
Cisco iOS XE Software Vulnerability: Actively Exploited & High-Risk

Cisco is warning customers about an actively exploited vulnerability in its IOS XE software. The vulnerability allows attackers to gain admin rights on devices, allowing them to completely take over affected routers and switches.

According to Cisco, the vulnerability is a privilege escalation bug in Cisco IOS XE. The critical vulnerability, rated a CVSS severity score of 10 out of 10, only affects devices that use the IOS XE web UI in combination with the HTTP Server or HTTPS Server features. The vulnerability is already being exploited, Cisco says. The bug is tracked as CVE-2023-20198. It was discovered on September 28 after reports of ‘strange activity’ on a customer’s device. According to Cisco, the vulnerability has been actively exploited by an unknown threat actor since at least September 18.

The vulnerability allows remote attackers to create an admin account with ‘privilege level 15’ access. That is the highest level of access on Cisco equipment, giving users full control over a router or switch. The attacker can then create a local account. In ‘most cases’ an implant is placed that can execute arbitrary code. That implant is removed during a system reboot, but the local account continues to work afterwards, so the implant can be reinstalled. It is placed in usr/binos/conf/nginx-conf/cisco_service.conf and consists of two strings of code.

Attackers can exploit the vulnerability to take over Cisco IOS XE devices that are exposed to the Internet and use the HTTP Server and HTTPS Server features. Attackers appear to be exploiting the vulnerability in combination with an earlier vulnerability, CVE-2021-1435, which was fully patched in 2021. However, Cisco’s Talos security team says it has also seen fully patched devices that were still taken over; how this is done has ‘not yet been determined.’

Cisco users are advised to scan their network for “signs of compromise.” The easiest way is to search for unknown, newly created users on their devices. Users are also recommended to disable the HTTP Server and HTTPS Server features on devices exposed to the Internet. The company published a blog post with instructions for determining whether a device has been compromised and further recommendations.
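As an added example (not from the article or from Cisco), the following Python helper applies the two checks just described to the text of a device's `show running-config`: it lists privilege-15 local accounts that are not on an allow-list of known administrators, and reports whether the HTTP Server and HTTPS Server features are enabled. The sample configuration and the allow-list are constructed for illustration.

```python
"""Triage helper for the Cisco IOS XE advisory described above.

Added example, not Cisco's tooling. It scans the text of a device's
`show running-config` for unexpected privilege-15 local accounts and
for enabled web-UI server features. The sample config is constructed.
"""
import re

# Constructed sample output of `show running-config` (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructedhash
username cisco_tac_admin privilege 15 secret 9 $9$constructedhash2
username monitor privilege 1 secret 9 $9$constructedhash3
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Matches IOS local-user lines such as "username NAME privilege 15 ..."
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)


def privileged_accounts(config: str) -> dict:
    """Return {username: privilege_level} for every local account found."""
    return {name: int(level) for name, level in USER_RE.findall(config)}


def unexpected_admins(config: str, known_admins: set) -> list:
    """Privilege-15 accounts absent from the allow-list: candidates for the
    unknown, newly created users the advisory tells defenders to look for."""
    accounts = privileged_accounts(config)
    return sorted(u for u, lvl in accounts.items()
                  if lvl == 15 and u not in known_admins)


def web_ui_exposure(config: str) -> dict:
    """Report whether the HTTP / HTTPS server features are enabled, i.e. the
    exposure the article says to disable on Internet-facing devices."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http_server": "ip http server" in lines,
        "https_server": "ip http secure-server" in lines,
    }


if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(SAMPLE_CONFIG, {"netops"}))
    print("web UI exposure:", web_ui_exposure(SAMPLE_CONFIG))
```

A hit from `unexpected_admins` is a lead to investigate against change records, not proof of compromise on its own.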

2023-10-17 08:25:35