Threat Alert: CVE-2023-20198 and CVE-2023-20273
Cisco Zero Day Vulnerabilities
On 10.16.2023, a Cisco zero-day vulnerability in the web UI component of IOS XE, CVE-2023-20198, was disclosed with a severity rating of ten out of ten. Exploitation of this vulnerability has reportedly allowed threat actors to compromise over 10,000 Cisco devices to date.
It was initially believed the attackers were exploiting CVE-2021-1435, an older IOS XE command injection, to deploy a Lua-based implant that enabled execution of arbitrary commands. However, this attack was detected on patched systems, which indicated another zero-day was involved.
Earlier today, Cisco reported a second zero-day, CVE-2023-20273, a privilege escalation flaw in the web UI feature that is being used to deliver the implant. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. Privilege level 15 on Cisco devices allows full access to all commands such as reload, as well as the ability to make configuration changes.
Quadrant Security Notes / Recommendations
Patches have been released for both vulnerabilities. Quadrant recommends installing these patches on affected systems and rebooting the device(s). The implant for CVE-2023-20198 is removed after the device is rebooted.
Quadrant also recommends auditing account creations on affected systems over the last few weeks for any account created with privilege level 15 access.
Quadrant has created detections based on Cisco’s Indicators of Compromise that check for web login activity to determine if any user credentials have been compromised.
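As an added example, not Quadrant's detection content or Cisco's IoC list, the following Python audit applies the two recommendations above: it lists privilege-15 accounts in a running-config export and flags web UI logins by users outside a known-admin baseline or from outside trusted management networks. The config excerpt and syslog lines are constructed, and the login message layout is an assumption modelled on the IOS XE syslog format.

```python
"""Audit helpers for the two checks recommended above (added example, not
Quadrant's detections). Sample data is constructed; the log message layout is
an assumption modelled on IOS XE syslog, not copied from Cisco's advisory."""
import ipaddress
import re
from typing import Iterable

# "username <name> privilege <n> secret ..." lines from a running-config export
PRIV_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.M)
# successful web UI login message (assumed layout)
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGINSUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]")

def priv15_accounts(running_config: str) -> set[str]:
    """Every username configured with privilege level 15."""
    return {name for name, lvl in PRIV_RE.findall(running_config) if int(lvl) == 15}

def unexpected_priv15(running_config: str, baseline: set[str]) -> set[str]:
    """Privilege-15 accounts that are not in the known-admin baseline."""
    return priv15_accounts(running_config) - baseline

def web_logins(lines: Iterable[str]) -> list[tuple[str, str]]:
    """(user, source IP) for each successful web UI login found in the log."""
    return [(m.group("user"), m.group("src"))
            for m in (WEBLOGIN_RE.search(ln) for ln in lines) if m]

def suspicious_web_logins(lines: Iterable[str], baseline: set[str],
                          trusted_nets: Iterable[str]) -> list[tuple[str, str]]:
    """Web logins by unknown users or from outside the trusted management ranges."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for user, src in web_logins(lines):
        from_trusted = any(ipaddress.ip_address(src) in n for n in nets)
        if user not in baseline or not from_trusted:
            flagged.append((user, src))
    return flagged

# Constructed sample running-config excerpt and syslog lines (not real data).
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 9 $9$placeholder
username monitor privilege 1 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
"""
SAMPLE_LOG = [
    "Oct 17 03:42:13.101: %SEC_LOGIN-5-WEBLOGINSUCCESS: Login Success [user: netadmin] [Source: 10.0.0.5] at 03:42:13 UTC Tue Oct 17 2023",
    "Oct 17 03:44:01.207: %SEC_LOGIN-5-WEBLOGINSUCCESS: Login Success [user: svc_backup] [Source: 192.0.2.44] at 03:44:01 UTC Tue Oct 17 2023",
    "Oct 17 03:44:09.880: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)",
]

if __name__ == "__main__":
    base = {"netadmin"}
    print("unexpected privilege-15 accounts:", unexpected_priv15(SAMPLE_CONFIG, base))
    print("suspicious web logins:", suspicious_web_logins(SAMPLE_LOG, base, ["10.0.0.0/8"]))
```

Feed it `show running-config` output and the device's syslog export; any account or login it flags should be reconciled against change records before the device is patched and rebooted.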