Serious vulnerability in Cisco IOS XE puts thousands of devices at risk
by Nico Pätzel
Enhanced EU Cybersecurity Regulation for CRITIS
Cisco, a global leader in networking solutions, has issued an urgent security advisory for switches and routers running the IOS XE operating system. The highly critical zero-day vulnerability (CVE-2023-20198) was announced a few days ago. Through vulnerability in the web interface, attackers can create an admin user without prior login and thus take control of the device. We recommend that network administrators act quickly as the vulnerability is currently being actively exploited by attackers and poses a serious threat to the IT security of companies worldwide.
What exactly has happened?
On 16 October 2023, Cisco disclosed details of a worrying vulnerability in Cisco IOS XE. It is currently still being actively exploited by attackers. If a remote attacker gains access to vulnerable system, they can create user accounts with level 15 access rights without authentication. This allows attackers to take control of the affected device and conduct targeted man-in-the-middle attacks within the network. It involved deploying an implant consisting of a configuration file ("cisco_service.conf"), used to interact with the implant, and determining the new web server endpoint (URI path).
In short: An attacker who gains access to the web user interface of a device with IOS XE and sends HTTP requests to this interface can create an admin user account in no time without prior login!
Apparently, backdoors
have thus already been installed on network devices for several weeks. The subsidiary Talos has already published recommendations on how Cisco customers can check their devices for a possible compromise. This post will be updated continuously.
Who is affected by the vulnerability in Cisco IOS XE?
The impact of this vulnerability is far-reaching and affects all devices that use the Cisco IOS XE operating system and whose web UI is enabled. This includes devices such as switches, routers and WLAN controllers.
What is the risk of the vulnerability in Cisco IOS XE?
The vulnerability was assessed with a maximum CVSS score of 10/10! The lack of an available patch exacerbates the situation considerably. IT security managers are dependent on alternative protective measures. Since patches are missing so far, Cisco itself has published recommendations for those affected.
Thousands of systems are already at risk
Already more than 10,000 Cisco IOS XE devices are affected by this vulnerability. These findings come from a wave of attacks on the affected devices. In Germany alone, about 1,700 devices with Cisco IOS XE are freely accessible via the internet and thus at risk.
Recommendation for action
If you are using IOS XE systems in your company, we strongly recommend that you check your systems for possible compromises and examine the system logs for suspicious activity. Administrators whose network contains Cisco devices running IOS XE should therefore definitely check them and consider them compromised until then.
What to do now:
- Check each device for a possible backdoor with the command curl -X POST. (http://IP/webui/logoutconfirm.html?logon_hash=1; the placeholder IP stands for the IP address of the device). If infected devices are discovered, quarantine them immediately and reinstall a configuration backup.
- Devices that do not have a backdoor should be checked via the SSH admin login for unexplained user accounts with administrator rights (authorisation level 15) or suspicious entries in the log files.
The BSI has published further measures and instructions for checking one's own systems in a PDF.