This Cybersecurity Threat Advisory covers a critical zero-day vulnerability (CVE-2023-20198) in the web user interface (Web UI) of Cisco IOS XE software. An unauthenticated, remote attacker who can reach the Web UI can bypass authentication and create a local account with privilege level 15, which is full administrator access, on affected routers and switches. Because such an account gives complete control of the device and of the traffic passing through it, Cisco advises disabling the HTTP Server feature on all internet-facing systems immediately and monitoring for unexplained user accounts.
What is the threat?
The threat is a maximum-severity (CVSS 10.0) authentication bypass zero-day vulnerability (CVE-2023-20198) in Cisco IOS XE software. It affects any device on which the Web UI feature is enabled, which is the case whenever the HTTP Server (ip http server) or HTTPS Server (ip http secure-server) feature is turned on and the interface is reachable by the attacker. Exploiting the vulnerability lets the attacker create an account with privilege level 15 access and then log in to the device remotely with full control.
Why is it noteworthy?
This threat is noteworthy because the affected products are the routers and switches that carry an organization's traffic, so a compromise reaches far beyond the device itself. Cisco has confirmed active exploitation in the wild, which makes mitigation urgent. In the observed intrusions the attackers first created a privilege 15 account and then installed a Lua-based implant on the device; Cisco later attributed the implant installation to a second vulnerability, CVE-2023-20273. The implant itself does not survive a reboot, but the attacker-created accounts do, so rebooting a device removes the implant without evicting the attacker.
What is the exposure or risk?
The vulnerability exposes affected routers and switches to complete compromise. A successful exploit gives the attacker everything a legitimate administrator has: they can create further privileged accounts, change the running configuration, execute arbitrary commands, intercept or redirect traffic, and use the device as a foothold into the networks behind it. Any organization running Cisco IOS XE with the Web UI enabled, and especially with it reachable from the internet, should consider itself at high risk until the mitigation below is applied.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of potential cyber-attacks:
- Apply security mitigations:
- Disable the HTTP Server feature on all internet-facing systems with the no ip http server and no ip http secure-server commands in global configuration mode. If both the HTTP and HTTPS servers are enabled, both commands are required; confirm with show running-config | include ip http that neither line remains.
- Save the running configuration with the copy running-config startup-config command so the HTTP Server feature is not re-enabled by an unexpected reload. Note that other services on the device may depend on the HTTP server; test the change before rolling it out widely.
- Monitor for suspicious activity:
- Regularly check for unexplained or recently created user accounts, in particular privilege 15 accounts you did not create. The names “cisco_tac_admin” and “cisco_support” have been observed in attacks, but treat any unrecognized account as a sign of compromise.
- Review device logs for Web UI activity by unknown users: %SYS-5-CONFIG_P messages showing a configuration change made programmatically by the SEP_webui_wsma_http process, %SEC_LOGIN-5-WEBLOGIN_SUCCESS messages for accounts you do not recognize, and %WEBUI-6-INSTALL_OPERATION_INFO messages recording files installed through the Web UI.
- Check for the implant with the request Cisco published: curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1". If the response is a hexadecimal string (for example 0123456789abcdef01), the implant is present. Cisco subsequently reported that the implant was modified to answer only when a specific Authorization header is supplied, so an empty or non-hexadecimal response does not prove a device is clean; treat the account and log checks above as authoritative.
- Stay informed:
- Stay up to date with Cisco’s security advisory for this vulnerability and apply the fixed software release for your IOS XE train as soon as it is available; the HTTP Server mitigation reduces exposure but is not a substitute for the fix.
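As an added example, not part of the original advisory or of any Cisco tooling, the following Python script turns the checks above into one triage helper: it parses a saved copy of show running-config for the HTTP/HTTPS server lines and for privilege 15 accounts, scans a syslog excerpt for the Web UI indicators listed above, and classifies the body returned by the implant probe. The sample configuration and log lines are constructed for illustration and are not from a real device; the host name in the usage line, the minimum length used to recognize a hexadecimal response, and the exact wording of the sample log messages are assumptions.

```python
"""Triage helper for CVE-2023-20198 exposure on Cisco IOS XE (added example)."""
from __future__ import annotations

import re
import ssl
import sys
import urllib.request

# Account names reported in the attacks; anything unrecognized should still be investigated.
SUSPICIOUS_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}

# Syslog message types that indicate Web UI activity worth reviewing.
LOG_INDICATORS = (
    "%SYS-5-CONFIG_P",                  # config change made programmatically (Web UI process)
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS",    # successful Web UI login
    "%WEBUI-6-INSTALL_OPERATION_INFO",  # file installed through the Web UI
)

# Constructed sample config and syslog excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$redacted
username cisco_tac_admin privilege 15 secret 9 $9$redacted
ip http server
no ip http secure-server
"""

SAMPLE_SYSLOG = """\
Oct 17 03:12:44.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.23]
Oct 17 03:12:51.377: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on vty0
Oct 17 03:13:02.009: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.0.0.5)
"""


def webui_exposed(running_config: str) -> list[str]:
    """Return the lines that leave the Web UI reachable ('ip http server' / 'ip http secure-server').

    An empty list means both servers are disabled, which is the mitigation Cisco recommends.
    Negated lines ('no ip http ...') do not match because they do not start with 'ip'.
    """
    return [ln.strip() for ln in running_config.splitlines()
            if re.fullmatch(r"ip http (secure-)?server", ln.strip())]


def privileged_accounts(running_config: str) -> dict[str, bool]:
    """Map each local privilege 15 username to whether it is one of the names seen in attacks."""
    found = re.findall(r"^username (\S+) privilege 15\b", running_config, re.MULTILINE)
    return {name: name in SUSPICIOUS_ACCOUNTS for name in found}


def suspicious_log_lines(syslog: str) -> list[str]:
    """Return the log lines carrying any of the Web UI indicators, for analyst review."""
    return [ln for ln in syslog.splitlines() if any(ind in ln for ind in LOG_INDICATORS)]


def implant_present(response_body: str) -> bool:
    """Classify the body returned by POST /webui/logoutconfirm.html?logon_hash=1.

    Cisco's guidance: the implant answers this request with a bare hexadecimal string
    (for example 0123456789abcdef01). The minimum length of 8 is an assumption. A False
    result is not proof of absence: later implant variants required an Authorization header.
    """
    return re.fullmatch(r"[0-9a-fA-F]{8,}", response_body.strip()) is not None


def probe_device(host: str, timeout: float = 5.0) -> bool:
    """Send the implant probe to a live device (network call; the sample run below skips it)."""
    ctx = ssl._create_unverified_context()  # same effect as curl -k (self-signed device certs)
    req = urllib.request.Request(
        f"https://{host}/webui/logoutconfirm.html?logon_hash=1", data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return implant_present(resp.read().decode(errors="replace"))


if __name__ == "__main__":
    print("Web UI exposed via:", webui_exposed(SAMPLE_CONFIG) or "nothing (mitigated)")
    for name, flagged in privileged_accounts(SAMPLE_CONFIG).items():
        print(f"privilege 15 account {name}: {'KNOWN ATTACKER NAME' if flagged else 'verify'}")
    for line in suspicious_log_lines(SAMPLE_SYSLOG):
        print("review:", line)
    if len(sys.argv) > 1:  # e.g. python triage.py 192.0.2.1 (hypothetical host)
        print("implant probe:", "PRESENT" if probe_device(sys.argv[1]) else "not detected")
```

The offline checks work on a saved configuration and log export, so they can be run against a whole estate without touching the devices; the live probe is kept separate and only fires when a host is passed on the command line.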
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.