Are you vulnerable to this unpatched Cisco zero-day?

Summary

CVE-2023-20198 is a recently disclosed Critical Privilege Escalation vulnerability with active exploitation. It is one of the few vulnerabilities which has been disclosed by Cisco with a CVSS score of 10, the highest possible score. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, the highest level. Using this account, the attacker is able to gain control of the affected system.

Impact Assessment

The vulnerability affects Cisco IOS XE Software if the web UI feature is enabled using the “ip http server” or “ip http secure-server” commands. This vulnerability is devastating to any organization using the Cisco IOS XE Software on their Cisco devices, it allows a full take-over of the device and in turn the network.

What it means for you

Any organization which has the Cisco IOS XE Software web UI can and will be subject to an attack on their device(s). There have already been over 10000 Cisco devices which have been backdoored using this vulnerability, allowing a threat actor to remote execute commands at system or OS levels.

Check the following document for all Cisco Router models which have support for Cisco IOS XE:

Cisco Router Models and IOS Software Releases

Remediation

According to Cisco there are no workarounds or patches available yet to remediate.

They have provided recommendations in the form of a decision tree to help determine how to triage and deploy protections to your environment:

Are you running IOS XE?

1. No. The system is not vulnerable. No further action is necessary.
2. Yes. Is ip http server or ip http secure-server configured?
   1. No. The vulnerability is not exploitable. No further action is necessary.
   2. Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
      1. No. Disable the HTTP Server feature.
      2. Yes. If possible, restrict access to those services to trusted networks.

Cisco also states that: “We assess with high confidence, based on further understanding of the exploit, that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation.”

Business Implications

Exploitation of this vulnerability can cause financial loss, reputation loss, and data loss. Data exfiltration is a high possibility along with malware installation. There will have to be an incident response as well as having to lock down any and all devices connected to the affected Cisco product which can halt day-to-day operations. The potential pitfalls which can arise from not patching this vulnerability which could affect the business are countless.

Access Point Technology Recommends

1. Review: Identify which network devices your organization uses and determine if they are vulnerable to this vulnerability.
2. Triage and Deploy protections: After determining if your organization uses any devices which are vulnerable follow the decision tree above to determine how to respond.
3. Stay up to date: Keep track of this vulnerability’s security advisory and patch or apply workarounds immediately when there is one available.

Associated Bulletins

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

https://thehackernews.com/2023/10/warning-unpatched-cisco-zero-day.html