Advisory ID: NCC-CSIRT-201023-039
Summary: Security experts at VulnCheck have identified a severe zero-day vulnerability in Cisco devices running IOS XE software. This vulnerability has been actively exploited by an unidentified threat actor to establish unauthorized access to susceptible networks. Successful exploitation grants the threat actor the ability to remotely execute commands at the core levels of the compromised device, including the underlying system level and the IOS level.
Threat Type(s): Vulnerability, Man-in-the-middle attack
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Cisco Switch, Router, or Wireless LAN Controller.
Platform(s): Web User Interface of Cisco IOS XE Software
Version(s): All Versions
Description: As per the findings of the researchers, Cisco devices, both physical and virtual, running Cisco IOS XE software and having the HTTP or HTTPS Server feature enabled are susceptible to the identified exploit. Furthermore, as stated by Cisco's Talos security team, successfully exploiting this critical zero-day vulnerability permits an attacker to establish an account on the impacted device with Privileged EXEC mode (equivalent to Privilege level 15 access). Privileged EXEC mode in Cisco IOS grants full control over the compromised device, potentially enabling unauthorized actions. Subsequently, the attacker can employ this account to take command of the affected system.
Consequences: Having privileged access on the IOS XE potentially enables attackers to observe network traffic, infiltrate secured networks, and execute various man-in-the-middle attacks.
Solution:
- Cisco users should disable the HTTP/HTTPS server feature on all internet-facing devices.
- Cisco users should safeguard their devices by applying an interim solution to prevent vulnerable devices from being exploited. Look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. Cisco advised running the following command against the device to identify whether the implant is present: curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"
- Users should conduct comprehensive scans to identify any devices that have been compromised. An open-source tool to scan for the malicious implant, made available by VulnCheck, is accessible via the following link: https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
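As an added example (not part of this advisory, Cisco's guidance, or VulnCheck's scanner), the following Python script performs the Talos implant check from the previous bullet against a list of devices and also flags privilege-15 accounts in a running-config that are not on an approved list; Cisco Talos stated that a bare hexadecimal string in the response to that POST indicates the implant is present. The minimum hex length, the sample config excerpt and the approved-user list are assumptions.

```python
import re
import ssl
import urllib.error
import urllib.request

# Probe path from the Cisco Talos check quoted in the advisory.
IMPLANT_PROBE_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# Talos: the implant answers this POST with a bare hexadecimal string (length threshold assumed).
HEX_BODY = re.compile(r"^\s*[0-9a-fA-F]{8,}\s*$")
# Matches "username <name> privilege 15 ..." lines in an IOS XE running-config.
PRIV15_USER = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)


def implant_indicator(body: str) -> bool:
    """True if the HTTP body is a bare hex string rather than a normal web UI page."""
    return bool(HEX_BODY.match(body))


def unexpected_privileged_users(running_config: str, expected: set) -> set:
    """Privilege-15 usernames in the config that are not on the approved list."""
    return {m.group(1) for m in PRIV15_USER.finditer(running_config)} - expected


def probe_device(host: str, timeout: float = 10.0) -> tuple:
    """Equivalent of the advised curl -k -X POST; returns (verdict, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # like curl -k: management UIs often use self-signed certs
    req = urllib.request.Request(f"https://{host}{IMPLANT_PROBE_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return "error", str(exc)
    return ("implant" if implant_indicator(body) else "clean"), body[:64]


# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
ip http secure-server
"""

if __name__ == "__main__":
    import sys
    print(unexpected_privileged_users(SAMPLE_CONFIG, {"netadmin"}))  # {'svc_backup'}
    for host in sys.argv[1:]:  # device IPs or hostnames to probe
        print(host, *probe_device(host))
```

Run it with the management addresses of in-scope devices as arguments; a verdict of "implant" warrants the full incident response steps in the Solution section, and an "error" usually means the web UI is already disabled or unreachable.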
References:
https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://www.securityweek.com/tens-of-thousands-of-cisco-devices-hacked-via-zero-day-vulnerability/
https://www.securityweek.com/cisco-devices-hacked-via-ios-xe-zero-day-vulnerability/
https://www.infosecurity-magazine.com/news/cisco-critical-vulnerability-ios/
https://news.hitb.org/content/actively-exploited-cisco-0-day-maximum-10-severity-gives-full-network-control