THREAT SEVERITY: CRITICAL

Critical Cisco IOS XE Privilege Escalation Vulnerability (CVE-2023-20198)—by Moon Treader

Moon Treader | June 4, 2024


Introduction:  

A serious vulnerability, tracked as CVE-2023-20198, has been discovered in Cisco IOS XE, the operating system that runs on many Cisco routers and switches. IOS XE ships with a web UI used to configure and manage those devices, and the flaw lies in that web UI. It allows an unauthenticated, remote attacker to create an account on the device with elevated privileges, and that account can then be used to take full control of the affected system.

Vulnerability Trigger:  

The vulnerability is present in the IOS XE web UI. It allows a remote, unauthenticated attacker to create an account on a vulnerable device with privilege level 15 (the highest IOS XE privilege level), which the attacker can then use to take control of the compromised system. The vulnerability was actively exploited in the wild before a fix was available, and threat actors were observed using the new account to install an implant that gave them command execution on the device. The implant is not persistent across a reboot, so its presence indicates a recent or ongoing compromise, not the full history of the device.

To check whether a device currently carries the implant, Cisco's advisory (linked below) describes a POST request to the device's web UI. If the device answers with a 200 status code and the body is an 18-character hexadecimal string, the implant is present. A device that answers normally can still have been exploited earlier, so the check should be combined with a review of the configuration for privilege-15 user accounts that no one on the team created.

Threat Severity:  

As per Vehere’s threat severity scale, which classifies threats into low, medium, high, and critical categories, this threat falls under the category of Critical.  

Recommendation:  

Moon Treader, Vehere’s security research wing, has developed an in-house detection rule for the Vehere AI Network Security solution, “TI06165 Cisco IOS XE Software WebUI Vulnerability CVE-2023-20198”, which detects the implant. The research wing also recommends patching affected systems and applying the workarounds suggested by Cisco.  

Cisco has created an advisory for the vulnerability and has provided recommendations for mitigating it. Click on the following link for more details:  

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Vehere AI Network Security:   

Vehere AI Network Security is a unified solution of Network Detection & Response and Network Forensics.  

  • Network Detection & Response: Detects abnormal system behaviors by leveraging behavioral analytics/AI-ML. It detects and contains post-breach activity such as ransomware, APTs, insider threats, or lateral movements.  
  • Network Forensics: Supports security incident response and investigation of the source of an incident; analyzes and reconstructs attack timelines and provides evidence for legal proceedings.  

Vehere has also been included under ‘Example of NDR Vendors’ in two 2023 Gartner® reports: Emerging Tech: Top Use Cases for Network Detection and Response and Emerging Tech: Security—Adoption Growth Insights for Network Detection and Response.  

Conclusion:  

The threat landscape keeps evolving, and Vehere’s security research wing, Moon Treader, is actively investigating and developing detection content on a regular basis. The team will continue to monitor the latest developments in the cyberthreat landscape and keep upgrading its detection capabilities to improve the security posture of Vehere’s customers. The team recommends that users install the necessary patches and keep their software up to date.  

Reference:  

https://nvd.nist.gov/vuln/detail/CVE-2023-20198

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
