Product and Affected Versions:
– Product: Cisco IOS XE Software
– Affected Versions: Cisco IOS XE Software on both physical and virtual devices is affected whenever the web UI feature is enabled, that is, when the HTTP server (ip http server) or HTTPS server (ip http secure-server) feature is turned on. Devices with the web UI disabled are not affected.
Severity and CVE ID:
– CVE ID: CVE-2023-20198
– Severity: Critical, CVSS base score 10.0 (the maximum possible score)
Vulnerability:
– The zero-day vulnerability is in the web UI feature of Cisco IOS XE Software.
– It affects systems that have the web UI feature enabled and reachable from the internet or from untrusted networks.
– It allows a remote, unauthenticated attacker to create a local user account on the affected device with privilege level 15, the highest IOS XE privilege level, which gives full administrative control of the device.
How the Attack Works:
– The attack begins with the attacker creating privileged local user accounts on the affected system without authenticating.
– Cisco observed unusual activity on a customer device starting on September 18, 2023: a local user account named "cisco_tac_admin" was created from a suspicious IP address.
– In a separate incident on October 12, 2023, an unauthorized user created a local user account named "cisco_support" from a different suspicious IP address.
– The attacker then deploys a Lua-based implant that allows arbitrary commands to be executed at the system (shell) level or at the IOS level.
– At the time of this write-up, Cisco attributed the implant installation to CVE-2021-1435, a previously patched vulnerability in the web UI of Cisco IOS XE Software. Cisco subsequently reported that the implant was installed through a second, new web UI vulnerability, tracked as CVE-2023-20273, so being patched against CVE-2021-1435 alone does not block the implant.
– For the implant to become active, the web server must be restarted; in some cases the server was not restarted, so the implant was installed but never became active.
Remediations:
– Cisco recommends disabling the HTTP server feature on all internet-facing systems: in configuration mode run "no ip http server" and "no ip http secure-server", then save the running configuration so the change survives a reboot. If the web UI cannot be disabled, restrict it to trusted management addresses with an access list (ip http access-class).
– Apply Cisco's fixed software as soon as it is available for your release train; disabling the web UI is a mitigation, not a fix.
– Review running configurations for unexpected "username ... privilege 15" entries (including the account names above), and review logs for web UI logins from unexpected source addresses and for configuration changes made through the web UI process.
– The implant is not persistent and does not survive a device reboot, but the rogue privileged accounts do survive a reboot and remain usable; they must be removed explicitly.
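The following script works through the review and mitigation steps above on exported device data. It is an added example, not Cisco's own tooling or anything from the advisory: it parses the text of "show running-config" for the web UI settings and for privilege-15 accounts that the operator did not provision, scans syslog lines for web UI logins from outside the trusted management networks and for configuration pushed by the web UI process, and emits the configuration-mode commands that close the exposure and delete rogue accounts. The sample configuration and log lines are constructed for illustration (the syslog formats follow what IOS XE emits for web UI logins and programmatic configuration); the legitimate admin set and trusted networks are assumptions the operator supplies.

```python
"""Offline triage helper for the CVE-2023-20198 exposure described above.

Added example, not Cisco tooling.  Input is the text of `show running-config`
and exported syslog lines; the samples at the bottom are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Account names the advisory reports the attacker creating.
KNOWN_ROGUE_NAMES = {"cisco_tac_admin", "cisco_support"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
HTTP_RE = re.compile(r"^ip http server\s*$", re.M)
HTTPS_RE = re.compile(r"^ip http secure-server\s*$", re.M)
# Web UI login and "configured programmatically" syslog messages.
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: ([\d.]+)\]"
)
CONFIG_P_RE = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+)")


@dataclass
class Findings:
    http_server: bool = False
    https_server: bool = False
    priv15_users: list = field(default_factory=list)
    rogue_users: list = field(default_factory=list)


def audit_config(config: str, expected_admins: set) -> Findings:
    """Flag an enabled web UI and privilege-15 accounts nobody provisioned."""
    f = Findings()
    f.http_server = HTTP_RE.search(config) is not None
    f.https_server = HTTPS_RE.search(config) is not None
    for name, priv in USERNAME_RE.findall(config):
        if int(priv) == 15:
            f.priv15_users.append(name)
            # Known attacker names are rogue even if someone "expects" them.
            if name in KNOWN_ROGUE_NAMES or name not in expected_admins:
                f.rogue_users.append(name)
    return f


def mitigation_commands(f: Findings) -> list:
    """IOS XE config-mode commands closing the exposure and removing rogue accounts.

    Disabling the web UI does not delete the accounts, hence the explicit
    'no username' lines; save the config afterwards so the change persists.
    """
    cmds = []
    if f.http_server:
        cmds.append("no ip http server")
    if f.https_server:
        cmds.append("no ip http secure-server")
    cmds.extend(f"no username {u}" for u in f.rogue_users)
    return cmds


def triage_logs(lines, expected_admins: set, trusted_nets) -> list:
    """Return (kind, detail, line) for web UI logins by unknown users or from
    outside the trusted networks, and for configuration pushed by the web UI
    process (the path through which the rogue accounts were created)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = WEBLOGIN_RE.search(line)
        if m:
            user, src = m.groups()
            trusted = any(ipaddress.ip_address(src) in n for n in nets)
            if user not in expected_admins or not trusted:
                hits.append(("web_ui_login", f"{user}@{src}", line))
            continue
        m = CONFIG_P_RE.search(line)
        if m and m.group(1).startswith("SEP_webui"):
            hits.append(("web_ui_config_push", m.group(1), line))
    return hits


# Constructed sample input (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username helpdesk privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

SAMPLE_LOGS = [
    "Oct 12 03:42:13.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 203.0.113.10] at 03:42:13 UTC Thu Oct 12 2023",
    "Oct 12 03:42:20.455: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "Oct 12 09:00:01.003: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (192.0.2.5)",
]

if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG, expected_admins={"netadmin"})
    print("rogue privilege-15 accounts:", findings.rogue_users)
    for cmd in mitigation_commands(findings):
        print("   ", cmd)
    for kind, detail, _ in triage_logs(SAMPLE_LOGS, {"netadmin"}, ["192.0.2.0/24"]):
        print(kind, detail)
```

The account audit relies on the operator's list of expected privilege-15 accounts rather than on the two published names alone, since nothing stops the actor from choosing a different name. The emitted commands are meant to be reviewed and applied by an operator, not pushed automatically; "no username" prompts for confirmation on the device, and if the web UI must stay on, add an "ip http access-class" restriction instead of the two "no ip http" lines.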
Reference: Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/publicationListing.x