This article was co-written by Sofia Liemann Escobar.
On 16 October 2023, Cisco disclosed a critical zero-day software vulnerability, CVE-2023-20198. More than 40,000 hosts are believed to have been infected, and Cisco has acknowledged that the vulnerability has been exploited in the wild.
The vulnerability affects the Web User Interface (UI) of Cisco’s Internetworking Operating System (IOS) XE Software. IOS XE is the operating system that runs on several Cisco products, including switches, routers, access points, and wireless controllers.
Successful exploitation of CVE-2023-20198 allows an unauthenticated attacker to create an account on the affected system with level 15 access, the highest privilege level. With such access, attackers can collect configuration information, create additional admin accounts, and leverage other vulnerabilities to gain control of the affected system. The vulnerability has been given a CVSS rating of 10.0, reflecting the criticality and severity of the threat it poses to organisations if left unpatched.
A second zero-day vulnerability, CVE-2023-20273, was disclosed a few days later and is also being exploited by malicious actors. Exploiting this second vulnerability enables remote, authenticated attackers to inject arbitrary commands that run as the root user. Cisco disclosed that it was being used to elevate privileges after exploiting CVE-2023-20198.
Though recommendations have been issued to mitigate attacks and Cisco has released initial fixes, the vulnerability continues to be exploited. On 19 October, the internet intelligence platform Censys reported that 36,541 Cisco devices had been compromised. Given the widespread use of Cisco products, government entities and businesses of all sizes remain at high risk if mitigation steps are not taken.
Warnings about these Cisco vulnerabilities have now been issued by multiple cyber security authorities, including CISA in the US, the NCSC in the UK, and the Canadian Centre for Cyber Security. Norway’s National Security Authority has also cautioned that exploitation of the vulnerability has compromised several ‘important businesses’ within its private sector.
These vulnerabilities follow a series of disclosures from Cisco over the past few weeks and months. In September, Cisco released an advisory on CVE-2023-20109, a medium-severity flaw that appears to have been exploited in the wild and affects the Group Encrypted Transport VPN feature of IOS and IOS XE. Exploiting the vulnerability allows attackers to take actions on affected systems or cause devices to crash. Cisco has since released a patch to address this vulnerability.
At the end of September 2023, cyber security authorities in the US and Japan also issued an advisory on ‘BlackTech’, a sophisticated hacking group believed to be linked to the People’s Republic of China that has been exploiting routers when attacking a variety of organisations. Cisco routers, amongst others, appear to have been compromised in several instances.
What should your organisation do if impacted?
Cisco products are widely used across a range of organisations, including a large percentage of our client base. Immediate action should be taken, first to identify whether you are impacted by the zero-day vulnerability, and then to prioritise implementing the steps recommended by Cisco and other cyber security authorities to close the attack vector and prevent further attacks. The issue should be classified as critical internally, and the relevant IT stakeholders engaged to ensure a timely response.
Organisations can begin patching as initial fixes have now been released by Cisco to address both vulnerabilities. Additional fixes are expected to be released in coming weeks.
Cisco has recommended further steps to reduce the impact of a successful attack or the likelihood of lateral movement within the network. These include disabling the HTTP server feature on internet-facing systems and applying the principle of least privilege to all systems and services.
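As an added illustration (not code from the original article, from Cisco, or from Cisco Talos), the following Python script reviews a saved copy of a device’s running configuration for the two things the steps above call for: whether the HTTP/HTTPS server feature is still enabled, and whether any privilege-15 accounts exist beyond the ones the administrator knows about, which is the footprint an unauthenticated attacker exploiting CVE-2023-20198 would leave. The sample configurations, hostnames, usernames and the allow-list are constructed for this example; the IOS XE command syntax it looks for (`ip http server`, `ip http secure-server`, `username … privilege 15`) is real.

```python
import re
from typing import Dict, List, Set

# Constructed sample excerpts of `show running-config` output (not real devices).
# The first device still has the Web UI enabled and carries a privilege-15
# account the administrator does not recognise; the second is hardened.
SAMPLE_CONFIG_EXPOSED = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

SAMPLE_CONFIG_HARDENED = """\
hostname edge-rtr-02
!
username netadmin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
no ip http server
no ip http secure-server
!
"""

# Accounts the administrator knows should hold level-15 access (constructed).
# Any other privilege-15 username in the config is flagged for review.
KNOWN_LEVEL15_ACCOUNTS: Set[str] = {"netadmin"}

# Matches local user definitions such as "username bob privilege 15 secret ...".
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def web_ui_state(config: str) -> Dict[str, bool]:
    """Return whether the HTTP and HTTPS servers are enabled in this config.

    IOS XE prints `ip http server` / `ip http secure-server` when the feature
    is on and the `no ...` form when it has been explicitly disabled. A config
    that mentions neither is treated as disabled here; on a real device,
    confirm the live state rather than relying on the absence of the line.
    """
    state = {"http": False, "https": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
    return state


def unexpected_level15_accounts(config: str, known: Set[str]) -> List[str]:
    """Return privilege-15 usernames that are not on the administrator's allow-list."""
    found = []
    for raw in config.splitlines():
        match = USERNAME_RE.match(raw.strip())
        if match and int(match.group(2)) == 15 and match.group(1) not in known:
            found.append(match.group(1))
    return found


def assess(config: str, known: Set[str] = KNOWN_LEVEL15_ACCOUNTS) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    state = web_ui_state(config)
    if state["http"]:
        findings.append("HTTP server enabled: apply `no ip http server`")
    if state["https"]:
        findings.append("HTTPS server enabled: apply `no ip http secure-server`")
    for user in unexpected_level15_accounts(config, known):
        findings.append(f"unexpected privilege-15 account: {user}")
    return findings


if __name__ == "__main__":
    samples = (("edge-rtr-01", SAMPLE_CONFIG_EXPOSED), ("edge-rtr-02", SAMPLE_CONFIG_HARDENED))
    for name, cfg in samples:
        print(f"{name}:")
        for finding in assess(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against real exports, the allow-list is the important input: any level-15 account that is not on it deserves an explanation from the team, and the `no ip http server` / `no ip http secure-server` lines are the change Cisco’s mitigation refers to when it says to disable the HTTP server feature on internet-facing systems.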
Finally, Cisco Talos has provided indicators of compromise to assist any organisation going through an incident response investigation. We will continue to monitor developments around this story and support any impacted clients. In the meantime, it is crucial for Cisco users to install the security fix outlined in Cisco’s updated security advisory.