A flaw exists within the Web User Interface of Cisco IOS XE Software that could enable privilege elevation. If exploited successfully, this vulnerability could permit a remote, unauthenticated attacker to create an account on the affected system with privilege level 15 access. This account could then be used to seize control of the affected system. The Web UI in question is an integral, GUI-driven management tool within Cisco IOS XE Software, provided as part of the default software image.
- This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled.
October 27th – UPDATED SYSTEMS AFFECTED:
- Cisco IOS XE Software Releases prior to 17.9.4a
- Cisco IOS XE Software Releases prior to 17.6.6a
- Cisco IOS XE Software Releases prior to 17.3.8a
- Cisco IOS XE Software Releases prior to 16.12.10a
Before patching your system, you should determine whether hackers have altered the device code, using one of two methods: run the Fox-IT GitHub detector code or the Orange Python script. Either one scans for the presence of a malicious implant on a network device running Cisco IOS XE. If a hacked device is identified, the following steps may help.
- Remove all recently added accounts to the IOS XE device.
- Reboot the device (this clears remote sessions into the device).
- Patch the device and rerun the Python script to determine if any issues remain.
- Check the device configuration and restore to a secure configuration available prior to initial attacks as far back as Sept. 27th.
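To support the account and configuration review in the steps above, the following added example (not code from Cisco, Fox-IT or Orange, and not an implant detector) audits a saved running configuration for an enabled web UI and for privilege 15 local accounts missing from an allowlist, and compares a release string against the fixed releases listed on this page. Assumptions: the `known_admins` allowlist and the sample configuration are constructed for illustration, and each release is compared only against the fixed release of its own train.

```python
import re

# Fixed releases listed on this page, keyed by release train (major, minor).
FIXED = {(17, 9): "17.9.4a", (17, 6): "17.6.6a", (17, 3): "17.3.8a", (16, 12): "16.12.10a"}

def parse_version(text):
    """Turn '17.09.03a' into a sortable tuple (17, 9, 3, 'a')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def is_prior_to_fix(version):
    """True/False for listed trains; None when the page lists no fix for the train."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])  # assumption: compare within the same train only
    return None if fixed is None else v < parse_version(fixed)

def audit_config(config, known_admins):
    """Report web UI state and privilege 15 local users not in known_admins."""
    web_ui, unexpected = False, []
    for line in config.splitlines():
        line = line.strip()
        # 'ip http server' and 'ip http secure-server' enable the web UI;
        # the 'no ...' forms do not match because re.match anchors at the start.
        if re.match(r"ip http (secure-)?server\b", line):
            web_ui = True
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m[1] not in known_admins:
            unexpected.append(m[1])
    return {"web_ui_enabled": web_ui, "unexpected_priv15": unexpected}

# Constructed sample configuration; host name, user names and hashes are made up.
SAMPLE = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$constructed
username svc_tmp01 privilege 15 secret 9 $9$constructed
username readonly privilege 1 secret 9 $9$constructed
no ip http server
ip http secure-server
"""

if __name__ == "__main__":
    print(audit_config(SAMPLE, known_admins={"netadmin"}))
    print("17.09.03 prior to fix:", is_prior_to_fix("17.09.03"))
```

This covers only local accounts present in the saved configuration, so an empty result does not replace running one of the implant scanners.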
Cisco has released appropriate fixed software releases relating to the vulnerability. They do advise that customers upgrade to a fixed version. For detailed platform release information, see:
For CyberHoot vCISO clients, this is a Critical severity issue that should be patched within 1-3 days.
Emergency Workaround if Patching is not Possible:
For versions that do not have a patch available, Cisco does offer workarounds at the following link:
Risk persists after device reboot
Cisco disclosed CVE-2023-20198 on Monday but threat actors had been leveraging it before September 28, when it was a zero-day, to create a high-privilege account on affected hosts and take full control of the device.
Cisco updated its advisory today with new attacker IP addresses and usernames, as well as fresh rules for the Snort open-source network intrusion detection system and intrusion prevention system.
The researchers note that threat actors behind these attacks use a malicious implant, which does not have persistence and is removed after rebooting the device.
However, the new accounts it helped create continue to be active and “have level 15 privileges, meaning they have full administrator access to the device.”
Based on Cisco’s analysis, the threat actor collects details about the device and carries out preliminary reconnaissance activity. The attacker is also clearing logs and removing users, probably to hide their activity.
You have a Vulnerability Alert Management Process, right?
If you’re a subscriber to CyberHoot’s awareness training platform, you have access to our Policy and Process library which contains the Vulnerability Alert Management Process (VAMP) document. This document prescribes how to respond to situations like this and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.
If you’re a vCISO client, we’ve built this process for you and now you must execute according to the prescribed measures and timeframes. If you’re not a vCISO client or CyberHoot Product subscriber, perhaps you want to sign up here.