CVE-2023-20198
Overview: A critical patch for Cisco IOS XE devices has been issued. Over 40k known exploited Cisco devices have been discovered.
Threat Name: CVE-2023-20198
Risk Factor: Critical
Date: 24th Oct 2023
Get Help Now
Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis
What We Know About The Attack
Cisco has announced that a known zero-day, CVE-2023-20198, is currently being exploited. This vulnerability has the highest CVSS score of 10. It is a privilege escalation vulnerability that allows an unauthenticated attacker to create a high-privilege account on the affected system.
During the known attack, Cisco has observed the use of another vulnerability, CVE-2023-20273. This CVE allows a remote authenticated attacker to inject arbitrary commands as the root user. The number of detected implants on affected devices plummeted at the weekend. This was likely caused by the threat actors modifying the implant to evade detection.
The threat actor’s intentions are unknown. It is currently believed that over 40K devices have implants. (24/10/23)
Which Organisations Are Affected By This Attack?
Any organisation using Cisco IOS XE devices. The questions to address next concern the configuration of your server:
Is it set up with either HTTP or HTTPS management? If it is configured this way and remains unpatched, there is potential for exploitation.
Do you operate any services that rely on HTTP or HTTPS communication, such as eWLC? If the answer is no, it is advisable to deactivate the HTTP Server feature. However, if the answer is yes, consider limiting access to those services to trusted networks, if feasible.
Solace Cyber Recommendations
To ensure that your systems have not been compromised, it is essential to follow these steps:
- Check for Compromise: Refer to Cisco’s guidance, where they have released a specific curl command to assist in the verification process. This command will help you assess if there are any malicious artifacts present on the Cisco devices that are linked to this activity.
- Disable the HTTP Server Feature or Limit its Access: On all devices that are exposed to the internet, it is highly recommended to disable the HTTP server feature. This will eliminate a potential attack vector and reduce the risk of unauthorised access through this avenue. By doing so, you are taking proactive steps to enhance the security of your network infrastructure. Alternatively, make it accessible only to trusted IP addresses.
- Patch Your Cisco IOS XE Devices: It is of utmost importance to apply the latest security patches to your Cisco IOS XE devices without delay. Timely patching is a critical aspect of maintaining a secure network environment. By keeping your devices up to date with the latest security updates, you are fortifying your infrastructure against known vulnerabilities and reducing the likelihood of exploitation by malicious actors.
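The configuration questions above (is HTTP or HTTPS management enabled, and is access limited to trusted networks) can be checked offline against exported running-configs. The following is an added example, not Solace Cyber's or Cisco's code; the sample configs, the ACL name MGMT-ONLY and the function name audit_web_ui are constructed for illustration.

```python
import re

# Constructed running-config excerpts for illustration; not from a real device.
EXPOSED = "hostname r1\nip http server\nip http secure-server\n"
RESTRICTED = (
    "hostname r2\nno ip http server\nip http secure-server\n"
    "ip http access-class ipv4 MGMT-ONLY\n"
    "ip access-list standard MGMT-ONLY\n permit 10.0.0.0 0.0.0.255\n"
)
DANGLING = "hostname r3\nip http secure-server\nip http access-class ipv4 MGMT-ONLY\n"
DISABLED = "hostname r4\nno ip http server\nno ip http secure-server\n"


def audit_web_ui(config: str) -> dict:
    """Classify the web UI exposure of one IOS XE running-config (hypothetical helper)."""
    lines = [ln.strip() for ln in config.splitlines()]
    http = "ip http server" in lines            # exact match skips "no ip http server"
    https = "ip http secure-server" in lines
    # ACL bound to the HTTP server: "ip http access-class [ipv4|ipv6] <name-or-number>"
    acls = [m.group(1) for ln in lines
            if (m := re.fullmatch(r"ip http access-class (?:ipv[46] )?(\S+)", ln))]
    # ACLs defined in the same config: named IPv4, named IPv6, or numbered
    defined = set()
    for ln in lines:
        m = re.match(r"(?:ip access-list (?:standard|extended) "
                     r"|ipv6 access-list |access-list )(\S+)", ln)
        if m:
            defined.add(m.group(1))
    missing = [a for a in acls if a not in defined]
    if not (http or https):
        verdict = "disabled"       # HTTP Server feature is off
    elif not acls:
        verdict = "exposed"        # enabled with no source restriction
    elif missing:
        verdict = "review"         # references an ACL this config never defines
    else:
        verdict = "restricted"     # enabled, bound to an ACL that exists
    return {"http": http, "https": https, "acls": acls,
            "missing_acls": missing, "verdict": verdict}


if __name__ == "__main__":
    for name, cfg in [("r1", EXPOSED), ("r2", RESTRICTED),
                      ("r3", DANGLING), ("r4", DISABLED)]:
        print(name, audit_web_ui(cfg))
```

A "restricted" verdict only confirms that an ACL is bound and defined; the ACL entries themselves still need checking against your trusted networks, and the device still needs patching.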
In summary, following these steps diligently will help you mitigate the risks associated with the disclosed vulnerabilities, maintain the security of your network, and protect your systems and data from potential threats.