Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit

Cisco is asking customers to immediately disable the HTTPS Server feature on all of their Internet-facing IOS XE devices to protect against a critical zero-day vulnerability in the Web User Interface of the operating system that an attacker is actively exploiting. 

Cisco IOS XE is the operating system that Cisco uses for its next-generation enterprise networking gear.

The flaw, assigned as CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled. No patch or other workaround is currently available for the flaw, which Cisco described as a privilege escalation issue that enables complete device takeover. Cisco has assigned the vulnerability a maximum possible severity rating of 10 out of 10 on the CVSS scale.

CVE-2023-20198: Maximum-Severity Flaw

"The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access," Cisco said in an advisory on Oct. 16 on the new zero-day bug. "The attacker can then use that account to gain control of the affected system." Privilege level 15 on a Cisco IOS system basically means having complete access to all commands including those for reloading the system and making configuration changes.

An unknown attacker has been exploiting the flaw, to access Cisco, Internet-facing IOS XE devices and drop a Lua-language implant that facilitates arbitrary command execution on affected systems. To drop the implant the threat actor has been leveraging another flaw — CVE-2021-1435 — a medium severity command injection vulnerability in the Web UI component of IOS XE, that Cisco patched in 2021. The threat actor has been able to deliver the implant successfully even on devices that are fully patched against CVE-2021-1435 via an as yet undetermined mechanism, Cisco Talos researchers said in an a separate advisory.

Cisco said it first got wind of the new vulnerability when responding to an incident involving unusual behavior on a customer device on Sept. 28. The company's subsequent investigation showed that malicious activity related to the vulnerability actually may have begun as early as Sept. 18. That first incident ended with the attacker leveraging the flaw to create a local user account with admin privileges from a suspicious IP address.

Malicious Activity Cluster Targets Cisco Networking

On October 12, Cisco's Talos Incident Response Team spotted another cluster of malicious activity related to the flaw. As with the first incident, the attacker initially created a local user account from a suspicious IP address. But this time around, the threat actor took several additional malicious actions including dropping the implant for arbitrary command injection.

"For the implant to become activity, the Web server must be restarted," Cisco Talos said. "In at least one observed case the server was not restarted so the implant never became active despite being installed," Cisco noted. The implant itself is not persistent, meaning that an organization can get rid of it via device reboot.

However, the local user accounts that attackers can create via CVE-2023-20198 are persistent and give attackers continued administrator level access on affected systems even after a device restart. Cisco Talos researchers urged organizations to be on the lookout for new or unexplained users on IOS XE devices as potential evidence that attackers have exploited the flaw. They also provided a command that organizations can use to determine if the implant is present on any affected device.

Immediately Implement Guidance

"We strongly recommend organizations that may be affected by the activity immediately implement the guidance outline in Cisco's Product Security Incident Response Team (PSIRT) advisory," the company said. Cisco has assessed the same threat actor is behind both clusters of malicious activity related to the new flaw.

Cisco IOS XE's Web UI component is a system management feature that allows administrators to provide the system. Cisco describes it as simplifying system deployment and manageability. CVE-2023-20198 is the second significant vulnerability that Cisco has disclosed in the same feature in recent weeks. In September, the company disclosed CVE-2023-20231, a command injection vulnerability that also allowed an attacker to obtain level 15 privileges on IOS XE devices.

Zero-day bugs — and any bugs that enable administrator level privileges — on network technologies such as those from Cisco are especially valuable for attackers. As the US Cybersecurity and Infrastructure Security Agency (CISA) and numerous others have noted, network routers switches, firewalls, load balancers, and other similar technologies are ideal targets because most or all traffic must flow through them.