Summary
CVE-2023-20273 is a vulnerability used in conjunction with CVE-2023-20198, a vulnerability we reported last week. It was found by Cisco that threat actors exploited these two issues by first using CVE-2023-20198 to gain initial access to escalate privilege to the highest level in the application to create a local user and password combination. With this local user account created, the attacker than leveraged CVE-2023-20273 to elevate privilege even further to root level and write to the file system.
Impact Assessment
The vulnerability affects Cisco IOS XE Software if the web UI feature is enabled using the “ip http server” or “ip http secure-server” commands. This vulnerability is devastating to any organization using the Cisco IOS XE Software on their Cisco devices. It allows the attacker to obtain root privileges on the device. This level of privilege falls just short of having the device physically with the attacker, allowing for a myriad of consequences if the vulnerabilities are exploited.
What it means for you
Any organization that has the Cisco IOS XE Software web UI with HTTP server enabled is subject to an attack on their device(s). There have already been over 10,000 Cisco devices that have been compromised using this vulnerability, allowing a threat actor to remote-execute commands at root level.
Check the following document for all Cisco Router models which have support for Cisco IOS XE:
Cisco Router Models and IOS Software Releases
Remediation
According to Cisco, they are now rolling out updates for these vulnerabilities as per this advisory. Monitor the page for affected devices and to see whether an update has been released for your hardware. Only IOT Routing, IOT Switching, and Routing/SDWAN type devices have received updates so far. Additional updates are expected to be made available for Switching, Wireless, SP Access, and Pre -Aggregation Router type devices later today, 10/23.
If you use Cisco, enroll in the My Notifications service to get notified immediately when updates to Cisco bug ID CSCwh87343 are made available.
Business Implications
Exploitation of this vulnerability can cause financial loss, reputation loss, and data loss. Data exfiltration is a high possibility along with malware installation. There will have to be an incident response as well as having to lock down all devices connected to the affected Cisco product which can halt day-to-day operations. The potential pitfalls which can arise from not patching this vulnerability which could affect business operations are countless.
Access Point Technology Recommends
- Identify which network devices your organization uses and determine if they are vulnerable to this vulnerability.
- Check for updates and patch: After determining if your organization uses any devices which are vulnerable follow this advisory and or enroll in the Cisco notifications service to check for updates for your devices and patch.
- Follow vendor recommendations: Cisco recommends disabling the HTTP Server feature on all internet-facing systems or restrict access to trusted source addresses.
Associated Bulletins
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html
.webp)
.png)
