Cisco warns of new IOS XE zero-day actively exploited in attacks

Cisco warned admins today of a new maximum severity authentication bypass zero-day in its IOS XE software that lets unauthenticated attackers gain full administrator privileges and take complete control of affected routers and switches remotely.

The company says the critical vulnerability (tracked as CVE-2023-20198 and still waiting for a patch) only affects devices with the Web User Interface (Web UI) feature enabled, which also have the HTTP or HTTPS Server feature toggled on.

"Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks," the company revealed today.

"Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity."

The attacks were discovered on September 28 by Cisco's Technical Assistance Center (TAC) after reports of unusual behavior on a customer device.

Cisco identified related activity dating back to September 18 following further investigation into the attacks. The malicious activity involved an authorized user creating a local user account with the username "cisco_tac_admin" from a suspicious IP address (5.149.249[.]74).

The company discovered additional activity linked to CVE-2023-20198 exploitation on October 12, when a "cisco_support" local user account was created from a second suspicious IP address (154.53.56[.]231). The attackers also deployed a malicious implant via CVE-2021-1435 exploits and other unknown methods to execute arbitrary commands at the system or IOS levels.

"We assess that these clusters of activity were likely carried out by the same actor. Both clusters appeared close together, with the October activity appearing to build off the September activity," Cisco said.

"The first cluster was possibly the actor's initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant."

Mitigation measures

The company advised admins to disable the HTTP server feature on internet-facing systems, which would remove the attack vector and block incoming attacks.

"Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode," the company said.

"After disabling the HTTP Server feature, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the HTTP Server feature is not unexpectedly enabled in the event of a system reload."

If both the HTTP and HTTPS servers are in use, both commands are required to disable the HTTP Server feature.

Organizations are also strongly recommended to look for unexplained or recently created user accounts as potential indicators of malicious activity associated with this threat.

One approach to detecting the presence of the malicious implant on compromised Cisco IOS XE devices involves running the following command on the device, where the placeholder "DEVICEIP" represents the IP address under investigation:

curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

"We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory. Cisco will provide an update on the status of our investigation through the security advisory," Cisco's Director for Security Communications Meredith Corley told BleepingComputer in an email statement.

Last month, Cisco cautioned customers to patch another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software targeted by attackers in the wild.

Update: Added statement from Cisco.