Cisco zero-day bug allows router hijacking and is being actively exploited

Cisco users' weeks have started badly with a warning that a critical zero-day bug in the networking giant's IOS XE software that allows criminals to hijack devices has been exploited in the wild.

The vulnerability, CVE-2023-20198, received a (im)perfect 10 CVSS severity rating from the networking giant, and Cisco is yet to release a patch.

"Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks," the networking giant said in a Monday security advisory.

"This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access," Cisco added. "The attacker can then use that account to gain control of the affected system."

Cisco says the flaw affects physical and virtual devices running its IOS XE software, with the HTTP or HTTPS Server feature turned on. The networking giant hasn’t published a full list of devices that are at risk.

This means "any switch, router or WLC running IOS XE and has the web UI exposed to the internet is vulnerable," Qualys Threat Research Mayuresh Dani told The Register.

According to Dani, based on Shodan searches, around 40,000 devices have web UI exposed to the internet, and "a majority of those are listening on port 80."

Because there's no patch or workaround, Cisco "strongly recommends" that customers disable this feature on all internet-facing systems. This also echoes guidance from the USA’s Cybersecurity and Infrastructure Security Agency on how to mitigate risk from internet-exposed management interfaces.

"To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode," Cisco’s advisory recommends . "If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature."

A Cisco spokesperson declined to comment on how many customers had been compromised or indicate the source of attacks.

"We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory," the spokesperson told The Register. "Cisco will provide an update on the status of our investigation through the security advisory."

Talos IDs two 'clusters' of activity, starting in September

In a separate blog by its Talos team, Cisco's threat intel and incident response team provided more details about how the malicious activity was detected, and the implant code that the intruders used for persistent access.

The first customer report of strange behaviour happened on September 28, according to Talos, although further investigation found related activity from September 18. This included an authorized user creating a local user account named "cisco_tac_admin" from a suspicious IP address.

But aside from the new user account, Cisco's Technical Assistance Center (TAC) didn't spot any other potentially shady activity.

Later, on October 12, Talos and TAC uncovered a similar intrusion: an unauthorized user creating a local user account with the name "cisco_support" from a different suspicious IP address.

In this case, however, the miscreants also deployed an implant that allows them to execute commands at the system or IOS level. While the implant is not persistent, the newly created user accounts with level 15 privileges (aka complete router control) stay active even after system reboots.

Talos says in some cases, the criminals exploited CVE-2021-1435, which Cisco patched two years ago, to install the implant.

"We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism," Cisco’s threat intel team wrote.

Talos suspects the same intruders carried out both the September and the October incidents.

"The first cluster was possibly the actor's initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant," the team reported.

• Routers have been rooted by Chinese spies, US and Japan warn
• Cisco warns of critical flaw in Emergency Responder code
• Chinese snoops stole 60K State Department emails in that Microsoft email heist
• Cisco spends $28B on data cruncher Splunk in cybersecurity push

Today's advisory comes about a month after Cisco sounded the alarm on another bug under exploit in its IOS and IOS XE software, CVE-2023-20109. A Cisco spokesperson told us that "CVE-2023-20109 is not related to the advisory today."

Also last month, the US and Japan warned that Chinese government spies are targeting Cisco routers and using that access to steal sensitive information.

We don't know who is responsible for the CVE-2023-20198 exploits, but "there is a very wide a range of suspects who would want full admin control and ability to perform remote code execution across Cisco devices," John Gallagher, VP of IoT security shop Viakoo Labs, told The Register.

"However, given the breadth of what this vulnerability could represent, it might be a cyber-criminal organization who is establishing themselves with many networks in order to be in position to sell access or control," Gallagher said. "If we see examples of it being exploited in a public way that might been seen as a form of advertising for such an organized crime group." ®