Cisco has remedied two vulnerabilities (CVE-2023-20198 and CVE-2023-20273) that were recently exploited by a threat actor to breach a multitude of IOS XE devices. Over the past week, these vulnerabilities were used as zero-days to compromise more than 50,000 Cisco IOS XE hosts. Following the security incident, Cisco has made the first fixed software release available through its Software Download Center. At present, the initial fixed release is 17.9.4a, with undisclosed dates for future updates.
Both vulnerabilities, collectively known as CSCwh87343, are located in the web UI of Cisco devices running the IOS XE software. CVE-2023-20198 carries the maximum severity rating of 10/10, while CVE-2023-20273 has a high severity score of 7.2. The threat actor exploited the critical flaw to obtain initial access to the device and then issued a 'privilege 15 command' to establish a regular local account.
In Cisco devices, command permissions are tiered from zero to 15, with zero offering five basic commands and 15 being the most privileged level, providing full control over the device. The attacker used CVE-2023-20273 to elevate the privileges of the newly created local user to root and introduced a malicious script into the file system. The implant, however, does not persist and will be removed upon a system reboot.
Cisco warns that the vulnerabilities can be exploited if the device's web UI (HTTP Server) feature is activated, which can be done through the 'ip http server' or 'ip http secure-server' commands. Administrators can verify if the feature is active by running the 'show running-config | include ip http server|secure|active' command to check the global configuration for the 'ip http server' or the 'ip http secure-server' commands. 'The presence of either command or both commands in the system configuration indicates that the web UI feature is enabled' - Cisco.
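As an added example (not part of the article or any Cisco tooling), the following Python script applies Cisco's web UI check to a saved copy of `show running-config` output and additionally lists local accounts configured at privilege 15 so they can be compared against a known administrator list. The sample configuration, hostname and usernames are constructed.

```python
import re
from typing import List, Set

# Constructed sample of IOS XE `show running-config` output (not captured
# from a real device); the secrets are placeholders.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""

def web_ui_enabled(running_config: str) -> List[str]:
    """Return the global 'ip http server' / 'ip http secure-server' lines
    present in the config. A non-empty list means the web UI is enabled,
    which is the condition Cisco's advisory describes."""
    pattern = re.compile(r"^ip http (?:secure-)?server\s*$", re.MULTILINE)
    return [m.group(0).strip() for m in pattern.finditer(running_config)]

def privilege_15_users(running_config: str) -> List[str]:
    """Return local usernames configured at privilege 15 (full control)."""
    pattern = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)
    return pattern.findall(running_config)

def unexpected_admins(running_config: str, expected: Set[str]) -> List[str]:
    """Privilege-15 accounts absent from the administrator's own allow-list.
    An unknown account matches the attacker behaviour described above."""
    return [u for u in privilege_15_users(running_config) if u not in expected]

def remediation_commands(running_config: str) -> List[str]:
    """IOS commands that disable whichever HTTP server variants are active.
    'no ip http server' / 'no ip http secure-server' are standard IOS
    configuration commands; the article itself does not quote them."""
    return ["no " + line for line in web_ui_enabled(running_config)]

if __name__ == "__main__":
    cfg = SAMPLE_RUNNING_CONFIG
    print("web UI lines:", web_ui_enabled(cfg))
    print("privilege 15 users:", privilege_15_users(cfg))
    print("unexpected admins:", unexpected_admins(cfg, {"netadmin"}))
    print("remediation:", remediation_commands(cfg))
```

Disabling the HTTP server removes the exposure but also removes any legitimate web management, so confirm that no required service (such as a license or device-management integration) depends on it before applying the remediation commands.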
When Cisco disclosed CVE-2023-20198 on October 16 as a zero-day exploited in the wild, security researchers began searching for compromised devices. Initial estimates suggested that around 10,000 vulnerable Cisco IOS XE devices had been infected by Tuesday. The number rapidly escalated to over 40,000 as more researchers joined the hunt. On October 20, Cisco disclosed the second zero-day being exploited in the same campaign to gain full control of systems running the IOS XE software. However, over the weekend, researchers noticed that the number of Cisco IOS XE hosts compromised through the two zero-day vulnerabilities had fallen sharply, from roughly 60,000 to a few hundred. The cause of this sudden drop remains unclear; one speculation is that the attacker deployed an update to conceal their activity, so that the malicious implants are no longer detectable in scans.
Piotr Kijewski, the CEO of The Shadowserver Foundation, reported a sharp decline in implants since October 21 to just 107 devices. The sudden decrease could also be attributed to a grey-hat hacker automatically rebooting infected devices to remove the malicious implant. The definitive cause will remain unknown until Cisco completes its investigation and releases a public report, or other security researchers analyze a breached Cisco IOS XE system and arrive at a conclusion.