Cisco, a prominent network equipment provider, recently tackled two critical vulnerabilities (CVE-2023-20198 and CVE-2023-20273) impacting over 50,000 IOS XE devices. Within the past week, cybercriminals exploited these vulnerabilities, enabling them to breach and fully control the affected devices. Consequently, Cisco has released free software to rectify these security issues. The software patch provided by Cisco effectively addresses and resolves the vulnerabilities, ensuring that the affected IOS XE devices are protected against further exploitation. Customers are urged to prioritize the prompt application of this update to minimize potential risks and maintain a secure network infrastructure.
Here are details of the vulnerability and initial software fixes
As per the company’s update, the initial fixed software release is now available, with version 17.9.4a being the first to be deployed. Although additional updates are expected, the release dates have yet to be announced. Both recognized vulnerabilities are associated with the web UI of Cisco devices operating the IOS XE software. The severity ratings attributed to these vulnerabilities are 10/10 (maximum) for CVE-2023-20198 and 7.2 (high) for CVE-2023-20273. These vulnerabilities, if exploited, could enable an unauthenticated remote attacker to carry out various malicious actions, including gaining unauthorized access to sensitive information and executing arbitrary code on the device. Cisco has strongly advised its users to apply the patches as soon as possible to mitigate the risks associated with these vulnerabilities and prevent potential security breaches.
In-depth analysis of attackers’ methods
Cisco revealed that the adversaries initially infiltrated the devices by exploiting the critical vulnerability and then issued a privilege 15 command to establish a local account. Cisco devices have command permissions that range from levels zero to 15, with 15 being the highest privileged level, allowing complete control of the device. This infiltration and granting of level 15 privileges effectively gives the attackers full access to the device’s functions and features, enabling them to manipulate, disrupt, or compromise the system in any manner they choose. As such, network administrators must secure their Cisco devices by promptly patching the identified vulnerability and monitoring for any suspicious activity to prevent such unauthorized access.
The attacker subsequently utilized CVE-2023-20273 to elevate the newly created local user’s privileges and incorporated a malicious script into the file system. However, the implant is non-persistent, and rebooting the device will eliminate it. Despite the non-persistence of the implant, it can still cause significant damage while, in effect, giving the attacker heightened capabilities and access to sensitive data. To mitigate risks associated with this CVE, it is crucial for organizations to apply security patches, closely monitor their systems, and ensure staff adhere to best cybersecurity practices.
Featured Image Credit: Photo by Connor Danylenko; Pexels; Thank you!