Cisco IOS XE instances still under attack, patch now

Cisco published a patch over the weekend for a pair of IOS XE zero-day vulnerabilities that have been involved in significant exploitation activity at the hands of threat actors.

Cisco on Oct. 16 disclosed CVE-2023-20198, a zero-day vulnerability affecting all instances of its IOS XE Software that have the WebUI feature enabled. If exploited, the flaw enables a remote, unauthenticated threat actor to create gain control over a target system by creating an account with high-level privileges. This is accomplished in part via a malicious implant containing a configuration file.

Cisco Talos noted in its advisory that on Oct. 19 and 20, threat actors began using additional techniques to avoid evasion. Some newer versions of the implant include checks for an HTTP Authorization header.

"This header check is primarily used to thwart compromise identification using a previous version of the curl command provided by Talos," Cisco Talos wrote. "Based on the information assessed to date, we believe the addition of the header check in the implant likely resulted in a recent sharp decline in visibility of public-facing infected systems. We have updated the curl command listed under our guidance advisory to help enable identification of implant variants employing the HTTP header checks."

Cisco Talos also discovered threat actors were exploiting a second, previously unknown zero-day vulnerability to conduct their attacks. CVE-2023-20273 is a bug involving another component of the WebUI feature that enables a threat actor "to inject commands with elevated (root) privileges, giving them the ability to run arbitrary commands on the device," the advisory read.

Initially, the only mitigation available in Cisco's advisory was to disable the HTTP Server feature on all internet-facing systems. But on Sunday the networking giant published a fix that began rolling out to customers. The patch covers both flaws, and a Cisco spokesperson told TechTarget Editorial that the fix addresses the new evasion techniques.

Though the networking giant noted in the initial disclosure that the vulnerability had faced exploitation, researchers discovered soon after that said exploitation occurred at a massive scale. Security vendor VulnCheck reported that "thousands" of internet-facing Cisco IOS XE systems had been compromised with implants. The vendor released a scanning tool to enable organizations to check for implants on their instances. Security nonprofit Shadowserver, which regularly scans for vulnerability exploitation, said Monday that it detected 30,487 unique IPs connected to CVE-2023-20198 implants.

UPDATE: Improved Cisco IOS XE Web UI CVE-2023-20198 implant detection, after threat actor modified their compromised device config (hat tip to @foxit)

30,487 unique IPs on 2023-10-23

Latest data in tonight's compromised website report. Dashboard stats updated after end of day. pic.twitter.com/7SjqduAaGA

— Shadowserver (@Shadowserver) October 23, 2023

TechTarget Editorial asked Cisco whether the vendor had any response to, or could confirm, the amount of exploitation seen in the wild, but the vendor declined to comment. However, a spokesperson for the vendor shared the following statement:

Cisco is committed to transparency. When critical security issues arise, we handle them as a matter of top priority, so our customers understand the issues and know how to address them. Beginning on October 16, Cisco issued and has continued to update a security advisory on previously unknown vulnerabilities in the Web User Interface feature of Cisco IOS XE Software when exposed to the internet or untrusted networks. We continue to strongly urge customers to take immediate action including downloading the available fix to keep them safe.

On October 23, Cisco published an update to this advisory announcing new enhanced guidance to detect the presence of the implant after uncovering a new variant that hinders identification of compromised systems. We strongly urge customers to implement the guidance and install the security fix outlined in Cisco's updated security advisory and Talos blog.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.