
Urgent Security Alert: Critical Cisco IOS XE Zero-Day Under Active Attack
A critical, unpatched vulnerability has been discovered in Cisco’s IOS XE software that is being actively exploited in the wild to take over network devices. This zero-day flaw allows a remote, unauthenticated attacker to gain full administrative control over affected systems, posing a severe risk to network integrity and security.
The vulnerability, identified as CVE-2023-20198, carries a maximum CVSS severity score of 10.0, highlighting its critical nature. It specifically targets the web user interface (UI) feature of the IOS XE software. Attackers are exploiting this flaw to create a local user account with the highest-level privilege access—level 15—effectively handing them complete control of the device.
Once this initial access is established, the attacker can then install a malicious implant that allows them to execute arbitrary commands at a system or root level. This implant is not persistent across reboots, but the administrator account they create is, giving them a permanent backdoor into the compromised network.
How the Attack Works
The attack is a two-stage process that targets a core component of the network operating system:
- Initial Access: The attacker targets the publicly accessible web UI of a Cisco device running a vulnerable version of IOS XE software. They exploit CVE-2023-20198 to create a new, unauthorized local user with full administrative privileges.
- Implant Deployment: Using this new admin account, the attacker logs in and deploys a sophisticated implant. This malicious code is written in the Lua programming language and allows the attacker to execute any command they wish on the underlying operating system.
This level of access allows a threat actor to monitor network traffic, pivot to other devices on the network, exfiltrate sensitive data, or disrupt network operations entirely.
Is Your Network at Risk?
Your systems are vulnerable if they meet two key conditions:
- You are running a version of Cisco IOS XE software.
- The web UI feature (HTTP Server) is enabled and exposed to the internet or other untrusted networks.
The web UI is active if the ip http server or ip http secure-server commands are configured on your system. To check whether this feature is enabled, run the following command on your device:
show running-config | include ip http server|secure-server
If either command is present in the output, the system is potentially vulnerable.
Immediate Mitigation Steps: How to Protect Your Devices
As there is currently no patch available from Cisco, immediate action is required to mitigate this threat. The most effective way to protect your network is to disable the HTTP Server feature on all internet-facing systems.
To disable the feature, use the following commands in global configuration mode:
no ip http server
no ip http secure-server
Disabling the HTTP/HTTPS server removes the attack vector exploited by CVE-2023-20198. If you cannot disable the feature due to operational requirements, you must restrict access to it. Ensure that the web UI is only reachable from a limited set of trusted IP addresses or internal networks.
How to Check for Compromise
It is crucial to investigate your devices for any signs of compromise. Follow these steps to check for malicious activity:
- Check System Logs: Review your logs for messages related to the creation of new, unknown user accounts. Look specifically for log messages similar to this:
%WEBUI-6-ACCOUNT_CREATED: User <username> was created
If you do not recognize the username, your system may be compromised.
- Check for Malicious Implants: From a host that can reach the device's web UI, run the following command to check for the presence of the known malicious implant:
curl -k -X POST "https://<DEVICE_IP>/webui/logoutconfirm.html?logon_hash=1"
If the command returns a long hexadecimal string, it is a strong indicator that the implant is present and the device is compromised.
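The three checks above (web UI enabled in the running config, unrecognized %WEBUI-6-ACCOUNT_CREATED log entries, and a hexadecimal-only response to the implant probe) can be automated across exported configs, syslog and probe output. The following is an added example for triage and is not code from the advisory or from Cisco; the config and log lines are constructed, the username allowlist and the 16-character hex threshold are assumptions.

```python
from __future__ import annotations
import re

# Constructed sample data for this example; not real device output.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http authentication local
"""

SAMPLE_LOGS = """\
Oct 17 2023 09:12:01.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Oct 17 2023 09:13:44.002: %WEBUI-6-ACCOUNT_CREATED: User svc_bkup9 was created
Oct 17 2023 09:14:10.511: %WEBUI-6-ACCOUNT_CREATED: User netops was created
"""

# Message format quoted in the advisory: "%WEBUI-6-ACCOUNT_CREATED: User <username> was created"
ACCOUNT_CREATED_RE = re.compile(r"%WEBUI-6-ACCOUNT_CREATED: User (\S+) was created")
# Only lines that start with "ip http server"/"ip http secure-server"; "no ip http server" does not match.
HTTP_SERVER_RE = re.compile(r"^\s*ip http (?:secure-)?server\b", re.MULTILINE)


def webui_enabled(running_config: str) -> list[str]:
    """Return the ip http server / ip http secure-server lines found in a running config.
    A non-empty list means the web UI, the surface exploited by CVE-2023-20198, is on."""
    return [m.group(0).strip() for m in HTTP_SERVER_RE.finditer(running_config)]


def unknown_accounts(log_text: str, known_users: set[str]) -> list[str]:
    """Usernames from %WEBUI-6-ACCOUNT_CREATED messages that are not in the allowlist."""
    return [u for u in ACCOUNT_CREATED_RE.findall(log_text) if u not in known_users]


def implant_response_suspicious(body: str, min_hex_len: int = 16) -> bool:
    """Apply the advisory's indicator to the body returned by the logoutconfirm.html probe:
    a response consisting only of a long hexadecimal string. min_hex_len is an assumed
    threshold chosen to reject short or empty bodies; a normal HTML logout page never matches."""
    body = body.strip()
    return len(body) >= min_hex_len and re.fullmatch(r"[0-9a-fA-F]+", body) is not None


if __name__ == "__main__":
    print("web UI lines:", webui_enabled(SAMPLE_CONFIG))
    print("unknown accounts:", unknown_accounts(SAMPLE_LOGS, {"admin", "netops"}))
    print("implant indicator:", implant_response_suspicious("a1b2c3d4e5f60718293a4b5c6d7e8f90"))
```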
Administrators who find evidence of a compromise should immediately take steps to contain the incident, remove any unauthorized user accounts, and prepare for a full system recovery once a patch is available. It is highly recommended to monitor official security advisories from Cisco for the release of a software update that addresses this critical vulnerability.
Source: https://www.bleepingcomputer.com/news/security/cisco-warns-of-ios-zero-day-vulnerability-exploited-in-attacks/