Cisco’s investigation shows the attackers leveraged two previously unknown bugs, not one as initially assumed.
There are two important new developments around CVE-2023-20198, the widely exploited zero-day bug in the web UI of Cisco’s IOS XE software.
Two 0-Day Bugs, Not One
First, Cisco’s investigation into the recent widespread attacks targeting the zero-day bug in its IOS XE software (CVE-2023-20198) has unearthed a second, previously unknown bug in the operating system. The company has assigned it CVE-2023-20273 and a CVSS score of 7.2 out of 10, which falls in the high-severity band of the CVSS scale.
Patch is Ready
The second, and perhaps more important, update is that Cisco has a fix for both issues in its release pipeline. The company expects to start posting fixed versions of IOS XE on Sunday, October 22, 2023. “A fix has been identified and the build, test, and release process has been initiated,” Cisco said in an update on Friday. “The first fixed software releases are estimated to post on Cisco Software Download Center on Sunday, 22 October 2023.”
According to Cisco, the company’s investigation into the attacks involving CVE-2023-20198 showed that the attack chain also involved a second, previously unknown issue.
The first was the maximum-severity zero-day bug that Cisco disclosed on October 16 (CVE-2023-20198). That vulnerability, in the web UI of IOS XE, gave attackers a way to gain initial access to affected systems. The attacker used that access to issue a privilege level 15 command to create a local user and password combination.
Logging in as that newly created user, the attacker then exploited CVE-2023-20273 (the new bug that Cisco disclosed on October 20) to elevate privileges to root and write an implant to the file system.
In its original October 16 advisory, Cisco had described the implant as written in the Lua programming language and as enabling the attacker to execute arbitrary commands on affected systems. At the time, the company said it believed the attackers were dropping the implant by leveraging CVE-2021-1435, a patched command-injection flaw from 2021 in the web UI of IOS XE.
It was not immediately clear from Cisco’s update on Friday whether the company still thinks CVE-2021-1435 is part of the attack chain, now that it has discovered the second zero-day bug (CVE-2023-20273).
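The chain described above leaves two things in a device’s configuration that an operator can check for without waiting on the fixed releases: the web UI being enabled at all, and local accounts at privilege level 15 that nobody on the team created. As an added example (not code from this article, from Cisco, or from the advisory), the Python script below audits an exported IOS XE running-config for both. The sample config, the account names in it, and the EXPECTED_ADMINS allowlist are constructed for the example; only the IOS XE command syntax (username ... privilege N, ip http server, ip http secure-server) is real.

```python
from __future__ import annotations
import re

# Constructed sample of an IOS XE running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
version 17.6
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED1
username svc_backup privilege 15 secret 9 $9$REDACTED2
username monitor privilege 1 secret 9 $9$REDACTED3
username readonly secret 9 $9$REDACTED4
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Accounts the operator is known to have created (assumption for the example).
EXPECTED_ADMINS = {"netadmin"}

# 'username <name> ...', optionally followed by 'privilege <n>'; level 1 is the IOS default.
USERNAME_RE = re.compile(r"^username\s+(?P<name>\S+)(?P<rest>.*)$")
PRIVILEGE_RE = re.compile(r"\bprivilege\s+(?P<level>\d+)\b")


def parse_local_users(config: str) -> dict[str, int]:
    """Map every local account in the config to its privilege level."""
    users: dict[str, int] = {}
    for raw in config.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if not m:
            continue
        p = PRIVILEGE_RE.search(m.group("rest"))
        users[m.group("name")] = int(p.group("level")) if p else 1
    return users


def web_ui_enabled(config: str) -> bool:
    """True if either the HTTP or the HTTPS server of the web UI is configured on."""
    lines = {raw.strip() for raw in config.splitlines()}
    return "ip http server" in lines or "ip http secure-server" in lines


def unexpected_priv15_users(config: str, expected: set[str]) -> list[str]:
    """Privilege 15 accounts that are not on the operator's allowlist."""
    return sorted(
        name
        for name, level in parse_local_users(config).items()
        if level == 15 and name not in expected
    )


def audit(config: str, expected: set[str]) -> dict[str, object]:
    """Combine both checks into one report for a single device config."""
    return {
        "web_ui_enabled": web_ui_enabled(config),
        "unexpected_priv15_users": unexpected_priv15_users(config, expected),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, EXPECTED_ADMINS).items():
        print(f"{key}: {value}")
```

Feed it the saved output of show running-config from each device so the check runs off-box across a fleet of exports. Any privilege 15 account that is not on the allowlist should be traced back to a change record; the web UI being enabled is what exposed CVE-2023-20198 in the first place, so the script reports it and leaves the decision to turn it off to the operator.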
Tens of Thousands of Compromised Systems
By way of background: Cisco disclosed CVE-2023-20198 on October 16 with a warning that an attacker was actively exploiting the flaw to create administrator accounts on affected IOS XE devices and drop a backdoor on them. Several vendors have since reported widespread attacks targeting the flaw. By some estimates, the attacker compromised over 40,000 Internet-exposed devices via the flaw.
According to Internet monitoring firm Censys, as of October 19 the number of systems compromised via CVE-2023-20198 was around 36,540, about 5,000 fewer than the day before.