17 Oct 2023 | Newsroom | Vulnerability / Network Security
Cisco has warned of a critical, unpatched vulnerability in IOS XE software that is being actively exploited.
The zero-day vulnerability, rooted in the Web UI feature, has been assigned CVE-2023-20198 and carries the maximum CVSS severity score of 10.0.
It is worth noting that the flaw only affects corporate network devices that have the Web UI feature enabled and are exposed to the Internet or untrusted networks.
“This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with access permission level 15,” Cisco said in a statement Monday. “The attacker can then use this account to gain control of the affected system.”
The issue affects both physical and virtual devices that are running Cisco IOS XE software and also have the HTTP or HTTPS server feature enabled. As a workaround, it is recommended to disable the HTTP server feature on Internet-connected systems.
The network equipment specialist said it discovered the issue after detecting malicious activity on an unidentified customer device on September 18, 2023, where an unauthorized user created a local user account under the username “cisco_tac_admin” from a suspicious IP address. The unusual activity ended on October 1, 2023.
In a second set of related activities discovered on October 12, 2023, an unauthorized user created a local user account under the name “cisco_support” from a different IP address.
This is said to have been followed by a series of actions that culminated in the deployment of a Lua-based implant that allows the actor to execute arbitrary system-level or IOS-level commands.
The implant is installed by exploiting CVE-2021-1435, a now-patched bug affecting the web UI of Cisco IOS XE.
“For the implant to become active, the web server must be restarted. In at least one observed case, the server did not reboot, so the implant never became active despite installation,” Cisco said.
The backdoor, stored at the file path /usr/binos/conf/nginx-conf/cisco_service.conf, is not persistent, meaning it will not survive a device reboot. However, the rogue privileged accounts created remain active.
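As an added example (not code from the article or from Cisco), the following Python audits a constructed `show running-config` excerpt for the indicators the article describes: local accounts at privilege 15 that are not on an approved list, including the two reported account names, and whether the HTTP/HTTPS server feature that the workaround says to disable is still enabled. The `username ... privilege 15` and `ip http server` / `ip http secure-server` lines are standard IOS XE configuration syntax; the sample config and the approved-admin set are assumptions.

```python
import re

# Constructed sample of "show running-config" output (not from the article).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$EXAMPLEHASH
username cisco_tac_admin privilege 15 secret 9 $9$EXAMPLEHASH2
username monitor privilege 1 secret 9 $9$EXAMPLEHASH3
!
ip http server
ip http secure-server
!
"""

# Account names reported in the article's two activity clusters.
SUSPECT_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# "username <name> privilege <n> ..." lines; accounts without an explicit
# privilege keyword default to level 1 and are not flagged here.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
# "ip http server" / "ip http secure-server", optionally negated with "no".
HTTP_RE = re.compile(r"^(no\s+)?ip http (secure-server|server)\s*$", re.M)


def find_priv15_accounts(config, known_admins):
    """Return privilege-15 local accounts not in the approved set, marking
    any whose name matches the account names reported in the article."""
    findings = []
    for name, level in USER_RE.findall(config):
        if int(level) == 15 and name not in known_admins:
            findings.append({"username": name,
                             "matches_reported_iocs": name in SUSPECT_USERNAMES})
    return findings


def web_ui_enabled(config):
    """Return the HTTP server features still on; the workaround is to turn
    them off on Internet-facing devices (no ip http server / secure-server)."""
    enabled = {"server": False, "secure-server": False}
    for negated, feature in HTTP_RE.findall(config):
        enabled[feature] = not negated
    return [f for f, on in enabled.items() if on]


def audit(config, known_admins):
    return {"unexpected_priv15": find_priv15_accounts(config, known_admins),
            "web_ui_enabled": web_ui_enabled(config)}
```

Run against a real device, both findings warrant follow-up: an unexpected level-15 account should be removed and its origin investigated, and the web UI should be disabled or restricted to management networks.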
Cisco believes the two sets of activity were likely carried out by the same threat actor, although the attacker's exact origin is currently unclear.
“The first cluster may have been the actor’s first attempt and testing of its code, while activity in October appears to show that the actor has expanded its operations to include establishing persistent access through the use of the implant,” the company noted.
The development has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory and add the vulnerability to the catalog of known exploited vulnerabilities (KEV).
In April 2023, British and US cybersecurity and intelligence agencies warned of state-sponsored campaigns targeting global network infrastructure. Cisco explained that route/switch devices are a “perfect target for an adversary that wants to be both quiet and have access to critical intelligence capabilities, as well as a foothold in a preferred network.”