Cisco pushes update to stop exploitation of two IOS XE zero-days

Cisco has released free software updates to address two vulnerabilities affecting the web user interface (UI) feature of its IOS XE software, which are now available via the Cisco Software Download Centre.

The updates protect against an exploitation of CVE-2023-20198, first disclosed earlier in October, that as previously reported, enabled an undisclosed, remote, unauthenticated attacker to set up an account on a vulnerable system.

However, further to our previous reporting, it is now known the threat actor in question also exploited a second vulnerability, which is now being tracked as CVE-2023-20273, that exploits another component of the web UI feature and enables the newly created local user to elevate privileges to root level, and thus write a malicious implant to the victims’ system.

It had been thought the threat actor had been exploiting an older flaw dating to 2021 to do this, but Cisco now says this is not the case.

Cisco is still advising customers running IOS XE to apply the updates, but also to disable the HTTP Server feature on all internet-facing systems, or restrict access to trusted source addresses. “Cisco is committed to transparency,” said a Cisco spokesperson. “When critical security issues arise, we handle them as a matter of top priority, so our customers understand the issues and know how to address them.

“On October 16 we published a security advisory informing customers about active exploitation of a previously unknown vulnerability, urging them to take immediate action to keep them safe. Through ongoing investigation, we uncovered that the attacker combined two vulnerabilities to bypass security measures – the first for initial access and the second to elevate privilege once authenticated.

“We have now identified a fix that covers both vulnerabilities and estimate initial releases will be available to customers starting October 22,” they said. “However, there are actions customers can take immediately. We strongly urge customers to take these immediate actions as further outlined in our updated security advisory and Talos blog.”

Mystery surrounds sudden fall in compromised device volumes

Researchers tracking the exploitation of the two zero-days had at first observed that known compromises of vulnerable systems seemed to be rising at a significant rate.

However, as initially reported by Bleeping Computer, over the weekend of 21 and 22 October 2023, the number of compromised devices on which the malicious implant had been installed dropped rapidly from many tens of thousands to as few as a couple of hundred, depending on whose data you read.

Researchers at Onyphe said they still saw “roughly” the same number of vulnerable devices online, but the majority of them now contained no evidence of the implant.

They suggested the most likely explanation was that the attackers have taken steps to cover their tracks or have moved onto another stage of their exploit chain that has not yet been spotted.

There is also an outside chance the threat actors have botched their operation, or that an ethical hacker has been conducting their own cleanup operation, but these theories are thought to be less likely.