Attackers Exploiting Cisco Zero-Day With Malicious Backdoor
Second Flaw in IOS XE Operating System Puts Thousands of Cisco Users at Risk
Threat actors are exploiting another zero-day flaw in Cisco's IOS XE software to implant a malicious backdoor. The IOS XE operating system runs on a wide range of Cisco networking devices, including routers, switches, wireless controllers, access points and more.
The vulnerability, disclosed by Cisco as CVE-2023-20273, was exploited in a chain with a zero-day flaw disclosed at the start of the week and tracked as CVE-2023-20198, which allows a remote, unauthenticated attacker to create an account on an affected device and use that account to obtain full administrator privileges, enabling a complete takeover of the system.
The latest activity includes deploying a Lua-based implant that enables the attacker to execute arbitrary commands at the system level or IOS level, Cisco said. CVE-2023-20198 has a CVSS score of 10.0, and CVE-2023-20273 has a CVSS score of 7.2.
"The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system," Cisco's advisory said. "The web UI is an embedded GUI-based system management tool that provides the ability to provision the system, to simplify system deployment and manageability, and to enhance the user experience."
The San Jose, California-based tech giant said it has identified a fix; initiated the build, test and release process; and expects a software release on the Cisco Software Download Center on Sunday.
Earlier this month, Cisco released urgent fixes to a critical vulnerability affecting an emergency communication system that tracks callers' location in real time. A developer inadvertently hard-coded credentials in Cisco Emergency Responder tracking and routing software, opening up a permanent backdoor for potential unauthenticated attackers (see: Credentials Hard-Coded in Cisco Emergency Location Tracker).
The potential malicious activity was first uncovered Sept. 28, when the team behind Cisco's Technical Assistance Center identified unusual behavior on a customer device. Further investigation revealed the first instance of the activity as early as Sept. 18.
The vulnerabilities affect Cisco IOS XE software when the web UI feature is enabled through the ip http server or ip http secure-server commands.
To determine whether a system has been compromised, Cisco recommends checking system logs for messages in which the user is cisco_tac_admin, cisco_support or any configured local user that is unknown to the network administrator.
"Disabling the HTTP Server feature eliminates the attack vector for these vulnerabilities and may be a suitable mitigation until affected devices can be upgraded," Cisco said. "Administrators can disable the HTTP Server feature by using the no ip http server or no ip http secure-server command in global configuration mode."
Cisco also said limiting access to the HTTP Server to trusted networks will limit exposure to these vulnerabilities.
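The two defender checks described above, the log review for the named usernames and the web UI exposure that the no ip http server / no ip http secure-server commands remove, as an added example that is not part of the article or of Cisco's own tooling. The config and syslog samples are constructed, and the set of expected usernames is an assumed input the administrator supplies.

```python
import re

# Usernames the advisory names as signs of compromise.
INDICATOR_USERS = {"cisco_tac_admin", "cisco_support"}

# Web UI listener commands and the global-config command that disables each.
WEB_UI_COMMANDS = {
    "ip http server": "no ip http server",
    "ip http secure-server": "no ip http secure-server",
}

# Matches "user: admin" and "user admin" in IOS log lines.
_USER_RE = re.compile(r"\buser\b:?\s*([\w.@-]+)")

# Constructed sample of "show running-config" output (not from the article).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
username admin privilege 15 secret 9 <redacted>
"""

# Constructed sample syslog lines (not from the article).
SAMPLE_LOGS = """\
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.9]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: backupops] [Source: 10.0.0.7]
"""

# Assumed: the accounts the administrator actually created on this device.
EXPECTED_USERS = {"admin"}


def web_ui_exposure(running_config):
    """Return the 'no ...' commands needed to disable each enabled web UI listener."""
    lines = {line.strip() for line in running_config.splitlines()}
    return [fix for cmd, fix in WEB_UI_COMMANDS.items() if cmd in lines]


def suspicious_users(log_text, expected_users):
    """Return users seen in the logs that are advisory IoC names or unknown to the admin."""
    found = set()
    for match in _USER_RE.finditer(log_text):
        user = match.group(1)
        if user in INDICATOR_USERS or user not in expected_users:
            found.add(user)
    return sorted(found)


def assess(running_config, log_text, expected_users):
    """Combine the exposure check and the log IoC check into one report."""
    return {
        "mitigation": web_ui_exposure(running_config),
        "suspicious_users": suspicious_users(log_text, expected_users),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, SAMPLE_LOGS, EXPECTED_USERS))
```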
Threat intelligence provider Censys on Oct. 18 found over 40,000 vulnerable devices, but that number fell to 36,541 within 24 hours.