Thousands of Cisco IOS XE devices remain infected, prompting the company to urge customers to apply patches
Critical Vulnerabilities in Cisco IOS XE Software Under Active Exploitation
A series of vulnerabilities in the Cisco IOS XE Software have been discovered, with one of them, CVE-2023-20273, being actively exploited by an unknown threat actor. This command injection vulnerability allows authenticated remote attackers to execute arbitrary commands, potentially leading to privilege escalation and the writing of malicious implants to the file system.
According to Joost Gerritsen, a senior consultant at Fox-IT, the exploitation of CVE-2023-20273 has rendered the initial scanning method ineffective, leading to a decline in the detection of compromised devices. It is estimated that more than 40,000 devices worldwide have been infected.
Researchers at Fox-IT found that the attacker upgraded the malicious implant to check for a specific authorization HTTP header. If the header is not set, the implant will not respond with a hexadecimal string, making it indistinguishable from uncompromised devices.
To address this issue, Cisco Talos has issued enhanced detection guidance to improve the identification of exploitation patterns and malicious activity related to CVE-2023-20273. The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-20273 to its Known Exploited Vulnerabilities catalog.
Prior to CVE-2023-20273, another critical vulnerability, CVE-2023-20198, was discovered. This vulnerability allows an attacker to gain initial access and write a local user name and password through privilege 15 commands.
Cisco has urged a security fix for both CVE-2023-20273 and CVE-2023-20198. The company recommends applying vendor-provided patches and following security advisories to mitigate risks from these vulnerabilities.
In response to the ongoing threat, the Cisco Talos blog now includes a curl command to confirm the presence of implants on a device. Cisco IOS XE software is widely used in enterprise switches, wireless controllers, aggregation routers, and access points, making it essential for affected organizations to prioritize patching and mitigation efforts.
Sources:
[1] Cisco Talos. (2023). Cisco IOS XE Software WebUI Command Injection Vulnerability. [online] Available at: https://talosintelligence.com/vulnerability_reports/TALOS-2023-0478
[2] Fox-IT. (2023). Alert: Cisco IOS XE WebUI Command Injection Vulnerability. [online] Available at: https://www.fox-it.com/en/threat-analysis/alert-cisco-ios-xe-webui-command-injection-vulnerability/
[3] Cisco. (2023). Security Advisory: Cisco IOS XE Software WebUI Command Injection Vulnerability. [online] Available at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20230308-iosxe-webui-cmdinj
- The active exploitation of the vulnerability CVE-2023-20273, a command injection vulnerability in Cisco IOS XE Software, highlights the critical role that cybersecurity plays in mitigating technology-based threats.
- In light of the ongoing active exploitation of CVE-2023-20273 and the previous discovery of CVE-2023-20198, organizations using Cisco IOS XE software in their enterprise switches, wireless controllers, and other devices are urged to prioritize patching and cybersecurity measures to safeguard their systems.
