Critical Cisco Vulnerability (CVE-2023-20198): How to Protect Your Network Now
A critical zero-day vulnerability is being actively exploited in the wild, targeting Cisco devices running IOS XE software. This security flaw allows unauthenticated remote attackers to gain full administrative control of affected systems, posing a severe risk to network integrity and security.
If your organization uses Cisco routers and switches, immediate action is required to assess your exposure and mitigate this threat.
What is the Vulnerability?
The vulnerability, tracked as CVE-2023-20198, exists in the Web User Interface (Web UI) feature of Cisco IOS XE software. Attackers can exploit this flaw to create a new user account on a targeted device with privilege level 15, which grants full administrative control.
Once an attacker has this level of access, they can:
- Monitor all network traffic passing through the device.
- Inject or manipulate traffic.
- Pivot to other devices within your internal network.
- Install persistent malware or backdoors.
This attack is particularly dangerous because it does not require the attacker to have any prior authentication. The only prerequisite is that the device’s Web UI is accessible from the internet or an untrusted network.
Is Your Network at Risk?
Your network devices are vulnerable if they meet the following two conditions:
- They are running a version of Cisco IOS XE software.
- The Web UI (HTTP/HTTPS Server) feature is enabled and exposed to the internet or any untrusted network.
It is crucial to understand that even if you restrict access to the Web UI via an access control list (ACL), your device may still be at risk. The security advisory notes that the exploit appears to bypass standard access controls.
How to Check for Signs of Compromise
Attackers exploiting this vulnerability have been observed creating unauthorized local user accounts and installing malicious implants. You should immediately check your devices for the following indicators of compromise (IoCs):
Check for Unauthorized User Accounts: Log into your Cisco devices and run the following command to review all configured local users:
show running-config | include usernameCarefully examine the output for any usernames that you or your team did not create. Attackers have been seen creating generic usernames like
cisco_tac_adminorcisco_support.Review System Logs: Check device logs for entries containing
%WEBUI-6-INSTALL_OPERATION_INFO. This log message indicates that a file was installed via the Web UI, which could be a sign of a malicious implant. A log entry may look like this:
%WEBUI-6-INSTALL_OPERATION_INFO: User: user, Addr: x.x.x.x, File: [implant_filename], Operation: Install, Result: SuccessNote the username and source IP address (
Addr: x.x.x.x) to identify the potential attacker.
Immediate Steps to Protect Your Network
Given the severity and active exploitation of this vulnerability, prompt action is essential.
1. The Primary Solution: Apply Security Patches
Cisco has released software updates to address this vulnerability. The most effective way to secure your devices is to update your IOS XE software to a patched version immediately. Check the official Cisco Security Advisory for the specific patched versions corresponding to your device models and software release train.
2. Mitigation for Unpatched Systems: Disable the Web UI
If you cannot apply the patch right away, you must disable the vulnerable component. The recommended mitigation is to disable the HTTP/HTTPS server feature on all internet-facing systems. This action removes the attack vector entirely.
To disable the feature, use the following commands in global configuration mode:
no ip http serverno ip http secure-server
Disabling this feature is the only reliable mitigation short of patching. Do not rely solely on access control lists, as they may not be sufficient to block this exploit.
Staying vigilant against evolving threats is a cornerstone of modern network security. This vulnerability serves as a critical reminder to maintain a robust patching schedule, minimize your network’s attack surface by disabling unnecessary features, and regularly audit your systems for signs of unauthorized activity.
Source: https://securityaffairs.com/182564/hacking/cisco-fixed-actively-exploited-zero-day-in-cisco-ios-and-ios-xe-software.html
