
Cisco is warning of a highly critical authentication vulnerability in its IOS XE software. It allows hackers to gain full admin privileges, taking over entire systems remotely.

Cisco discovered the highly critical vulnerability CVE-2023-20198 in its IOS XE operating system in late September. Through this vulnerability, hackers can easily take over Internet-connected devices, such as routers and switches, remotely.

The authentication-bypass zero-day vulnerability allows hackers to gain admin privileges at privilege level 15, the highest level on the device. This gives them complete control over the affected devices and a foothold for further unauthorized activity.

Attack path

The Cisco Technical Assistance Center (TAC) detected the vulnerability after unusual behaviour was observed on a customer device. The hackers managed to create a local user account from a suspicious IP address using an authorized user account.

A little later, a “cisco_support” account was created from a second suspicious IP address. The hackers also installed a malicious implant for running arbitrary commands at the system or IOS level.

Cisco indicates that the very critical CVE-2023-20198 vulnerability affects only devices that have the Web UI enabled, meaning the HTTP or HTTPS server feature is switched on.

Solution still expected

The tech giant is currently still working on a fix. In the meantime, users should turn off the HTTP server feature on devices connected to the Internet. Cisco recommends saving the configuration afterward so that the HTTP server feature is not turned on again after a reload.

Other recommendations include checking the configuration and file system for signs of compromise and checking syslog messages for suspicious traffic flows, such as connections from the suspicious IP addresses involved. Administrators should also consider rebooting the affected devices, since the Web shell that may have been planted is not persistent and does not survive a reload.
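The two recommendations above (disable and persistently save the HTTP server setting; inspect the configuration for signs of compromise such as an unexpected level-15 account like the “cisco_support” account mentioned earlier) can be turned into a quick offline check over a saved `show running-config`. The script below is an added example and not Cisco's tooling; the running-config is constructed for illustration, the `KNOWN_ACCOUNTS` allowlist is an assumption you would replace with your own inventory, and the password hashes are placeholders.

```python
import re

# Constructed sample running-config, modelled on an IOS XE device with the
# web UI exposed. Not captured from a real device; hashes are placeholders.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-router
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Accounts the operations team knows it created (assumed; use your own list).
KNOWN_ACCOUNTS = {"admin"}

# IOS XE shows 'ip http server' / 'ip http secure-server' when enabled and the
# 'no ...' form when disabled. Group 1 captures 'no ', group 2 'secure-'.
HTTP_SERVER_RE = re.compile(r"^(no )?ip http (secure-)?server\s*$", re.MULTILINE)
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.MULTILINE)


def http_server_state(config):
    """Return {'http': bool, 'https': bool}: whether each server is enabled."""
    state = {"http": False, "https": False}
    for m in HTTP_SERVER_RE.finditer(config):
        key = "https" if m.group(2) else "http"
        state[key] = m.group(1) is None  # no leading 'no ' means enabled
    return state


def local_accounts(config):
    """Return (username, privilege) tuples; IOS defaults privilege to 1."""
    return [(m.group(1), int(m.group(2) or 1)) for m in USERNAME_RE.finditer(config)]


def unexpected_level15_accounts(config, known=KNOWN_ACCOUNTS):
    """Level-15 local users not in the allowlist: review these by hand."""
    return sorted(u for u, p in local_accounts(config) if p == 15 and u not in known)


def remediation_commands(config):
    """Interim mitigation from the article: disable the HTTP/HTTPS server
    feature, then write the config so a reload does not re-enable it."""
    state = http_server_state(config)
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    if cmds:
        cmds.append("copy running-config startup-config")
    return cmds


if __name__ == "__main__":
    print("HTTP server state:", http_server_state(SAMPLE_RUNNING_CONFIG))
    print("Unexpected level-15 accounts:", unexpected_level15_accounts(SAMPLE_RUNNING_CONFIG))
    print("Suggested remediation:")
    for cmd in remediation_commands(SAMPLE_RUNNING_CONFIG):
        print("  ", cmd)
```

Feed it the output of `show running-config` copied from each Internet-facing device; an empty remediation list and an empty account list mean the Web UI is off and no unknown privileged user is present, while anything else deserves a look at the file system and syslog as the article recommends.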

The vulnerability is not the only IOS XE vulnerability Cisco has encountered this year. Earlier in September, the tech giant warned its customers about the zero-day vulnerability CVE-2023-20109 in its IOS and IOS XE software.
