Actively Exploited Zero-Day Bug in Cisco IOS XE Gives Attackers Total Admin Access to Affected Devices


Cisco recommends that customers immediately disable the HTTPS Server feature on all Internet-facing devices running the operating system until a fix or other workaround becomes available.

An unknown threat actor is actively exploiting a zero-day vulnerability in the web user interface of Cisco’s IOS XE operating system to drop an implant for arbitrary code execution on affected systems.

Maximum Severity Bug

The vulnerability, identified as CVE-2023-20198, is present in the IOS XE web user interface. It has a maximum severity rating of 10.0 on the CVSS scale. It enables privilege escalation and gives attackers a way to take complete administrator-level control of affected systems.

“Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” Cisco said.

A patch for the flaw is not available yet, and neither are any workarounds, so the only way to protect against it at the moment is to disable the HTTPS Server feature in Internet-facing IOS XE devices. “This is a critical vulnerability, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory,” the company said.

Quick Take
What’s going on? An unknown threat actor is actively exploiting a zero-day privilege escalation bug in the web UI of Cisco’s IOS XE operating system (CVE-2023-20198) to drop an implant for arbitrary code execution.
How severe is the bug? Cisco has assigned the bug the maximum possible severity rating of 10 because it enables attackers to take complete admin control of a vulnerable device [think privilege level 15 on IOS XE].
When did the attacks start? September 18
Where can I find a patch for the flaw? Cisco has not released one yet.
What about a workaround? There isn’t any.
How do I protect against the threat? Cisco wants organizations with Internet-facing IOS XE devices to immediately disable the HTTPS Server feature on them.
Important links:
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability

Attack Chain Includes Previously Patched Bug

Cisco researchers discovered the flaw on September 28 while investigating unusual activity on a customer device. In that incident, the attacker exploited CVE-2023-20198 to set up a local user account on the vulnerable system under the name “cisco_tac_admin” but appeared to take no further steps after that.

On October 12, Cisco researchers observed a fresh cluster of malicious activity targeting CVE-2023-20198. In these attacks, the threat actor once again used the vulnerability to create an unauthorized user account on affected systems, this time under the username “cisco-support”. The attacker then leveraged a second, already patched command injection bug from March 2021, identified as CVE-2021-1435, to drop a 29-line implant written in the Lua programming language. The implant facilitated execution of arbitrary code on the system.

Cisco’s analysis showed the threat actor was able to deliver the implant even on systems fully patched against CVE-2021-1435. Cisco said its researchers have not yet been able to determine what mechanism the threat actor used to bypass the company’s patch for CVE-2021-1435.

The implant becomes active only if the web server is restarted. It is also not persistent, meaning organizations can get rid of it via a device restart. But the unauthorized local accounts that an actor can create via CVE-2023-20198 do persist through device reboots.

Same Threat Actor

“We assess that these clusters were likely created by the same actor. Both clusters appeared close together, with the October activity appearing to build off the September activity,” Cisco said. The vendor surmised that the first attack was about the attacker testing the malicious code and the second cluster was more about the threat actor expanding operations to establish persistent access.

Cisco recommends that organizations check for unexplained or newly created user accounts on their IOS XE devices because that could indicate malicious activity tied to the vulnerability.

The company has also provided a command that organizations can use to verify if the implant is present on their devices:

curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

“DEVICEIP” is a placeholder for the IP address of the device to check, Cisco said.
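The two checks the article describes, reviewing IOS XE running-config for unexplained privilege-15 accounts and interpreting the response to Cisco’s implant-check request, can be automated for a fleet of devices. The following script is an added example and is not code from the article or from Cisco. The sample running-config is constructed; the approved-admin list, the function names and the interpretation of a bare hexadecimal response body as the implant indicator (taken from Cisco’s published guidance, not stated in the article) are assumptions to adapt to your environment.

```python
"""Defender-side checks for the CVE-2023-20198 activity described in the article.

  1. Flag local accounts with privilege level 15 that are not on an approved list
     (the "unexplained or newly created user accounts" Cisco recommends looking for).
  2. Interpret the body returned by Cisco's implant-check request
     (curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1").

Assumptions (not from the article): a response consisting of a hexadecimal string
indicates the implant, per Cisco's published guidance; the sample config and the
approved-admin set below are constructed for illustration.
"""
import re
import ssl
import urllib.request

# Matches "username <name> privilege <n> ..." lines in an IOS XE running-config.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)


def find_unexpected_privileged_accounts(running_config: str, approved: set) -> list:
    """Return local privilege-15 accounts that are not in the approved set."""
    unexpected = []
    for name, level in USERNAME_RE.findall(running_config):
        if int(level) == 15 and name not in approved:
            unexpected.append(name)
    return unexpected


def implant_indicator_present(response_body: str) -> bool:
    """True when the body is a bare hex string (assumed implant indicator per Cisco).

    A normal web UI page (HTML) or an empty body is treated as no indicator.
    """
    body = response_body.strip()
    return bool(body) and re.fullmatch(r"[0-9a-fA-F]+", body) is not None


def check_device(host: str, timeout: float = 5.0) -> bool:
    """Issue the same POST as Cisco's curl command and classify the response.

    Network call against your own device; not exercised by the offline checks.
    The TLS context mirrors curl -k (certificate verification disabled).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    req = urllib.request.Request(url, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return implant_indicator_present(resp.read().decode("utf-8", "replace"))


# Constructed sample running-config: one approved admin, one unexplained
# privilege-15 account named like the one reported in the article, one read-only user.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-router-1
!
username netops privilege 15 secret 9 $9$constructedhash1
username cisco-support privilege 15 secret 9 $9$constructedhash2
username readonly privilege 1 secret 9 $9$constructedhash3
!
ip http secure-server
!
"""

# Assumed list of accounts that are expected to hold privilege 15.
APPROVED_ADMINS = {"netops"}


if __name__ == "__main__":
    print("unexpected privilege-15 accounts:",
          find_unexpected_privileged_accounts(SAMPLE_RUNNING_CONFIG, APPROVED_ADMINS))
    print("hex body flagged:", implant_indicator_present("0123abcd"))
    print("HTML body flagged:", implant_indicator_present("<html><body>ok</body></html>"))
```

Run the config check against output of `show running-config` collected from each device; run `check_device()` only against devices you administer, and treat a flagged response as a reason to follow Cisco’s advisory (restart the device, remove unauthorized accounts, and disable the HTTPS Server feature on Internet-facing interfaces).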