Critical Vulnerability Identified in Cisco IOS XE

Vulnerabilities CVE-2023-20198 and CVE-2023-20273

In the realm of cybersecurity, staying updated on the latest vulnerabilities is crucial to keeping our networks and systems safeguarded. Recently, critical vulnerabilities, CVE-2023-20198 and CVE-2023-20273, have been discovered in Cisco IOS XE software, and it's essential that we understand their scope and how we can protect ourselves.
Vulnerability Details: The team at Cisco Talos has disclosed active exploitation of the Cisco IOS XE software. Since its discovery, there has been an observed increase in the number of attackers seeking to exploit this vulnerability. The first evidence of malicious activity was recorded on September 18. For a detailed description of this vulnerability, we invite you to visit the Cisco Talos blog.
A quick analysis on Shodan reveals that there are over 160,000 exposed hosts running HTTP or HTTPS services, with a high incidence in the USA, Chile, and Mexico. This exposure represents a significant risk to the affected networks.

How to Check Your System:

We've prepared a script to help automate the detection of this vulnerability in your devices. You can find the script on GitHub. This script also allows exporting the results to a CSV file for easier reporting.

For example, we took 6 random IPs from the report that Shodan was providing to verify whether the implant exists, and we found that 2 out of 6 devices had the implant present.

Mitigation Steps:

 If your devices are compromised, it's vital to contact Cisco support for specific assistance. Additionally, we recommend taking the following preventative measures:
  1. Disable HTTP/HTTPS Services: If you don't need these services, disable them with the following commands:

    no ip http server
    no ip http secure-server

  2. Configure Access Control Lists (ACLs): Create a standard ACL that permits only the address(es) from which you administer the device. Here's how (the ACL header and the permit entry are separate lines):

    ip access-list standard ALLOW-MGMT-USERS
     permit <YOUR IP FROM WHERE YOU WILL ADMINISTER>

  3. Apply the ACL: Assign the ACL to the VTY lines and to the HTTP service (if it must stay enabled) with these commands:

    line vty 0 15
     access-class ALLOW-MGMT-USERS in vrf-also
    !
    ip http access-class ipv4 ALLOW-MGMT-USERS

  4. Share the Information: It's vital to keep other network administrators informed about this vulnerability. Share this information and help strengthen the security of our digital community.

Remember, prevention and timely action are our best defenses against cyber threats. Stay safe!
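To check whether the three hardening steps above have actually landed on a device, here is an added example (not the GitHub script mentioned in this post, and not Cisco's code) that audits a saved `show running-config` for the exact commands listed in steps 1 to 3 and writes the verdicts to CSV, in the spirit of the CSV reporting the post describes. It assumes the ACL is named `ALLOW-MGMT-USERS` as above; the two sample configurations and the hostnames in them are constructed for illustration.

```python
"""Audit Cisco IOS XE running-configs for the web UI mitigations described above.

Added example: checks steps 1-3 (HTTP/HTTPS disabled, management ACL defined,
ACL applied to VTY lines and to the HTTP service) and emits a CSV report.
"""
import csv
import io
import re
import sys

# ACL name used in the mitigation steps of the post (assumption: you kept it).
MGMT_ACL = "ALLOW-MGMT-USERS"

# Constructed sample: web UI on, no ACL anywhere (the risky state).
WEAK_CONFIG = """\
!
hostname edge-router-1
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

# Constructed sample: the three mitigation steps applied as written above.
HARDENED_CONFIG = """\
!
hostname edge-router-2
!
no ip http server
no ip http secure-server
!
ip access-list standard ALLOW-MGMT-USERS
 permit 192.0.2.10
!
ip http access-class ipv4 ALLOW-MGMT-USERS
!
line vty 0 15
 access-class ALLOW-MGMT-USERS in vrf-also
 transport input ssh
!
end
"""


def parse_blocks(config_text):
    """Split an IOS-style config into (header, [child lines]) blocks.

    A line with no leading whitespace starts a block; indented lines belong to
    the most recent header. Blank lines and '!' comment lines are skipped.
    """
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config_text, acl_name=MGMT_ACL):
    """Return a dict of findings for one device's running-config."""
    blocks = parse_blocks(config_text)
    headers = [h for h, _ in blocks]

    # Step 1: 'no ip http server' shows up as its own line, so an exact match
    # on the enabling form tells us whether the service is still on.
    http_enabled = "ip http server" in headers
    https_enabled = "ip http secure-server" in headers

    # Step 2: the ACL must exist and contain at least one permit entry.
    acl_permits = []
    for header, children in blocks:
        if header == f"ip access-list standard {acl_name}":
            acl_permits += [c for c in children if c.startswith("permit ")]

    # Step 3a: every 'line vty' block needs 'access-class <ACL> in' (vrf-also optional).
    acl_re = re.compile(rf"access-class {re.escape(acl_name)} in\b")
    vty_unprotected = [
        header for header, children in blocks
        if header.startswith("line vty") and not any(acl_re.match(c) for c in children)
    ]

    # Step 3b: the HTTP service, if kept, must carry the ACL too.
    http_acl_applied = f"ip http access-class ipv4 {acl_name}" in headers

    findings = {
        "http_server_enabled": http_enabled,
        "https_server_enabled": https_enabled,
        "mgmt_acl_defined": bool(acl_permits),
        "http_acl_applied": http_acl_applied,
        "vty_lines_without_acl": vty_unprotected,
    }
    # The condition the post warns about: web UI reachable with no ACL in front of it.
    findings["web_ui_exposed"] = (http_enabled or https_enabled) and not http_acl_applied
    findings["compliant"] = (
        not findings["web_ui_exposed"] and not vty_unprotected and bool(acl_permits)
    )
    return findings


CSV_FIELDS = ["host", "http_server_enabled", "https_server_enabled", "mgmt_acl_defined",
              "http_acl_applied", "vty_lines_without_acl", "web_ui_exposed", "compliant"]


def write_csv(results, fileobj):
    """Write one CSV row per host from {host: findings}; returns the row count."""
    writer = csv.DictWriter(fileobj, fieldnames=CSV_FIELDS)
    writer.writeheader()
    for host, f in results.items():
        row = {"host": host, **f}
        row["vty_lines_without_acl"] = ";".join(f["vty_lines_without_acl"])
        writer.writerow(row)
    return len(results)


def csv_report(results):
    """Same as write_csv, but returns the report as a string."""
    buf = io.StringIO()
    write_csv(results, buf)
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: replace the constructed samples with files saved from 'show running-config'.
    results = {
        "edge-router-1": audit_config(WEAK_CONFIG),
        "edge-router-2": audit_config(HARDENED_CONFIG),
    }
    write_csv(results, sys.stdout)
```

The audit is deliberately conservative: any `line vty` block without the `access-class ... in` entry is reported, and a device is only marked compliant when the web UI is either disabled or behind the ACL and the VTY lines are restricted as well. Treat a `web_ui_exposed` result as a prompt to apply step 1 or step 3, not as proof of compromise; the implant check itself is a separate step.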


