affected routers. The key details, aggregated from the available information, are:

The vulnerability is tracked as CVE-2023-20198 (CVSS v3 score 10). It is a maximum-severity zero-day vulnerability in Cisco's IOS XE Software. Threat actors have been actively exploiting it since at least September 18. At this moment there is no patch; Cisco is actively working on a software fix for this vulnerability.

Update - Customers can expect Cisco to roll out the patch on Sunday, Oct. 22. The vendor has also identified a second flaw, tracked as CVE-2023-20273, that the attackers have been using to gain root access to Cisco devices for a full takeover.

The vulnerability affects both physical and virtual devices that have the Web User Interface (Web UI) feature enabled. Attackers exploit it when such devices are exposed to the internet or to untrusted networks.

Successful exploitation grants attackers full control of the compromised device, allowing for unauthorized activities.

Attackers create a local user account with privilege level 15 access after exploiting the vulnerability. Malicious activity involves creating user accounts with suspicious usernames, such as "cisco_tac_admin." A malicious payload script is deployed to execute arbitrary commands at the system or IOS levels.

Mitigation Measures
Cisco advises disabling the HTTP server feature on internet-facing systems to block incoming attacks.
Organizations should look for unexplained or newly created user accounts as potential indicators of malicious activity.
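A way to turn the two mitigation checks above (Web UI enabled, unexplained privilege-15 accounts) into a repeatable review of a saved `show running-config` is the following script. It is an added example written for this advisory, not Cisco's own tooling; the config excerpt and the baseline of known accounts are constructed for illustration.

```python
import re

# Constructed excerpt of an IOS XE running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Assumed baseline: local accounts the network team knows it created.
KNOWN_ACCOUNTS = {"netops", "monitor"}

# Matches "username <name>" with an optional "privilege <n>" clause.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)

def http_server_lines(config: str) -> list[str]:
    """Return the config lines that leave the Web UI reachable (plain and TLS)."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() in ("ip http server", "ip http secure-server")]

def unknown_priv15_users(config: str, known: set[str]) -> list[str]:
    """Return privilege-15 local users that are not in the known baseline."""
    hits = []
    for name, priv in USER_RE.findall(config):
        if priv == "15" and name not in known:
            hits.append(name)
    return hits

def review_config(config: str, known: set[str]) -> dict:
    """Combine both checks into one findings record for a device."""
    return {
        "web_ui_enabled": http_server_lines(config),
        "unknown_priv15_users": unknown_priv15_users(config, known),
    }

if __name__ == "__main__":
    findings = review_config(SAMPLE_CONFIG, KNOWN_ACCOUNTS)
    for key, items in findings.items():
        print(f"{key}: {items or 'none'}")
```

Run it over the running-config collected from each device; any unknown privilege-15 user or an active `ip http server` / `ip http secure-server` line on an internet-facing box is a finding to follow up.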

One approach to detecting the presence of the malicious payload on compromised Cisco IOS XE devices involves running the following command against the device, where the placeholder "DEVICEIP" represents the IP address under investigation:

curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"


The malicious payload is not persistent and is removed by a device reboot. In some cases the attackers have exploited a medium-severity vulnerability, CVE-2021-1435, to deliver the implant.

Cisco has seen IP addresses associated with the attacks: 5.149.249[.]74 and 154.53.56[.]231.