CVE-2023-20273: Cisco IOS XE Zero-Day Vulnerability
On October 20, 2023, Cisco disclosed a new high-severity zero-day vulnerability (CVE-2023-20273) that is actively being exploited to deploy malicious implants on IOS XE devices. This vulnerability is chained with another zero-day vulnerability (CVE-2023-20198) that was disclosed earlier this week.
What is CVE-2023-20273?
CVE-2023-20273 is a privilege escalation vulnerability in the Web UI feature of Cisco IOS XE devices. It allows an attacker who has already compromised the device to gain root access and take complete control.
How is CVE-2023-20273 being exploited?
- Initial Breach via CVE-2023-20198: The first vulnerability in this chain, CVE-2023-20198, was revealed earlier last week and is a ticking time bomb. Rated 10 on the Common Vulnerability Scoring System (CVSS) – the highest possible score – it permits attackers to infiltrate IOS XE devices with full administrative powers. This is as bad as it sounds, handing attackers the keys to the kingdom.
- The Second Strike – CVE-2023-20273: After compromising the device through CVE-2023-20198, attackers don’t stop there. They use CVE-2023-20273, a second flaw in the same Web UI feature, to elevate from the administrative account they already hold to root and write a malicious implant to the device. The implant lets the attacker execute any command with root privileges, solidifying their control over the device. This vulnerability, while not as severe as its predecessor, still carries a high CVSS score of 7.2.
What’s commendable here is Cisco’s proactive approach. The company detected the CVE-2023-20273 exploitation using their in-built protections, showcasing the power of in-depth security measures.
What is the impact of CVE-2023-20273?
CVE-2023-20273 can allow an attacker to take complete control of a Cisco IOS XE device. This could allow the attacker to steal data, disrupt operations, or even launch attacks against other devices on the network.
What can I do to protect myself from CVE-2023-20273 and CVE-2023-20198?
Fortunately, Cisco has identified fixes for both vulnerabilities and plans to release them to customers via the Cisco Software Download Center. The slated release date is October 22, just around the corner.
In an official statement, Cisco clarified, “Fixes for both CVE-2023-20198 and CVE-2023-20273 are estimated to be available on October 22. The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity.”
| Cisco IOS XE Software Release Train | First Fixed Release | Available |
|---|---|---|
| 17.9 | 17.9.4a | Yes |
| 17.6 | 17.6.6a | TBD |
| 17.3 | 17.3.8a | TBD |
| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | TBD |
If you are unable to apply the fix immediately, Cisco recommends that you disable the vulnerable HTTP server feature on all internet-facing systems. You should also look for suspicious or recently created user accounts as potential indicators of malicious activity associated with these ongoing attacks.
How can I detect if my device is compromised?
One way to detect the malicious implant on compromised Cisco IOS XE devices is to run the following command against the device (replacing DEVICEIP with the device's address):
curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"
If the command returns a response, then the device is likely compromised.
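As an added example that is not from this page or from Cisco, the following Python script replays that curl check across a list of devices (the addresses are constructed placeholders) and classifies each reply. The hexadecimal-string branch reflects the response shape Cisco's advisory described for the implant, which this page does not mention; the `classify_response`, `probe_device` and `sweep` names are this example's own.

```python
import re
import ssl
import urllib.error
import urllib.request

# Constructed placeholder addresses (RFC 5737 documentation range); replace with your devices.
DEVICES = ["192.0.2.10", "192.0.2.11"]
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"  # the page's curl target
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")

def classify_response(status, body):
    """Turn one device's reply into a verdict string.

    The page treats any reply to this POST as a likely-compromise indicator.
    A body that is purely a hexadecimal string is reported separately because
    that is the response shape Cisco's advisory described for the implant.
    """
    text = body.strip()
    if status is None:
        return "unreachable"
    if not text:
        return "no-indicator"
    if HEX_ONLY.match(text):
        return "implant-hex-response"
    return "unexpected-response"  # got a body; review the device manually

def probe_device(host, timeout=5.0):
    """Send the page's POST to one device; returns (status, body)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # same effect as curl -k: IOS XE web UI
    ctx.verify_mode = ssl.CERT_NONE  # certificates are usually self-signed
    req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # 4xx/5xx replies still carry a body; classify them like any other response
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def sweep(hosts):
    """Return {host: verdict} for every device in hosts."""
    return {host: classify_response(*probe_device(host)) for host in hosts}

if __name__ == "__main__":
    for host, verdict in sweep(DEVICES).items():
        print(f"{host}: {verdict}")
```

Run it from a management host that can reach the devices' web UI; an "unreachable" verdict means the HTTP server is off or filtered, not that the device is clean.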