Update 25/10/2023:

Another actively exploited zero-day has been found and is being used in the wild (CVE-2023-20273). Both exploits are now being used together to gain initial access and create a new local user, then to elevate privileges allowing the new user to have admin privileges on the system.

Links to the new CVE can be found below.

Update 24/10/2023:

The method of identifying compromised devices was updated and the number of compromised devices jumped back up to 38,000.

Patches have been made available by Cisco and should be applied as soon as possible.

Update 23/10/2023:

The number of compromised devices dropped sharply from 50,000 to 100 after Cisco disclosed the existence of the vulnerability as it appears that attackers modified the implant of the exploitation in an attempt to mask their activity.  

Update 20/10/2013:

The number of Cisco devices hacked through exploitation of the zero-day has now reached approximately 40,000, according to multiple sources.

Executive summary

Cisco has published a security advisory warning users of an active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE software, which could allow an unauthenticated attacker to create an account with privileged exec mode enabled, allowing them full control. According to Shodan, there are 40,000 vulnerable devices with this vulnerability exposed online.

What’s the risk to me or my business?

There is a risk that organisations with a vulnerable device with the web UI feature exposed, are leaving themselves open to allowing an attacker full access of their Cisco device, impacting the confidentiality, availability and integrity of their data.

This vulnerability affects all Cisco devices that have the web UI feature enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands. There is no patch currently available but Cisco have stated they are working on a fix. In the meantime as a mitigation Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

What can I do?

Black Arrow recommends following Cisco’s advice and disabling the HTTP server feature. The commands can be found in Cisco’s security advisory which is linked below.

Technical Summary (updated 23/10/2023)

CVE-2023-20273 The vulnerability allows a malicious attacker to use an authenticated user, such as the one CVE-2023-20198 can create, to gain admin privileges to the system.

CVE-2023-20198  The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with the highest privilege. The CVE has been given the maximum severity rating.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Further information can be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z#fs

Further information on the number of exploited devices can be found here: https://www.securityweek.com/number-of-cisco-devices-hacked-via-unpatched-vulnerability-increases-to-40000/

#threatadvisory #threatintelligence #cybersecurity