Unpatched Cisco zero-day vulnerability actively attacked

Cisco has issued a serious warning regarding a critical security vulnerability that is unpatched and actively being exploited in the wild. This security flaw affects the IOS XE software. This zero-day vulnerability, identified as CVE-2023-20198, has been assigned the highest severity rating of 10.0 on the CVSS rating system. It’s important to note that this vulnerability exclusively affects enterprise network equipment with the Web-UI feature enabled and exposed to the internet or untrusted networks.

According to Cisco’s Monday advisory, this vulnerability allows remote, unauthenticated attackers to create an account on a vulnerable system with full access at privilege level 15. Subsequently, they can use this account to take control of the compromised system. This issue affects both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled. As a precaution, it is strongly recommended to disable the HTTP server feature on systems exposed to the internet.

Cisco first noticed the problem when suspicious activities were observed on an unspecified customer’s device on September 18, 2023. In this incident, an authorized user from an unusual IP address created a local user account named “cisco_tac_admin.” This abnormal activity ceased on October 1, 2023. On October 12, 2023, a second group of similar activities was detected, with an unauthorized user creating a local user account named “cisco_support” from a different IP address. This was followed by a series of actions leading to the deployment of a Lua-based implant that allowed the attacker to execute arbitrary commands at the system or IOS level.

The installation of this implant involves exploiting CVE-2021-1435, a previously patched vulnerability in the web UI of Cisco IOS XE software, as well as an unspecified mechanism in cases where the system is fully patched against CVE-2021-1435. To activate the implant, the web server needs to be restarted, although in at least one observed instance, the server was not restarted, and the implant remained inactive. The backdoor, located under “/usr/binos/conf/nginx-conf/cisco_service.conf,” is not persistent, meaning it will not survive a device restart. However, the rogue privileged accounts created during the compromise remain active.
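As an added example (not from Cisco's advisory or the original article), a defender could audit a saved running-config for the two conditions described above: the HTTP/HTTPS server feature still enabled, and the account names reported in the intrusions. The sample configuration, the function name and the `approved_admins` parameter are constructed for illustration.

```python
import re

# Account names this page reports were created during the intrusions.
REPORTED_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.I)
HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$", re.I)

# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructed
username cisco_support privilege 15 secret 9 $9$constructed
username helpdesk privilege 1 secret 9 $9$constructed
username tmpadmin privilege 15 secret 9 $9$constructed
no ip http server
ip http secure-server
"""


def audit_config(text, approved_admins=()):
    """Return (severity, message) findings for one IOS XE running-config."""
    approved = {a.lower() for a in approved_admins}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        http = HTTP_RE.match(line)
        if http:
            if not http.group(1):  # no leading "no": the feature is enabled
                findings.append(("warn", f"web UI server enabled: {line}"))
            continue
        user = USERNAME_RE.match(line)
        if not user:
            continue
        name, priv = user.group(1), user.group(2)
        if name.lower() in REPORTED_ACCOUNTS:
            findings.append(("critical", f"reported rogue account: {name}"))
        elif priv == "15" and name.lower() not in approved:
            findings.append(("review", f"unapproved privilege-15 account: {name}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG, approved_admins=["netops"]):
        print(f"{severity:8} {message}")
```

Only the two account names reported here are matched by name, so any other privilege-15 account outside the approved list is flagged for manual review as well.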

Although Cisco attributed both activity groups to the same threat actor, the exact origins of the attacker remain unclear. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning and added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog.

In April 2023, British and U.S. cybersecurity and intelligence agencies warned of state-sponsored campaigns targeting global network infrastructure. Cisco emphasized that router and switch devices are attractive targets for attackers who want to keep a low profile while gaining access to critical intelligence capabilities and to a preferred network.

Update: A recent report from VulnCheck shows that attackers have exploited CVE-2023-20198 to compromise and infect numerous Cisco IOS XE devices with malicious implants. VulnCheck has also released a scanner to detect the implant on affected devices. Security researcher Jacob Baines expressed concern about this situation, as privileged access to IOS XE likely gives attackers the ability to monitor network traffic, infiltrate protected networks, and execute various man-in-the-middle attacks.

Furthermore, the Attack Surface Management company Censys has identified 41,983 devices exhibiting signs of compromise and the installation of the backdoor, with the majority of infections occurring in the U.S., followed by several other countries. Cisco has issued a statement emphasizing its commitment to transparency and is diligently working on a software solution. Customers are strongly urged to follow the recommendations outlined in the security advisory, and Cisco will continue to provide updates in the same advisory. Additional details can be found in the security advisory and the Talos blog.
