Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit

/in


Cisco is asking customers to immediately disable the HTTPS Server feature on all of their Internet-facing IOS XE devices to protect against a critical zero-day vulnerability in the Web User Interface of the operating system that an attacker is actively exploiting. 

Cisco IOS XE is the operating system that Cisco uses for its next-generation enterprise networking gear.

The flaw, assigned as CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled. No patch or other workaround is currently available for the flaw, which Cisco described as a privilege escalation issue that enables complete device takeover. Cisco has assigned the vulnerability a maximum possible severity rating of 10 out of 10 on the CVSS scale.

CVE-2023-20198: Maximum-Severity Flaw

“The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” Cisco said in an advisory on Oct. 16 on the new zero-day bug. “The attacker can then use that account to gain control of the affected system.” Privilege level 15 on a Cisco IOS system basically means having complete access to all commands including those for reloading the system and making configuration changes.

An unknown attacker has been exploiting the flaw, to access Cisco, Internet-facing IOS XE devices and drop a Lua-language implant that facilitates arbitrary command execution on affected systems. To drop the implant the threat actor has been leveraging another flaw — CVE-2021-1435 — a medium severity command injection vulnerability in the Web UI component of IOS XE, that Cisco patched in 2021. The threat actor has been able to deliver the implant successfully even on devices that are fully patched against CVE-2021-1435 via an as yet undetermined mechanism, Cisco Talos researchers said in an a separate advisory.

Cisco said it first got wind of the new vulnerability when responding to an incident involving unusual behavior on a customer device on Sept. 28. The company’s subsequent investigation showed that malicious activity related to the vulnerability actually may have begun as early as Sept. 18. That first incident ended with the attacker leveraging the flaw to create…

Source…