October 17, 2023: Cisco is warning customers about a new zero-day vulnerability affecting any switch, router, or WLC running its IOS XE software with the web UI exposed to the internet. CISA has added it to its Known Exploited Vulnerabilities catalog; it is tracked as CVE-2023-20198 and has been given the maximum severity rating of 10/10 on the CVSS (Common Vulnerability Scoring System) scale.
The vulnerability affects Cisco IOS XE Software when the web UI feature is enabled, which is done through the ip http server or ip http secure-server commands.
The vulnerability has been exploited in the wild as a privilege escalation issue, with around 30,000 devices found to be infected and under the control of threat actors. A remote, unauthenticated attacker can exploit it to create an account with the highest privilege level (level 15 access), then use that account to take control of the device and open access ports for data exfiltration.
While there are no workarounds that address the vulnerability at this time, administrators can check system logs for the specific log messages that serve as Indicators of Compromise (IoC) to determine whether a system has already been compromised.
Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. There are additional steps to take depending on what is running in your environment:
- Are you running IOS XE?
  - No: the system is not vulnerable – no further action is necessary.
  - Yes: is ip http server or ip http secure-server configured?
    - No: the vulnerability is not exploitable – no further action is necessary.
    - Yes: do you run services that require HTTP/HTTPS communication (for example, eWLC)?
      - No: disable the HTTP Server feature.
      - Yes: if possible, restrict access to those services to trusted networks.
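As an added illustration of the decision tree above (not Cisco's or SecuLore's code), the following Python script walks a saved show running-config through the same checks and reports the effective web UI state and the remediation commands. It assumes the config was exported as plain text and that ip http access-class is the mechanism used to restrict the web UI to trusted networks; the sample config is constructed.

```python
import re

# Constructed sample of a saved "show running-config" excerpt (not from a real
# device): HTTP is explicitly off, the HTTPS web UI is on, no access-class set.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
no ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

def web_ui_status(config_text):
    """Walk the advisory's decision tree over a running-config.

    Returns the effective state of 'ip http server' and 'ip http secure-server',
    the ACL named by 'ip http access-class' (assumed here to be how access is
    restricted to trusted networks), and the remediation commands to apply.
    """
    state = {"http": False, "https": False, "access_class": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        # Later lines win, as they would when the config is applied in order.
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
        else:
            match = re.fullmatch(r"ip http access-class (.+)", line)
            if match:
                state["access_class"] = match.group(1)
    enabled = state["http"] or state["https"]
    actions = []
    if state["http"]:
        actions.append("no ip http server")
    if state["https"]:
        actions.append("no ip http secure-server")
    if enabled and state["access_class"] is None:
        actions.append("if the web UI must stay enabled, restrict it with "
                       "'ip http access-class' to a trusted-network ACL")
    return {"web_ui_enabled": enabled, **state, "actions": actions}

if __name__ == "__main__":
    result = web_ui_status(SAMPLE_CONFIG)
    print("web UI enabled:", result["web_ui_enabled"])
    for cmd in result["actions"]:
        print(" ->", cmd)
```

Run it against a config pulled from each device; any device that reports the web UI as enabled belongs on the remediation list regardless of whether an access-class is present.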
SecuLore™ OverWatch provides continuous network monitoring through our patented Paladin technology to detect vulnerabilities and anomalous behavior in your network. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center to be processed via a unique behavioral analysis that is constantly reviewed by our team of CEH (Certified Ethical Hackers).
Contact SecuLore for more information on getting started with a monitoring option that detects malicious traffic attempting to exploit vulnerabilities on your network.
SecuLore Support Team