Thousands of IOS XE devices from Cisco are still infected, prompting the company to urge customers to apply patches without delay.
The cybersecurity community is abuzz with the recent exploitation of critical and high-severity vulnerabilities in Cisco IOS XE software. These vulnerabilities, identified as CVE-2023-20198 and CVE-2023-20273, have been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Cisco IOS XE software is widely used in enterprise switches, wireless controllers, aggregation routers, and access points, making these vulnerabilities a significant concern for network administrators worldwide.
The first vulnerability, CVE-2023-20198, allows an attacker to gain initial access and write a local user name and password through privilege 15 commands. On the other hand, the second vulnerability, CVE-2023-20273, enables an attacker to escalate privileges and write malicious implants to the file system.
An unidentified threat actor has exploited these vulnerabilities in the web user interface to infect tens of thousands of devices with a malicious backdoor. This backdoor, it seems, temporarily prevented scanners from detecting implants on thousands of devices.
Researchers at Fox-IT discovered that a variant of the malicious backdoor had upgraded its implant to check for a specific authorization HTTP header. If the specific authorization HTTP header is not set to a specific value, the implant will not respond, making it indistinguishable from uncompromised devices.
In response, Cisco Talos researchers issued enhanced detection guidance on Monday, and the Cisco Talos blog now includes a curl command to confirm the presence of implants on a device. CISA, too, has likely issued advisories and detection guidance, although specific details from these entities are not fully available at this time.
Given the active exploitation, network administrators are advised to apply the latest Cisco patches or workarounds issued for these CVEs. Additionally, deploying detection signatures from Cisco Talos and including monitoring of account changes on Cisco IOS XE devices is recommended. Following guidance from CISA on mitigation and incident response is also crucial if these devices are in use.
Since the available search results do not include detailed statements from Cisco Talos or CISA for these particular CVEs, consulting Cisco's official security advisories and CISA's KEV catalog directly is recommended for the most current detection methods and response actions.
According to Joost Gerritsen, a senior consultant at Fox-IT, the update rendered the initial scanning method ineffective, leading to a decline in the detection of compromised devices. It is estimated that more than 40,000 devices worldwide have been infected by the malicious backdoor, underscoring the urgency of the situation.
Stay vigilant, and ensure your network is secure. Apply the latest patches, deploy detection signatures, and stay informed for the latest updates on these critical vulnerabilities.
- The recent exploitation of critical vulnerabilities in Cisco IOS XE software, such as CVE-2023-20198 and CVE-2023-20273, highlights the importance of cybersecurity in the realm of technology and general-news, as these exploits could lead to crime-and-justice implications.
- The cybersecurity community is currently focused on addressing the vulnerabilities in Cisco IOS XE software, especially CVE-2023-20198, which allows an attacker to gain initial access, and CVE-2023-20273, enabling an attacker to escalate privileges.
- In the wake of the active exploitation of these vulnerabilities, it's crucial for network administrators to stay updated on the latest cybersecurity measures, including applying patches, deploying detection signatures, and following guidance from entities like CISA for effective mitigation and incident response.
