Cisco Systems Inc. [3] has recently disclosed a critical vulnerability, tracked as CVE-2023-20198 [1] [3] [4] [6], in its IOS XE software [1] [2]. The vulnerability is being actively exploited by threat actors and poses a significant risk to switches and routers running IOS XE with the web user interface exposed to the internet.

Description

The vulnerability allows for privilege escalation without authentication [8], potentially granting full control of the compromised device [7] [8]. Cisco has assigned a CVSS severity score of 10, indicating the highest possible level of severity. Cisco Talos [2] [3] [4] [6] [7] [9], the security intelligence and research group, first detected attacks on September 18 and observed additional activity on October 12 [3].

To protect against this vulnerability [4], Cisco advises customers to disable the HTTP Server feature on all internet-facing IOS XE devices [3] [4]. Detailed instructions on how to disable the feature, along with indicators of compromise and Snort rules, are provided in a security advisory [5] [7]. It is crucial to save the running-configuration after disabling the feature; otherwise the feature may be unexpectedly re-enabled when the system reloads [5]. Unfortunately, there is currently no patch available for this vulnerability [4]. Cisco has confirmed active exploitation and is actively working on a fix [8].
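As an added example that is not part of the original article or of Cisco's advisory, the following Python audit checks an exported IOS XE running-config and startup-config for the HTTP Server feature and for the unsaved-change case described above (disabled in running-config but still enabled in startup-config). The two configs are constructed samples, and the regex assumes the standard `ip http server` / `ip http secure-server` config lines.

```python
import re

# Constructed sample configs (not from any real device): the operator has
# disabled the web UI in the running-config but has not saved it yet.
RUNNING_CONFIG = """\
hostname edge-rtr-1
!
no ip http server
no ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
"""

STARTUP_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
"""

# Matches a top-level "ip http server" / "ip http secure-server" line,
# with or without the leading "no " that marks it as disabled.
_HTTP_RE = re.compile(r"^(?P<neg>no )?ip http (?P<svc>server|secure-server)\s*$", re.M)


def http_services(config: str) -> dict:
    """Return {'server': state, 'secure-server': state} for one config.

    True  = explicitly enabled, False = explicitly disabled,
    None  = no line present (verify on the box with `show ip http server status`).
    """
    state = {"server": None, "secure-server": None}
    for m in _HTTP_RE.finditer(config):
        state[m.group("svc")] = m.group("neg") is None
    return state


def audit(running: str, startup: str) -> list:
    """Compare running and startup configs; return (service, finding) pairs.

    'enabled'       -> web UI service still on in the running-config
    'unknown'       -> no explicit line; platform default applies, check manually
    'not-persisted' -> disabled now, but startup-config will re-enable it on reload
    """
    findings = []
    run, start = http_services(running), http_services(startup)
    for svc in ("server", "secure-server"):
        if run[svc] is True:
            findings.append((svc, "enabled"))
        elif run[svc] is None:
            findings.append((svc, "unknown"))
        elif start[svc] is not False:
            findings.append((svc, "not-persisted"))
    return findings


if __name__ == "__main__":
    for svc, finding in audit(RUNNING_CONFIG, STARTUP_CONFIG):
        print(f"ip http {svc}: {finding}")
```

On the sample input both services are reported as `not-persisted`, which is exactly the state a `copy running-config startup-config` (or `write memory`) resolves.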

This vulnerability has widespread impact [8], potentially affecting any switch, router, or Wireless LAN Controller running IOS XE with the web UI exposed to the internet [8]. It is of particular interest to nation-state actors focused on espionage, as it provides an ideal tool for manipulating network traffic [8].

To mitigate the risk, users and administrators are strongly urged to review the advisory [9], implement the recommended measures, monitor for any malicious activity [9], and promptly report any findings to CISA (Cybersecurity and Infrastructure Security Agency). The recommendation to disable the HTTP server feature aligns with best practices and guidance from the U.S. government on mitigating risk from internet-exposed management interfaces [7]. Additionally, experts recommend implementing an automated and effective patching solution to address the vulnerability [3].

Conclusion

The disclosed vulnerability in Cisco’s IOS XE software poses a critical threat to switches and routers with the web interface exposed to the internet. It allows for privilege escalation without authentication [8], potentially granting full control of compromised devices [7] [8]. While a patch is not currently available, Cisco is actively working on addressing the issue [8]. In the meantime, disabling the HTTP Server feature and implementing recommended measures are crucial steps to mitigate the risk. This vulnerability has widespread impact and is particularly attractive to nation-state actors focused on espionage. It is essential for users and administrators to stay vigilant, monitor for any malicious activity [9], and promptly report any findings to CISA. Implementing an automated and effective patching solution is also recommended to address the vulnerability and enhance overall security.

References

[1] https://www.tenable.com/blog/cve-2023-20198-zero-day-vulnerability-in-cisco-ios-xe-exploited-in-the-wild
[2] https://www.techtarget.com/searchsecurity/news/366555575/Cisco-working-on-fix-for-critical-IOS-XE-zero-day
[3] https://siliconangle.com/2023/10/16/cisco-warns-customers-actively-exploited-critical-vulnerability-ios-xe-devices/
[4] https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit
[5] https://www.helpnetsecurity.com/2023/10/16/cve-2023-20198/
[6] https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
[7] https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
[8] https://www.crn.com/news/security/cisco-ios-xe-vulnerability-here-s-what-to-know
[9] https://www.cisa.gov/news-events/alerts/2023/10/16/cisco-releases-security-advisory-ios-xe-software-web-ui