Cisco has released updates to address a pair of vulnerabilities in its IOS XE software that attackers have been exploiting widely for several days.
One of the vulnerabilities (CVE-2023-20198) was first identified a week ago and Cisco released an advisory warning customers that it was being actively exploited. Threat actors have been exploiting the bug, which is an issue in the web UI, to install malware on target devices. The flaw is exploitable without authentication and enables an attacker to create a new local user account on the device.
The second vulnerability (CVE-2023-20273) emerged during Cisco’s investigation into the original bug, and enables the attacker to gain root privileges.
“Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access,” the Cisco advisory says.
“The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system.”
Cisco has released an update for IOS XE 17.9 to address these vulnerabilities, although there are still several other versions of the software that do not yet have updates available, including 17.6 and 17.3, as well as 16.12, which is specific to the Catalyst 3650 and 3850 switches.
IOS XE runs on many Cisco switches and routers and is widely deployed across many industries. While there are no known workarounds for these vulnerabilities, the main mitigation guidance is to disable the HTTP server in IOS XE, which eliminates the attack vector completely.
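As an added illustration of that guidance (example code written for this article, not Cisco's tooling), the script below audits a saved `show running-config` text for the two web UI listeners and for local accounts that are not on an expected allowlist, since the advisory describes the attacker creating a new local user. The config excerpt and the allowlist are constructed, and the hardening lines it emits are the standard IOS XE commands for turning the HTTP and HTTPS servers off.

```python
import re

# Constructed excerpt of a `show running-config` dump; not captured from any real device.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup secret 9 $9$PLACEHOLDER
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 login local
"""

# Hypothetical allowlist of local accounts that are expected to exist on the device.
KNOWN_USERS = {"netops"}

HTTP_RE = re.compile(r"^ip http server\s*$", re.M)
HTTPS_RE = re.compile(r"^ip http secure-server\s*$", re.M)
# IOS default privilege level for a user without an explicit "privilege N" is 1.
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)

def audit_config(config, known_users=KNOWN_USERS):
    """Report whether the web UI listeners are on and which local users are unexpected."""
    users = {name: int(priv) if priv else 1 for name, priv in USER_RE.findall(config)}
    return {
        "http_server": bool(HTTP_RE.search(config)),
        "secure_server": bool(HTTPS_RE.search(config)),
        "unknown_users": {u: p for u, p in users.items() if u not in known_users},
    }

def hardening_commands(findings):
    """Config-mode commands that disable the listeners the audit found enabled."""
    cmds = []
    if findings["http_server"]:
        cmds.append("no ip http server")
    if findings["secure_server"]:
        cmds.append("no ip http secure-server")
    return cmds

if __name__ == "__main__":
    result = audit_config(SAMPLE_RUNNING_CONFIG)
    for user, priv in result["unknown_users"].items():
        print(f"REVIEW: unexpected local account '{user}' (privilege {priv})")
    for cmd in hardening_commands(result):
        print(f"APPLY : {cmd}")
```

Disabling both listeners also removes the web UI itself, so devices that rely on it for management need an alternative access path before the change is applied.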