Cisco warns customers about critical zero-day in IOS XE software
Cisco is warning customers about an actively exploited vulnerability in its IOS XE software. The vulnerability allows attackers to gain administrator rights on devices, letting them completely take over affected routers and switches.
According to Cisco, the vulnerability is a privilege escalation bug in Cisco IOS XE. The critical vulnerability, rated a CVSS severity score of 10 out of 10, only affects devices that use the IOS XE web UI in combination with the HTTP Server or HTTPS Server features. The vulnerability is already being exploited, Cisco says. The bug is tracked as CVE-2023-20198. It was discovered on September 28 after reports of ‘strange activity’ on a customer’s device. According to Cisco, the vulnerability has been actively exploited by an unknown threat actor since at least September 18.
The vulnerability allows remote attackers to create an admin account with ‘privilege level 15’ access. That is the highest level of access on Cisco equipment, giving users full control over a router or switch. The attacker can then create a local account. In ‘most cases’ an implant was then placed with which arbitrary code could be executed. That implant is removed on a system reboot, but the local account continues to work afterwards, so the implant can be reinstalled. It is placed in usr/binos/conf/nginx-conf/cisco_service.conf and consists of two strings of code.
Attackers can exploit the vulnerability to take over Cisco IOS XE devices that are exposed to the Internet and use the HTTP Server and HTTPS Server features. Attackers appear to be exploiting the vulnerability in combination with an older vulnerability, CVE-2021-1435, which was fully patched in 2021. However, Cisco’s Talos security team says it has also seen fully patched devices that were still taken over, through a method that has ‘not yet been determined’.
Cisco users are advised to scan their network for “signs of compromise.” The easiest way is to search for unknown, newly created users on their devices. Users are also recommended to disable the HTTP Server and HTTPS Server features on devices exposed to the Internet. The company has published a blog post with instructions for determining whether a device is compromised and further recommendations.
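As an added example (not Cisco's or Talos's code), the following script applies the two checks the article recommends to a saved `show running-config` dump: it lists privilege-15 local accounts that are not on a known-admin allowlist and reports whether the HTTP Server and HTTPS Server features are enabled. The configuration text, the account names and the hashes are constructed for illustration.

```python
import re

# Constructed sample of `show running-config` output; "svc_unknown" stands in for
# an unexpected privilege-15 account and is not taken from any real incident.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholderhash
username svc_unknown privilege 15 secret 9 $9$placeholderhash
username readonly privilege 1 secret 9 $9$placeholderhash
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Accounts the network team knows about; anything else at privilege 15 is flagged.
KNOWN_ADMINS = {"netops"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)


def unexpected_admins(config: str, known: set) -> list:
    """Return privilege-15 usernames that are not in the known-admin set."""
    return sorted(
        name for name, level in USERNAME_RE.findall(config)
        if int(level) == 15 and name not in known
    )


def web_ui_exposed(config: str) -> dict:
    """Report whether the HTTP and HTTPS server features are enabled.

    IOS XE writes `ip http server` / `ip http secure-server` when enabled and
    `no ip http server` / `no ip http secure-server` when disabled.
    """
    lines = {ln.strip() for ln in config.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
    }


if __name__ == "__main__":
    print("unexpected privilege-15 accounts:", unexpected_admins(SAMPLE_CONFIG, KNOWN_ADMINS))
    print("web UI exposure:", web_ui_exposed(SAMPLE_CONFIG))
```

Any account the script flags should be cross-checked against change records before it is removed, and a device whose web UI is exposed to the Internet should have both features disabled with `no ip http server` and `no ip http secure-server`.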
Code of the implant. Source: Cisco Talos