What should you know about CISCO’s high-severity zero-day vulnerabilities? 


CVE-2023-20198 – Cisco’s maximum-severity zero-day vulnerability

Cisco has issued an alert over a critical zero-day vulnerability detected in its IOS XE software range.

The vulnerability targets systems that have the HTTP/HTTPS server enabled. More than 40,000 Cisco devices are affected, and 10,000 of them have been found carrying an implant that allows arbitrary code execution.

The critical vulnerability CVE-2023-20198 has been assigned a severity rating of 10, the highest rating on the CVSS vulnerability severity scale. It is present in the web UI component of IOS XE software.

The vulnerability allows privilege escalation, giving an attacker full control of the system on which the malware implant has been placed. In other words, attackers can exploit it to hijack a Cisco router and take control of it.

The countries that are impacted the most by this vulnerability include the US, the Philippines, Mexico, Chile, and India.   

Here are some of the facts about the said critical vulnerability:

  • More than 6,509 hosts were affected in the US alone
  • There was a 40% jump in the number of hosts affected within 24 hours of detection
  • Earlier, Cisco had issued an advisory for the high-severity vulnerability CVE-2023-44487

How did it happen?  

The attackers compromised the devices by creating new accounts on them and gaining root control of the system through Lua-based implants that allow them to execute arbitrary commands. According to Cisco, attackers first exploited the IOS XE command injection vulnerability tracked as CVE-2021-1435 to deploy the implant, but Cisco then found that further zero-day vulnerabilities had allowed attackers to compromise systems already patched against that vulnerability. Cisco later confirmed a second zero-day vulnerability, tracked as CVE-2023-20273. Cisco’s official advisory states:

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system.” Cisco has added that CVE-2021-1435 is no longer exploited to orchestrate these attacks.

Something seems suspicious: the big drop in the number of infected devices

More than 40,000 devices were impacted by the vulnerability, and numerous cybersecurity experts have observed that the significant drop in this number, to a mere 100 systems, indicates that the attackers are trying to cover their tracks and hide the implant. The company has warned that many devices may still be compromised yet evade the scanners. Experts are still unable to determine who is behind the attack or what their goals are. CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog and has warned federal agencies to address them immediately.

Good news: Patches released  

Cisco has released patches for the vulnerabilities CVE-2023-20198 and CVE-2023-20273, which affect more than 50k Cisco IOS XE hosts. The software release is available for everyone to download from the Cisco Download Center, the latest update being 17.9.4.a.

The networking gear vendor has warned that the vulnerabilities can be exploited only if the web UI feature is enabled through the ip http server or ip http secure-server commands.
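The two conditions the advisory and Cisco’s warning describe, an exposed web UI and an unexpected privilege 15 local user, can both be checked from a device’s running-config. The following is an added example written for this post, not Cisco tooling; the running-config snippet is constructed, and the known-admin set is assumed to come from your own inventory.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of an IOS XE running-config, not a capture from a real device.
# "cisco_tac_admin" stands in for a privilege 15 account an attacker might have added.
SAMPLE_RUNNING_CONFIG = """\
version 17.9
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
no ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input ssh
"""

# Assumption: local admin accounts you created on purpose are tracked in an inventory.
KNOWN_ADMIN_ACCOUNTS = {"netadmin"}

WEBUI_ENABLE = re.compile(r"^ip http (secure-)?server$")   # the two commands that expose the web UI
PRIV15_USER = re.compile(r"^username (\S+) privilege 15\b")

@dataclass
class Findings:
    webui_lines: list = field(default_factory=list)
    unexpected_priv15_users: list = field(default_factory=list)

    def webui_enabled(self) -> bool:
        # Either command is enough: "no ip http server" with secure-server still exposes the UI over HTTPS.
        return bool(self.webui_lines)

    def remediation(self) -> list:
        steps = ["no ip http server", "no ip http secure-server"] if self.webui_enabled() else []
        return steps + [f"verify or remove local account: {u}" for u in self.unexpected_priv15_users]

def audit_running_config(config_text: str, known_admins: set) -> Findings:
    """Flag web UI exposure and privilege 15 local users absent from the known-admin set."""
    f = Findings()
    for raw in config_text.splitlines():
        line = raw.strip()
        if WEBUI_ENABLE.match(line):
            f.webui_lines.append(line)
        m = PRIV15_USER.match(line)
        if m and m.group(1) not in known_admins:
            f.unexpected_priv15_users.append(m.group(1))
    return f
```

Run it against the output of show running-config collected over SSH; any device that reports the web UI enabled or an unknown privilege 15 user should be treated as a candidate for the patch and for a closer implant check.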

SharkStriker’s recommendations  

Since Cisco has released patches for these vulnerabilities, we recommend that organizations implement them immediately to prevent threat actors from exploiting them. We have undertaken the following security measures to secure our customers and partners against these vulnerabilities:

  • To ensure that their IT environment is secure, we have engaged in round-the-clock security  
  • Our threat hunters have engaged in proactive scanning for Indicators of Compromise, to address any hidden compromise before it causes disruption.
  • We configured their detection mechanisms for quick detection of and response to any suspicious activity.
  • We reconfigured their existing detection solutions with the latest mitigation strategies and best practices.
  • We enabled the STRIEGO feature, which allows our customers to check the status of their cybersecurity posture in real time.
  • Through STRIEGO, our customers were able to implement best practices in a timely manner with step-by-step support.

To summarize 

Over 40,000 devices were affected in this massive zero-day exploitation campaign, in which attackers gained full control of the systems by injecting them with malware.

The vulnerabilities, grouped under Cisco bug ID CSCwh87343, were found in Cisco devices running IOS XE software. CVE-2023-20273 has been assigned a maximum severity score of 10, whereas CVE-2023-20198 has been assigned 7.2. SharkStriker identifies and implements security measures to proactively assist its customers and partners worldwide in mitigating the effects of these vulnerabilities.

