Cisco has recently rolled out free software updates to address two critical vulnerabilities identified as CVE-2023-20198 and CVE-2023-20273. Both had been exploited as zero-days, and over 50,000 Cisco IOS XE devices were compromised. The updates fix the flaws on vulnerable devices and reduce the risk they pose.

Risk Scoring

The Common Vulnerability Scoring System (CVSS) provides risk assessments for these vulnerabilities. The CVSSv3 scores are as follows:

  • CVE-2023-20273: CVSSv3 Score of 7.2
  • CVE-2023-20198: CVSSv3 Score of 10

The higher the score, the greater the potential impact and risk. A score of 10 for CVE-2023-20198 indicates an extremely critical risk level.

Affected Products

Devices running Cisco IOS XE Software with the web UI feature enabled are affected by these vulnerabilities. In other words, if your Cisco device has the web UI feature active, you are at risk.

Solutions

Cisco has updated its original advisory with information about the first fixed software release available for download from the company’s Software Download Center. At the moment, the first fixed release is version 17.9.4a. Future updates will be rolled out, although the dates remain undisclosed.

Software Release Details

  • First Fixed Release for 17.9: 17.9.4a (Available)
  • First Fixed Release for 17.6: 17.6.6a (To Be Determined)
  • First Fixed Release for 17.3: 17.3.8a (To Be Determined)
  • First Fixed Release for 16.12 (Catalyst 3650 & 3850 only): 16.12.10a (To Be Determined)

Vulnerability Details

Both identified vulnerabilities reside in the web UI of Cisco devices running IOS XE software. The threat actor first exploited these flaws to gain access and then issued a “privilege 15” command to create a regular local account. From there, the attacker used CVE-2023-20273 to escalate that user’s privileges to root and implanted a malicious script. It should be noted that this script does not survive a system reboot, i.e. it lacks persistence.

Sudden Drop in Hacked Cisco IOS XE Hosts

Initially, close to 10,000 compromised devices were observed, and this number soared to over 40,000. A steep decline in the number of affected devices was then observed. Researchers at Fox-IT provided insight into this decline, revealing that the malware had been modified to respond only when a specific Authorization HTTP header value is present, so earlier scanning methods no longer detected it. An assessment that accounts for this change showed that 37,890 devices are still compromised.

Recommendations

Update Affected Devices

Ensure that your Cisco devices are updated to the most secure software versions as soon as possible.

Disable Web UI Feature

Administrators should immediately disable the web UI feature on exposed systems by executing the ‘no ip http server’ or ‘no ip http secure-server’ command. After disabling this feature, save the running configuration so the web UI is not reactivated when the system reloads.

Forensic Triage

Administrators should conduct forensic triage on affected IOS XE systems with the help of the repository provided, which contains essential steps to determine if the system has been compromised.
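The following script is an added example, not code from the original article or from Cisco's triage repository. It shows how an administrator could run a first-pass check over saved `show running-config` output for the two things the Affected Products and Disable Web UI sections above describe: whether the HTTP or HTTPS web UI listener is enabled, and which local accounts exist (so unexpected ones can be reconciled against a known-good list, as part of the triage step above). The two configurations embedded below are constructed samples, not captures from real devices, and the `$9$placeholder` secrets are placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `show running-config` output with the web UI enabled.
# Not captured from a real device; secrets are placeholders.
SAMPLE_CONFIG_EXPOSED = """\
hostname edge-router-1
!
username admin privilege 15 secret 9 $9$placeholder
username svc-backup privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Same device after applying the recommendation: both listeners disabled
# and the unexpected account removed.
SAMPLE_CONFIG_HARDENED = """\
hostname edge-router-1
!
username admin privilege 15 secret 9 $9$placeholder
!
no ip http server
no ip http secure-server
!
end
"""

# The two global-configuration commands that enable the web UI listeners.
WEB_UI_COMMANDS = ("ip http server", "ip http secure-server")

# `username NAME [privilege N] ...`; privilege defaults to 1 when absent.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def web_ui_status(config: str) -> Dict[str, bool]:
    """Report which web UI listeners the running config explicitly enables.

    `ip http server` marks the HTTP listener as on, `no ip http server` as off;
    the same applies to `secure-server`. A listener that appears in neither form
    is reported as not enabled here, but platform defaults differ, so the
    authoritative check on the device is `show ip http server status`.
    """
    status = {cmd: False for cmd in WEB_UI_COMMANDS}
    for raw in config.splitlines():
        line = raw.strip()
        for cmd in WEB_UI_COMMANDS:
            if line == cmd:
                status[cmd] = True
            elif line == f"no {cmd}":
                status[cmd] = False
    return status


def local_accounts(config: str) -> List[Dict[str, object]]:
    """List local `username` entries with their privilege level."""
    accounts = []
    for raw in config.splitlines():
        match = USERNAME_RE.match(raw.strip())
        if match:
            name, priv = match.group(1), match.group(2)
            accounts.append({"name": name, "privilege": int(priv) if priv else 1})
    return accounts


def unexpected_accounts(config: str, known: Set[str]) -> List[str]:
    """Return local account names that are not on the administrator's known list.

    The advisory text describes the attacker creating a local account, so any
    name not on the known list is worth reviewing during triage.
    """
    return [a["name"] for a in local_accounts(config) if a["name"] not in known]


def remediation_commands(status: Dict[str, bool]) -> List[str]:
    """Build the CLI sequence to disable any enabled listener and save the config."""
    to_disable = [f"no {cmd}" for cmd, enabled in status.items() if enabled]
    if not to_disable:
        return []
    return ["configure terminal", *to_disable, "end",
            "copy running-config startup-config"]


def triage(config: str, known: Set[str]) -> Dict[str, object]:
    """Summarise exposure and account findings for one device config."""
    status = web_ui_status(config)
    return {
        "web_ui_exposed": any(status.values()),
        "listeners": status,
        "unexpected_accounts": unexpected_accounts(config, known),
        "remediation": remediation_commands(status),
    }


if __name__ == "__main__":
    for label, cfg in (("exposed", SAMPLE_CONFIG_EXPOSED),
                       ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(label, triage(cfg, known={"admin"}))
```

Run it against configs pulled from your own inventory (one file per device) to get a quick list of devices still exposing the web UI and the exact commands to run on each; the account list is only a prompt for review, since a legitimate service account will also show up if it is missing from the known list.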

Ending Note

While Cisco has taken prompt action by releasing an update for IOS XE 17.9, several other versions remain vulnerable as updates for them are still pending. As a preventive measure, the best course of action is to disable the HTTP server feature on the vulnerable IOS XE devices, effectively nullifying the attack vector.

By adhering to the guidelines provided, users can safeguard their systems and significantly mitigate the risks associated with these vulnerabilities.
