CVE-2023-20198 Cisco IOS XE Compromise





    Threat: Critical (CVSS 10.0) Cisco IOS XE compromise

    MixMode Threat Brief: CVE-2023-20198 Cisco IOS XE Compromise

    On Monday, October 16, 2023, Cisco disclosed an actively exploited zero-day vulnerability that received the maximum Common Vulnerability Scoring System (CVSS) score of 10.0 (Critical).

    Cisco has uncovered active exploitation of a previously undisclosed vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software, tracked as CVE-2023-20198, on devices whose Web UI is exposed to the internet or to untrusted networks. The vulnerability affects both physical and virtual devices running Cisco IOS XE software with the HTTP Server or HTTPS Server feature enabled. Successful exploitation lets an unauthenticated, remote attacker create an account with privilege level 15 (full administrative) access, effectively handing the attacker complete control of the compromised device.

    In response, Cisco’s security advisory strongly recommends disabling the HTTP Server feature on all internet-facing systems. This is in line with industry best practice and with guidance previously issued by the U.S. government on mitigating the risks of internet-exposed management interfaces.

    Cisco’s support centers worked closely with its security teams, using a range of methods and procedures to search their normally substantial daily case volume for similar indicators and correlate them. Only a very small number of matching cases were identified.

    Given the severity of this vulnerability, affected organizations should promptly implement the measures detailed in Cisco’s PSIRT advisory to safeguard their systems and networks.

    Attacker Details

    While the identity of the attackers remains unknown, several concerning details have come to light. The Talos Intelligence team has observed two in-the-wild indicators: 5.149.249[.]74 and 154.53.56[.]231. An appropriate degree of skepticism must always be applied during hunting or investigation, but according to OSINT repositories the following appears to be true:

    1. The first IP address is located in the Netherlands and is assumed to be a compromised third-party host. It hosts a number of websites, many of them adult-oriented and not safe for work. OSINT location and ownership: Netherlands, North Holland, Amsterdam; Hostzealot LTD; AS59711 HZ Hosting Ltd.

    2. The second IP address is located in Seattle, Washington, at the hosting provider Nubes, LLC. AS40021 appears to host a number of websites associated with Bolivian TLDs (.bo).

    It is critical to understand that this is not an indictment of any particular host, hosting provider, or business. It is highly likely that these external pivot points are themselves compromised machines; the overall reputation of the IPs and ASNs associated with this campaign is otherwise generally positive.

    References

    Initial disclosure (Cisco Talos): https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/

    Rapid7: https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitation-of-cisco-ios-xe-zero-day-vulnerability/

    MixMode’s Analysis

    The simplicity of this attack is what makes it so dangerous. The exploit is straightforward to detect if operators and administrators know to look for it, and a needle in a haystack if they do not. As general guidance, monitor all external traffic to the management ports of critical infrastructure with MixMode and a combination of sensors, and pay close attention to the geographic spread of connections to management interfaces. Allowing any access to management interfaces from external machines is exceptionally risky, let alone over unencrypted HTTP. Note, however, that in the case of this CVE encryption does not mitigate the attack: the flaw is in the Web UI itself and is reachable over HTTPS just as over HTTP.
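    The following Python script is an added example written for this brief; it is not MixMode, Cisco or Talos code. It shows what "knowing what to look for" means in practice: it triages constructed firewall connection records for traffic to management ports from external or known-bad sources, scans constructed IOS XE syslog lines for the two messages Talos associated with this activity (`%SYS-5-CONFIG_P ... SEP_webui_wsma_http` and `%WEBUI-6-INSTALL_OPERATION_INFO`), and lists privilege-15 accounts in a running-config that are not on an expected list. The two IP indicators are the ones quoted above; the syslog patterns and the usernames `cisco_tac_admin` and `cisco_support` come from the Talos disclosure in the References section. The log layouts, port list, internal ranges and allowlist are assumptions for illustration and must be adapted to your environment.

```python
"""Triage helpers for hunting CVE-2023-20198 activity on Cisco IOS XE devices.

Added example for this brief, not MixMode, Cisco or Talos code. All sample
inputs are constructed. IP indicators are quoted in the brief; syslog patterns
and usernames are from the Talos disclosure. Log layouts, ports, internal
ranges and the allowlist are assumptions to adapt to your environment.
"""
import ipaddress
import re

# In-the-wild indicators quoted in this brief (defanged in the text).
KNOWN_BAD_IPS = {"5.149.249.74", "154.53.56.231"}
# Ports the IOS XE Web UI (HTTP/HTTPS) and SSH typically listen on (assumption).
MGMT_PORTS = {80, 443, 22}
# Your own address space; anything outside it is treated as external (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Usernames Talos observed being created on compromised devices.
SUSPICIOUS_USERS = {"cisco_tac_admin", "cisco_support"}
# Syslog messages Talos associated with the activity: a config change pushed
# programmatically by the Web UI process, and a file installed via the Web UI.
CONFIG_BY_WEBUI = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http")
WEBUI_INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), Install Operation: ADD (\S+)")
# `username <name> privilege 15 ...` lines in a running-config.
PRIV15_USER = re.compile(r"^username (\S+) privilege 15\b")
# Constructed firewall record layout: key=value fields (assumption).
CONN_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def is_external(ip):
    """True when ip lies outside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage_connections(lines, allowlist=()):
    """Return (src, dst, dport, reasons) for records worth an analyst's eye.

    A known indicator is flagged on any port; the other checks apply only to
    management ports. allowlist holds CIDRs (e.g. NOC jump hosts) that may
    legitimately reach management interfaces from outside.
    """
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        reasons = []
        if src in KNOWN_BAD_IPS:
            reasons.append("known-indicator")
        if dport in MGMT_PORTS:
            src_ip = ipaddress.ip_address(src)
            if is_external(src) and not any(src_ip in n for n in allowed):
                reasons.append("external-source-not-allowlisted")
            if dport == 80:  # cleartext management; risky regardless of this CVE
                reasons.append("cleartext-http")
        if reasons:
            hits.append((src, dst, dport, reasons))
    return hits


def triage_syslog(lines):
    """Return (kind, detail) for syslog lines matching the Talos patterns."""
    findings = []
    for line in lines:
        if CONFIG_BY_WEBUI.search(line):
            findings.append(("config-by-webui", line.strip()))
        m = WEBUI_INSTALL.search(line)
        if m:
            findings.append(("webui-install", f"user={m.group(1)} file={m.group(2)}"))
    return findings


def unexpected_priv15_users(running_config, expected_users):
    """Privilege-15 usernames in the config that are not in expected_users."""
    found = []
    for line in running_config.splitlines():
        m = PRIV15_USER.match(line.strip())
        if m and m.group(1) not in expected_users:
            found.append(m.group(1))
    return found


# Constructed sample inputs (not real captures).
SAMPLE_CONN_LOG = [
    "2023-10-17T01:02:03Z src=5.149.249.74 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2023-10-17T01:02:09Z src=198.51.100.7 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2023-10-17T01:03:44Z src=192.0.2.55 dst=203.0.113.10 dport=80 proto=tcp action=allow",
    "2023-10-17T01:04:00Z src=10.0.0.5 dst=203.0.113.10 dport=22 proto=tcp action=allow",
    "2023-10-17T01:05:00Z src=154.53.56.231 dst=203.0.113.10 dport=8443 proto=tcp action=deny",
]
SAMPLE_ALLOWLIST = ["198.51.100.0/24"]  # e.g. the NOC's jump hosts (assumption)
SAMPLE_SYSLOG = [
    "Oct 17 01:02:10.123: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5]",
    "Oct 17 01:02:12.456: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "Oct 17 01:02:15.789: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD sample.conf",
]
SAMPLE_RUNNING_CONFIG = """\
username admin privilege 15 secret 9 REDACTED
username cisco_tac_admin privilege 15 secret 9 REDACTED
username netops privilege 1 secret 9 REDACTED
"""

if __name__ == "__main__":
    for src, dst, dport, reasons in triage_connections(SAMPLE_CONN_LOG, SAMPLE_ALLOWLIST):
        print(f"CONN  {src} -> {dst}:{dport}  {', '.join(reasons)}")
    for kind, detail in triage_syslog(SAMPLE_SYSLOG):
        print(f"LOG   {kind}: {detail}")
    for user in unexpected_priv15_users(SAMPLE_RUNNING_CONFIG, {"admin"}):
        tag = " (name seen by Talos)" if user in SUSPICIOUS_USERS else ""
        print(f"USER  unexpected privilege-15 account: {user}{tag}")
```

    The syslog and running-config checks complement rather than replace the network view: a device that has already been compromised will show the programmatic configuration change and the new account even if the attacker's source address has since rotated. On the device itself, `show running-config | include username` lists local accounts and `show running-config | include ip http` shows whether `ip http server` or `ip http secure-server` is enabled; Cisco's advisory recommends disabling both (`no ip http server` and `no ip http secure-server`) on internet-facing systems.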

    Management interfaces for core infrastructure are among the ‘crown jewels’ of IT infrastructure, and the utmost care must be taken at all times to determine whether they are being abused for any reason.

    About MixMode

    MixMode’s patented, self-supervised learning Platform is designed to detect known and unknown threats like this in real-time across cloud, hybrid, or on-prem environments. Large enterprises with big data environments, including global entities in financial services, fortune 1K commercial enterprises, critical infrastructure, and government sectors, trust MixMode to protect their most critical assets.

    Ready to join the next wave of Cybersecurity?

    Stop wasting time and money with outdated threat detection solutions, get a demo of MixMode today and learn how you can improve your security capabilities.