Cisco warns customers about critical zero-day in iOS XE software

Spread the love

Cisco is warning customers about an actively exploited vulnerability in its iOS XE software. The vulnerability allows hackers to gain admin rights to devices, allowing them to completely take over affected routers and switches.

According to Cisco, the vulnerability concerns a privilege escalation bug in Cisco IOS XE. The critical vulnerability, which is rated a CVSS severity score of 10 out of 10, only affects devices that use the IOS XE web UI in combination with the HTTP or Https Server features. The vulnerability is already being exploited, Cisco says. The bug can be tracked below CVE-2023-20198. The bug was discovered on September 28 after reports of ‘strange activity’ on a customer’s device. According to Cisco, the vulnerability has been actively exploited by an unknown threat actor since at least September 18.

The vulnerability allows remote attackers to create an admin account with ‘privilege level 15’ access. That is the highest level of access for Cisco equipment, giving users full control over a router or switch. The attacker can then create a local account. In ‘most cases’ an implant was then placed with which arbitrary code could be executed. That implant is removed during a system reboot, but the local account continues to work afterwards and so the implant can be reinstalled. It is placed in usr/binos/conf/nginx-conf/cisco_service.conf and consists of two strings of code.

Attackers can exploit the vulnerability to take over Cisco IOS XE devices that are exposed to the Internet and use the HTTP Server and Https Server features. Attackers appear to be exploiting the vulnerability using a previous vulnerability: CVE-2021-1435. It will be fully patched in 2021. However, Cisco’s Talos security team says it has also seen fully patched devices that were still taken over. This is done in a ‘not yet determined’ manner.

Cisco users are advised to scan their network for “signs of compromise.” The easiest way is to search for unknown, newly created users on their devices. Users are also recommended to disable the HTTP Server and Https Server features on devices exposed to the Internet. Company published a blog post with instructions for determining contamination and further recommendations.

Code of the implant. Source: Cisco Talos

You might also like
Exit mobile version