Cisco has announced that it will release a patch on October 22 to address a critical zero-day vulnerability in its IOS XE software [8]. Cisco has also disclosed a second, previously unknown flaw that has likewise been exploited in attacks [8]. This summary describes both vulnerabilities and their impact, lists the mitigation measures organizations can take, and closes with the current status of the vulnerabilities and the number of compromised devices.

Description

On October 16th, 2023 [6], Cisco published a security advisory regarding two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273 [4] [9], found in the web UI feature of its IOS XE devices. The first, CVE-2023-20198 [1]–[10], allows unauthenticated attackers to create an account with privileged access on vulnerable devices [6]. It is actively being exploited [6], with the first bug used for initial access and the second for privilege escalation [3], and it has already been used to compromise over 10,000 Cisco devices [3]. Cisco has assigned CVE-2023-20198 the maximum CVSS score of 10.0.

While no patch is available yet [6], organizations can reduce their exposure by disabling the HTTP Server feature or by limiting access to it to trusted networks [6]. They should also check for unknown user accounts and for the presence of an implant, since the adversaries deploy a backdoor for arbitrary code execution [6]. Cisco plans to release patches for these vulnerabilities on October 22; the second vulnerability, CVE-2023-20273 [1]–[10], is likewise still pending a fix.

The reason for the sudden reduction in the number of internet-facing Cisco devices showing the malicious implant is unclear [4]; theories suggest a coordinated action by the attackers or by law enforcement [4]. Organizations are urged to investigate their devices to ensure they have not been compromised [4].
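As an added example (not code from Cisco or from any of the cited sources), the following Python script audits the text of an IOS XE `show running-config` for the two mitigations described above: whether the web UI (`ip http server` / `ip http secure-server`) is enabled without an `ip http access-class` restriction, and whether local `username` entries exist outside an approved list. The sample configuration, the account name `svc_backup` and the approved-user set are constructed assumptions.

```python
import re

# Constructed sample of `show running-config` output for illustration only;
# "svc_backup" is a hypothetical unexpected local account.
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
!
no ip http server
ip http secure-server
ip http authentication local
"""

# Accounts the operator expects to see (assumption for this example).
APPROVED_USERS = {"netops"}
USERNAME_RE = re.compile(r"^username\s+(\S+)")
ACCESS_CLASS_RE = re.compile(r"^ip http access-class\b")

def audit_config(config, approved_users=APPROVED_USERS):
    """Flag an exposed web UI and local accounts outside the approved list."""
    http_on = https_on = restricted = False
    unknown_users = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":          # 'no ip http server' does not match
            http_on = True
        elif line == "ip http secure-server":
            https_on = True
        elif ACCESS_CLASS_RE.match(line):     # an ACL limits who can reach the web UI
            restricted = True
        else:
            m = USERNAME_RE.match(line)
            if m and m.group(1) not in approved_users:
                unknown_users.append(m.group(1))
    enabled = http_on or https_on
    return {
        "webui_enabled": enabled,
        "webui_exposed": enabled and not restricted,
        "unknown_users": unknown_users,
    }

def mitigation_commands(findings):
    """Config lines that disable the web UI when it is reachable without an ACL."""
    if not findings["webui_exposed"]:
        return []
    return ["no ip http server", "no ip http secure-server"]
```

Unexpected accounts reported by `audit_config` are a signal to investigate the device, not proof of compromise on their own.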

Conclusion

The impact of these zero-day vulnerabilities is significant, with over 10,000 Cisco devices already compromised. However, the number of compromised devices is now declining as administrators apply mitigations [8]. Cisco’s upcoming patch will address both vulnerabilities, closing the flaws the ongoing attacks rely on. Until then, it is crucial for organizations to implement the mitigation measures and to investigate their devices to prevent further compromise. The disclosure of the attack chain used by the threat actors highlights the importance of addressing vulnerabilities promptly and thoroughly. Moving forward, organizations must stay vigilant and keep their systems up to date to protect against future threats.

References

[1] https://www.itpro.com/security/cisco-zero-day-vulnerability-hits-40000-devices-in-a-matter-of-days
[2] https://www.upguard.com/blog/cisco-cve-2023
[3] https://www.darkreading.com/application-security/cisco-zero-day-bug-patches-in-days
[4] https://www.helpnetsecurity.com/2023/10/23/disappearing-implants-cve-2023-20198-fixes/
[5] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
[6] https://www.picussecurity.com/resource/blog/cve-2023-20198-actively-exploited-cisco-ios-xe-zero-day-vulnerability
[7] https://cybersecuritynews.com/50k-cisco-ios-devices-hacked/
[8] https://www.crn.com/news/security/cisco-sets-imminent-date-for-ios-xe-patch
[9] https://securityonline.info/cve-2023-20273-cisco-ios-xe-zero-day-vulnerability/
[10] https://thehackernews.com/2023/10/cisco-zero-day-exploited-to-implant.html