CVE-2023-20198 and CVE-2023-20273 affect Cisco IOS XE software if the web UI feature is enabled.

Cisco has released fixes to address two vulnerabilities - CVE-2023-20198 and CVE-2023-20273 - that hackers exploited to compromise tens of thousands of IOS XE devices.

CVE-2023-20198 could allow a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. CVE-2023-20198 has been assigned a CVSS score of 10.0.

CVE-2023-20273 could enable a remote, authenticated attacker to inject arbitrary commands as the root user. CVE-2023-20273 has been assigned a CVSS score of 7.2.

The UK National Cyber Security Centre (NCSC) urged organisations to mitigate the Cisco IOS XE vulnerabilities and follow vendor best practices. The NCSC said it is working with UK organisations known to be impacted and has notified affected businesses signed up for the NCSC Early Warning service.

Vulnerabilities affect Cisco IOS XE Software if web UI feature is enabled

CVE-2023-20198 and CVE-2023-20273 affect Cisco IOS XE Software if the web UI feature is enabled, Cisco said in its advisory. The web UI is an embedded GUI-based system-management tool that provides the ability to provision the system, to simplify system deployment and manageability, and to enhance the user experience. The web UI feature is enabled through the ip http server or ip http secure-server commands.

"Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses," the company wrote. "To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode." If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature, Cisco added.
The following decision tree can be used to help determine how to triage an environment and deploy protections, according to Cisco:

Are you running IOS XE?
  No: The system is not vulnerable. No further action is necessary.
  Yes: Is ip http server or ip http secure-server configured?
    No: The vulnerabilities are not exploitable. No further action is necessary.
    Yes: Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
      No: Disable the HTTP Server feature.
      Yes: If possible, restrict access to those services to trusted networks.

Several Cisco bugs discovered recently

Cisco has had a busy last two months, with six high- to critical-severity vulnerabilities found in its products. CVE-2023-20198, the bug that allows unauthenticated users to create an account on the affected system with "level 15" privileges, was itself discovered by the company while resolving TAC support cases, thanks to an existing detection rule for an older vulnerability, CVE-2021-1435.

As per the Cisco advisory, there are no workarounds available for the vulnerability, and the only recommendation the company provided is to disable the HTTP Server feature on all internet-facing systems until the patches are deployed. As for indicators of compromise, the company has advised users to look for new or unknown usernames in the configuration-change messages that are generated each time the web UI feature is accessed.

Cisco also confirmed on October 19 that it is affected by the high-severity (CVSS 7.5) HTTP/2 Rapid Reset vulnerability, CVE-2023-44487, which Google, Amazon AWS, and Cloudflare jointly reported last week as being exploited as a zero-day. The vulnerability abuses a weakness in the HTTP/2 protocol to generate very large distributed denial-of-service (DDoS) attacks.
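The decision tree above and the two checks the article recommends (whether ip http server / ip http secure-server is configured, and whether any unexpected privilege-15 accounts exist) can be automated against the text of a saved running-config. The script below is an added example written for this article, not Cisco's tooling; the sample configuration is constructed, the function and dataclass names are the author's own, and whether the device runs a service that needs the web UI (the eWLC branch of the tree) is passed in as a flag, since that cannot be read reliably from the config.

```python
"""Triage a Cisco IOS XE running-config against Cisco's published decision tree.

Added illustration, not Cisco's own tooling. The sample config is constructed.
"""
import re
from dataclasses import dataclass

# Lines that enable the web UI (the feature CVE-2023-20198/20273 need).
HTTP_RE = re.compile(r"^ip http (secure-)?server\b")
# Local accounts with an explicit privilege level; lines without the keyword
# default to privilege 1 and are ignored on purpose.
USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b")

# Constructed sample: two privilege-15 accounts, one of them not in the baseline.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
version 17.6
hostname edge-router
username netadmin privilege 15 secret 9 <redacted>
username svc_backup privilege 15 secret 9 <redacted>
username helpdesk privilege 5 secret 9 <redacted>
ip http server
ip http secure-server
ip http authentication local
"""


@dataclass
class Triage:
    http_commands: list          # web UI enabling lines found in the config
    privilege15_users: list      # every account with privilege 15
    unknown_privilege15_users: list  # privilege-15 accounts not in the baseline
    verdict: str                 # outcome of Cisco's decision tree
    remediation: list            # global-config commands to disable the web UI


def parse_config(config: str):
    """Return (web UI enabling lines, {username: privilege}) from config text."""
    http_cmds, users = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if HTTP_RE.match(line):
            http_cmds.append(line)
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return http_cmds, users


def triage(config: str, expected_admins, needs_http: bool = False,
           is_ios_xe: bool = True) -> Triage:
    """Walk Cisco's decision tree and flag unexpected privilege-15 accounts.

    expected_admins: the privilege-15 usernames the operator knows they created.
    needs_http: True when a service such as eWLC requires HTTP/HTTPS on this box.
    """
    if not is_ios_xe:
        return Triage([], [], [], "not vulnerable: not IOS XE", [])
    http_cmds, users = parse_config(config)
    priv15 = sorted(u for u, p in users.items() if p == 15)
    unknown = sorted(set(priv15) - set(expected_admins))
    if not http_cmds:
        verdict = "not exploitable: HTTP server feature not configured"
        remediation = []
    elif needs_http:
        verdict = "exposed: restrict web UI access to trusted source addresses"
        remediation = []
    else:
        verdict = "exposed: disable the HTTP server feature"
        # Both commands are needed when both servers are enabled, so negate
        # exactly the lines that were found.
        remediation = ["no " + c for c in http_cmds]
    return Triage(http_cmds, priv15, unknown, verdict, remediation)


if __name__ == "__main__":
    result = triage(SAMPLE_CONFIG, expected_admins={"netadmin"})
    print("verdict:", result.verdict)
    print("privilege-15 users:", result.privilege15_users)
    print("unknown privilege-15 users (investigate):", result.unknown_privilege15_users)
    for cmd in result.remediation:
        print("configure terminal ->", cmd)
```

Feed it the output of show running-config saved from each device, keep the baseline of expected privilege-15 accounts in version control, and treat any name that turns up in unknown_privilege15_users as an indicator that needs investigation before the HTTP server is disabled, so that the evidence is preserved. A device that truly needs the web UI (the eWLC branch) gets no disable commands and should instead have access to the service restricted to trusted networks.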