Cisco warned Monday that hackers are targeting a line of its software via a previously unknown vulnerability.
In addition to publishing an advisory about the issue — which is being tracked as CVE-2023-20198 — the company’s Talos security team published a report describing how it discovered the critical vulnerability.
The vulnerability carries the highest possible CVSS severity score of 10, and Cisco said it “would grant an attacker full administrator privileges, allowing them to effectively take full control of the affected router and allow possible subsequent unauthorized activities.”
CVE-2023-20198 was found in a feature of Cisco IOS XE Software and affects both physical and virtual devices running the software. The feature, called Web UI, aims to simplify deployment, management and user experience.
To address this issue, Cisco urged its customers to disable HTTP server functionality on all Internet-connected systems and noted that the Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly issued the same advice to mitigate risks associated with management interfaces exposed to the Internet. CISA published its own warning on the vulnerability Monday.
There is no workaround to resolve the issue, and no fix is available yet.
Using this vulnerability, hackers can create an account on the affected device and take full control of it.
The vulnerability was discovered while resolving several Cisco Technical Assistance Center support cases in which customers were compromised. The first situation was discovered on September 28. After investigating, Cisco researchers said they found activity related to the bug dating back to September 18.
Cisco Talos incident response teams noticed activity related to the issue last Thursday and issued the advisory on Monday. The company said it had processed “a very small number of cases compared to our normal substantial daily volume.”
“We believe that these groups of activities were likely led by the same actor. The two clusters appeared close to each other, with October activity appearing to build on September activity,” they said.
“The first cluster may have been the actor’s initial attempt to test its code, while October activity appears to show that the actor was expanding its operations to include establishing persistent access via deployment of the implant.”
After exploiting the new vulnerability, the hackers turned their attention to a two-year-old bug — CVE-2021-1435 — which allowed them to install an implant on the affected device. They noted that even devices patched against the old vulnerability had implants installed “via an as-yet undetermined mechanism.”
Users of products with the software should be on the lookout for “unexplained or newly created users on devices as evidence of potentially malicious activity related to this threat.”
Several researchers, including Viakoo Labs Vice President John Gallagher, have linked the vulnerability to another affecting the same software that was announced on October 2.
Gallagher said the vulnerability is a reminder that administrators “need detailed information about their systems in cases like this where no patch is available.”
Mayuresh Dani, threat research manager at Qualys, noted that Cisco did not provide a list of affected devices, meaning any switch, router, or wireless LAN controller running IOS XE with its web UI exposed to the Internet is vulnerable.
“Based on my research using Shodan, there are approximately 40,000 Cisco devices that have their web UI exposed to the Internet,” Dani said, reiterating Cisco’s advice that users should ensure devices are not exposed to the Internet or disable the web UI component on these devices.
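The two defensive steps the article relays from Cisco, disabling the HTTP server and watching for newly created local users, can be checked against a saved running-config. The following is an added example written for this article, not code from Cisco or the Talos report; the config excerpt and the account names in it are constructed, and the baseline of expected users is an assumption the operator supplies.

```python
import re

# Constructed IOS XE running-config excerpt (not captured from a real device).
# The web UI is served by the "ip http server" / "ip http secure-server" lines.
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
username admin privilege 15 secret 9 $9$placeholder
username svc_unknown privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

def audit_ios_xe_config(config_text, known_users):
    """Flag web UI exposure and local accounts missing from the baseline.

    known_users is the set of accounts the operator expects on the device;
    anything else is reported for review, matching the "unexplained or newly
    created users" indicator the article quotes.
    """
    findings = {"http_server": False, "https_server": False, "unexpected_users": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            findings["http_server"] = True
        elif line == "ip http secure-server":
            findings["https_server"] = True
        m = re.match(r"^username (\S+)", line)
        if m and m.group(1) not in known_users:
            findings["unexpected_users"].append(m.group(1))
    return findings

def remediation_commands(findings):
    """Config-mode commands that implement Cisco's 'disable HTTP server' advice."""
    cmds = []
    if findings["http_server"]:
        cmds.append("no ip http server")
    if findings["https_server"]:
        cmds.append("no ip http secure-server")
    return cmds

if __name__ == "__main__":
    result = audit_ios_xe_config(SAMPLE_CONFIG, known_users={"admin"})
    print(result)
    print(remediation_commands(result))
```

The account check is only as good as the baseline it is compared against, so the list of expected users should come from change records rather than from the device itself.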
Jonathan Greig
Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.