Facepalm: The Cisco ecosystem is facing yet another severe security vulnerability. This 0-day flaw has been actively exploited for several weeks, so it's crucial for customers and system administrators to take immediate action. While a patch is expected, the number of affected devices could already be in the tens of thousands.
What an unfortunate way to start the workweek. On Monday, Cisco released a new advisory about an actively exploited security vulnerability. Tracked as CVE-2023-20198, the bug has been assigned the maximum threat level in the CVSS system (10.0), making it a highly critical security vulnerability.
The CVE-2023-20198 flaw resides in the web UI feature of the Cisco IOS XE network operating system. Cisco's advisory warns that, when the HTTP or HTTPS Server feature is enabled, the vulnerability could allow a remote, unauthenticated attacker to create a new user account on a vulnerable device with "privilege level 15 access." This essentially means that the attacker could easily gain total control of the affected system.
According to a threat advisory published by the Cisco Talos threat intelligence team, the CVE-2023-20198 vulnerability has been exploited for at least four weeks. Analysts discovered "unusual behavior" on a customer device dating back to September 18. The bug affects both virtual and physical devices running Cisco IOS XE, with tens of thousands of internet-connected network appliances potentially vulnerable to the issue (as indicated by recent Shodan search queries).
Once a malicious actor gains access, Cisco Talos explains, they attempt to establish a foothold in the system by creating a local user account. This account can then be used to implant a malicious script written in the Lua programming language, enabling cybercriminals to execute malicious commands at the system level every time the web server restarts. The implant does not persist after a reboot, but the newly created local user account remains active.
Cisco also warns that attackers exploiting the critical CVE-2023-20198 vulnerability can go on to target a "medium" vulnerability tracked as CVE-2021-1435. Although this flaw was fixed two years ago, threat actors appear to have been able to compromise fully patched devices and implant their malicious payloads through an "undetermined mechanism."
Cisco Talos is actively working on a patch to address the CVE-2023-20198 threat. In the meantime, the company urges network administrators to check their Cisco equipment for signs of compromise, such as the presence of unknown, newly created user accounts. Cisco also recommends that HTTP and HTTPS servers be disabled on internet-facing systems, following standard industry operational security (OPSEC) practices.
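As an added illustration of the two checks Cisco recommends above (this is not code from Cisco or from the original article): a small Python audit that reads a saved `show running-config` excerpt, flags local accounts that are missing from an operator-maintained baseline, and reports whether the HTTP or HTTPS server feature is still enabled. The sample configuration, the host name and the baseline set are constructed for the example.

```python
import re

# Constructed excerpt of an IOS XE `show running-config`; not a real device.
SAMPLE_CONFIG = """\
hostname edge-router-01
!
username netops privilege 15 secret 9 $9$placeholder
username webadmin2 privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Matches `username <name> [privilege <n>] ...`; IOS defaults privilege to 1.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def parse_users(config):
    """Return {username: privilege} for every `username` line in the config."""
    users = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2) or 1)
    return users


def web_ui_enabled(config):
    """True if the HTTP or HTTPS server feature (the web UI) is enabled."""
    lines = {line.strip() for line in config.splitlines()}
    return "ip http server" in lines or "ip http secure-server" in lines


def audit(config, known_users):
    """Return a list of findings: unknown accounts and an exposed web UI."""
    findings = []
    for user, priv in sorted(parse_users(config).items()):
        if user not in known_users:
            findings.append(f"unknown account '{user}' (privilege {priv})")
    if web_ui_enabled(config):
        findings.append("web UI enabled: apply 'no ip http server' "
                        "and 'no ip http secure-server' on internet-facing devices")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"netops", "monitor"}):
        print(finding)
```

Any unknown privilege-15 account reported here should be treated as a possible indicator of compromise rather than simply deleted, since the account itself is the persistent artifact the article describes.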