Critical Cisco zero-day vulnerability has been under attack for a month

Cisco has confirmed that a critical zero-day vulnerability in the web user interface of IOS XE software has been under attack from an unknown threat actor since 18 September. The vulnerability, CVE-2023-20198, has a Common Vulnerability Scoring System (CVSS) severity rating of 10/10 — the highest possible rating.

In a mid-October advisory, Cisco said that it was “aware of active exploitation of a previously unknown vulnerability” which, when exposed to the internet or untrusted networks, could enable remote and unauthenticated attackers to gain privilege level 15 access with a newly created account. This, in turn, would give the attacker control of the compromised device.

Impacting both physical and virtual devices that are running the IOS XE software, the vulnerability requires the HTTP or HTTPS server feature to be enabled.

An analysis of the vulnerability by security researchers at Tenable states that — while no details have been shared on how CVE-2023-20198 pulls off the privilege escalation, for obvious reasons — the attackers had previously used an older vulnerability, CVE-2021-1435.

This command line injection vulnerability, impacting the same web user interface of Cisco IOS XE, was patched back in March 2021. However, a blog by the Cisco TALOS security intelligence group confirms that devices patched against CVE-2021-1435 were still compromised by the attackers using the latest zero-day. The mechanism allowing this is, as yet, unknown.

How to protect against the Cisco zero-day vulnerability

While there are no workarounds or patches at this time, Cisco strongly recommends that users “disable the HTTP server features on all internet-facing systems”, advice that TALOS intelligence says is “consistent with not only best practices but also guidance the US government has provided in the past on mitigating risk from internet-exposed management interfaces.”

Users should log into the system and use the “show running-config | include ip http server|secure|active” command in the CLI to determine if the HTTP server feature is enabled.

“Check for the presence of the ip http server command or the ip http secure-server command in the global configuration,” Cisco states. “If either command is present, the HTTP Server feature is enabled for the system.”
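As an added example, not taken from the article, Cisco or TALOS, the script below applies the configuration check quoted above to an exported running-config: it reports whether “ip http server” or “ip http secure-server” is present in enabled form, prints the standard IOS “no” form of each as the remediation, and also lists local privilege-15 accounts the operator did not expect, since the advisory describes the attacker creating such an account. The sample configuration and the account name “webui_svc” are constructed for the demonstration.

```python
import re
from typing import Dict, List, Set

# Constructed IOS XE running-config excerpt for demonstration only; "webui_svc"
# is a made-up account name standing in for an account an operator does not expect.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-router-01
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
username webui_svc privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
end
"""

# The two global-config commands Cisco names in the advisory, mapped to the
# standard IOS "no" form that disables each feature.
HTTP_COMMANDS = {
    "ip http server": "no ip http server",
    "ip http secure-server": "no ip http secure-server",
}

# Matches the enabled form and the "no ..." disabled form of either command.
_HTTP_RE = re.compile(r"^(?P<neg>no )?(?P<cmd>ip http (?:secure-)?server)$")
# Matches a local user defined with privilege level 15 (full control of the device).
_PRIV15_RE = re.compile(r"^username (?P<name>\S+) privilege 15(?:\s|$)")


def enabled_http_features(config_text: str) -> List[str]:
    """Return the HTTP/HTTPS server commands present in enabled form.

    A line such as 'no ip http server' is the disabled form and is not reported;
    lines like 'ip http authentication local' do not by themselves expose the UI.
    """
    enabled = []
    for raw in config_text.splitlines():
        m = _HTTP_RE.match(raw.strip())
        if m and not m.group("neg"):
            enabled.append(m.group("cmd"))
    return enabled


def unexpected_privilege15_users(config_text: str, expected: Set[str]) -> List[str]:
    """List privilege-15 local accounts that are not in the operator's expected set."""
    found = []
    for raw in config_text.splitlines():
        m = _PRIV15_RE.match(raw.strip())
        if m and m.group("name") not in expected:
            found.append(m.group("name"))
    return found


def audit_config(config_text: str, expected_admins: Set[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report for a single device's running-config."""
    enabled = enabled_http_features(config_text)
    return {
        "http_enabled": enabled,
        "remediation": [HTTP_COMMANDS[cmd] for cmd in enabled],
        "unexpected_privilege15": unexpected_privilege15_users(config_text, expected_admins),
    }


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, expected_admins={"admin"})
    for key, values in report.items():
        print(f"{key}: {values}")
```

To use it on real equipment, save the output of “show running-config” from each device to a file and pass its contents to audit_config with the set of administrator accounts you actually provisioned; an empty “http_enabled” list and an empty “unexpected_privilege15” list is the state the Cisco guidance asks for on internet-facing systems.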

Visit the Cisco advisory for indicators of compromise that give explicit instructions on how to determine if a system may have been compromised by attackers exploiting CVE-2023-20198.

Cisco further advises that the security advisory will be updated once a software patch is available, something it is working “non-stop” to provide as soon as possible.

Most security professionals would advise that enabling HTTP/HTTPS server features on an internet-facing system is something that nobody should be doing. Yet searches using the SHODAN internet-connected devices engine suggest that nearly 150,000 devices are exposing the Cisco IOS XE web user interface in exactly that way.

Update: 19 October 2023

We have received this extra comment from Corey Sinclair, Cyber Threat Intelligence Analyst, “While there is no patch available just yet, it’s highly recommended to keep abreast of any updates or mitigation options from Cisco.

“And also, when implementing technologies and updating systems, we urge that it’s important that organisations don’t keep default settings or credentials, and regularly do autonomous internal and external pentest operations to find, fix and verify any weaknesses that can be actively exploited.”


Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.