One security vendor says adversary has used bug to infect thousands of IOS XE devices with an implant for remote code execution.
Organizations can protect against the zero-day bug that Cisco disclosed in its IOS XE operating system Monday by restricting access to its HTTP Server feature from untrusted hosts and networks.
That was Cisco’s advice Tuesday as it continued to work on a patch amid one vendor report about a threat actor already having potentially compromised thousands of systems via the flaw. “We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation,” Cisco said in an updated security advisory.
The zero-day vulnerability (CVE-2023-20198) has a severity score of 10—the maximum possible—on the CVSS scale and is present in the web UI of IOS XE. Cisco said it has already investigated multiple incidents where a threat actor exploited the flaw to gain initial access to an affected system and create local user accounts with administrator level (level 15) access on IOS XE devices.
The adversary then dropped an implant on the compromised devices that facilitates arbitrary code execution. As part of the attack chain, the threat actor has leveraged a previously patched vulnerability in IOS XE from 2021 (CVE-2021-1435) to drop the implant, Cisco said. The company is still trying to figure out how exactly the attacker has been able to bypass the patch for the 2021 flaw.
Widespread Infections
Security vendor VulnCheck said a Shodan search showed thousands of Internet-connected IOS XE devices with the implant on them. “Cisco buried the lede by not mentioning thousands of Internet-facing IOS XE systems have been implanted,” VulnCheck said on its blog. “This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”
VulnCheck has released a scanner that organizations can use to find implanted systems on the Internet. The company urged organizations using affected systems to immediately look for signs of compromise on their devices and to take appropriate remedial measures if they have been compromised.
The implant only gets activated if the web server is restarted. Otherwise, it remains dormant even if installed on a system. Cisco itself has described the implant as non-persistent, so an organization can get rid of it by restarting the device. However, any local user accounts that a threat actor creates on an affected system will persist through reboots and will need to be removed. Cisco has provided a command with its advisory that organizations can use to quickly discover whether their system has the implant.
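The two defender-side points in this article are the access-list mitigation on the HTTP Server feature and the attacker-created privilege 15 accounts that survive a reboot. The script below is an added example, not code from the article, Cisco or VulnCheck: it audits a saved copy of an IOS XE running-config for both. The two config samples are constructed, the hostname, usernames and 10.0.0.0/24 management subnet are placeholders, and only the long-standing numbered form of `ip http access-class` is parsed (the named-ACL variant is not handled). It reads text you already captured from the device; it does not connect to anything.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed sample of a "show running-config" excerpt from a still-exposed device:
# two level 15 accounts (one not on the approved list) and the web UI enabled with
# no access-class. Sample data only, not taken from the article or a real device.
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
username netadmin privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

# Constructed sample after applying the advisory's mitigation: a standard ACL that
# permits only the management subnet (placeholder 10.0.0.0/24) is bound to the HTTP
# server with "ip http access-class", plaintext HTTP is off, rogue account removed.
MITIGATED_CONFIG = """\
hostname edge-rtr-1
!
username netadmin privilege 15 secret 9 $9$REDACTED
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
!
no ip http server
ip http secure-server
ip http access-class 10
!
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b")
ACCESS_CLASS_RE = re.compile(r"^ip http access-class\s+(.+?)\s*$")


def config_lines(config: str) -> list[str]:
    """Non-empty config lines, stripped, with IOS '!' separator lines dropped."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def privilege15_users(config: str) -> list[str]:
    """Local accounts with level 15 access; unlike the implant, these survive a reboot."""
    return [m.group(1) for ln in config_lines(config) if (m := USERNAME_RE.match(ln))]


def unexpected_privilege15_users(config: str, approved: set[str]) -> list[str]:
    """Level 15 accounts that are not on the operator's approved list."""
    return [u for u in privilege15_users(config) if u not in approved]


def web_ui_exposure(config: str) -> dict:
    """Whether HTTP/HTTPS are on and which access-class (if any) restricts them."""
    lines = config_lines(config)
    access_class: Optional[str] = None
    for ln in lines:
        m = ACCESS_CLASS_RE.match(ln)
        if m:
            access_class = m.group(1)
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
        "access_class": access_class,
    }


def audit(config: str, approved: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    for user in unexpected_privilege15_users(config, approved):
        findings.append(f"unexpected privilege 15 account: {user}")
    exposure = web_ui_exposure(config)
    if exposure["http"]:
        findings.append("plaintext HTTP server (ip http server) is enabled")
    if (exposure["http"] or exposure["https"]) and exposure["access_class"] is None:
        findings.append("web UI is enabled with no 'ip http access-class' restriction")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(f"[{name}]")
        for finding in audit(cfg, approved={"netadmin"}) or ["no findings"]:
            print("  -", finding)
```

Run it against the output of `show running-config` saved from each device, with `approved` set to the accounts your change records say should exist; any extra level 15 account is the persistent part of the compromise that a reboot does not clear, and a web UI with no access-class is the exposure the advisory's mitigation closes.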