Cisco identifies another IOS XE vulnerability, with patches coming this weekend

Cisco has identified a second issue connected to a popular software line after security experts raised concerns throughout the week about thousands of potential victims affected by a zero-day bug.

Earlier this week, Cisco released an advisory and a detailed blog post about CVE-2023-20198 — warning defenders that it carries the highest severity CVSS score possible of 10 and was being exploited by hackers. A patch was not available to address the issue, and Cisco urged customers to make sure that affected devices were not accessible from the internet.

In a statement to Recorded Future News on Friday, the tech giant said a patch would be available for the issue on Sunday.

The company also addressed a specific issue raised in the blog that had caused alarm among experts. Cisco initially said that during attacks involving the vulnerability, their incident responders observed hackers also exploiting CVE-2021-1435, which Cisco had patched in 2021.

Devices fully patched against that bug were seen infected by implants successfully installed “through an as of yet undetermined mechanism.”

Cisco updated its advisory on CVE-2023-20198 to include a new vulnerability — tracked as CVE-2023-20273 — that addresses this specific issue. They updated the blog to explain that the patch coming on Sunday will address both bugs. They added that the CVE-2021-1435, the vulnerability patched in 2021, “is no longer assessed to be associated with this activity.”

“On October 16 we published a security advisory informing customers about active exploitation of a previously unknown vulnerability, urging them to take immediate action to keep them safe. Through ongoing investigation, we uncovered the attacker combined two vulnerabilities to bypass security measures (the first for initial access and the second to elevate privilege once authenticated),” a spokesperson said.

“We have now identified a fix that covers both vulnerabilities.” The issue affects Cisco routers, switches, access points, wireless controllers and more.

Josh Foster, technical manager at cyber defense company Horizon3.ai, told Recorded Future News that hackers exploiting the bug are able to monitor network traffic; eavesdrop on privileged network communications; inject and redirect network traffic; breach protected network segments, and use the compromised device as a “persistent beachhead to the network as there is a lack of detection/protection solutions for these devices and they can often go overlooked during patch-cycles until a disruption to user activity is noticed.”

Foster outlined a range of short- and long-term options victims have for addressing the issue in a blog on Friday.

36,541 compromises

The vulnerability, which grants an attacker full administrator privileges and allows them to effectively take full control of an affected router, left defenders scrambling all week.

Several security companies said they found thousands of exposed and compromised devices online. Research firm Censys identified 41,983 infected hosts on October 18. That number had dropped to 36,541 by Thursday. VulnCheck published a scanner that can be used to find implanted systems on the internet.

CERT Orange Cyberdefense said it found over 34,500 Cisco IOS XE IPs compromised by CVE-2023-20198 with implants.

Another company, GreyNoise, confirmed that more than 40,000 Cisco IOS devices had their web admin interfaces exposed to the internet and fell victim to the latest round of implant attacks.

“Cisco buried the lede by not mentioning thousands of internet-facing IOS XE systems have been implanted,” VulnCheck’s Jacob Baines said earlier this week

“VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”

Cisco said it has been observing attacks since September 28 and a spokesperson reiterated its advice that customers should disable the HTTP server feature on internet-facing devices while a patch is worked on.

Experts with the cybersecurity company Rapid7 said they are currently responding to multiple incidents involving the vulnerability.

The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its list of exploited bugs and gave federal civilian agencies until Friday to verify that instances of Cisco IOS XE Web UI are not exposed to the internet.

CISA urged government agencies to “follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.”

Earlier this month, Cisco released an advisory of another vulnerability affecting the same software.