On Monday, Cisco sounded the alarm, warning that attackers are actively exploiting a previously unknown vulnerability in part of its software. The company's threat-intelligence division, Talos, published a detailed report describing how this critical vulnerability, tracked as CVE-2023-20198, came to light.
Rated with the maximum CVSS score of 10, the flaw could "grant an attacker full administrator privileges, allowing them to effectively take full control of the affected router and enabling potential illicit activities." The flaw lies in the Web UI feature of Cisco IOS XE software, a component intended to simplify deployment, management, and the user experience. Both physical and virtual devices running this software are affected.
In its response, Cisco is urging customers to disable the HTTP Server feature on all internet-facing systems. The Cybersecurity and Infrastructure Security Agency (CISA) echoed the same precautionary measures on Monday. Neither a workaround nor an official patch is currently available. Of particular concern, the vulnerability lets attackers create an account on the compromised device and thereby take full control of it.
The vulnerability came to light while Cisco was handling a series of support cases in which customers reported being attacked. The first case surfaced on September 28, and subsequent investigation uncovered related activity dating back to September 18.
Cisco's Talos Incident Response division recorded related activity last week, and the advisory was published on Monday. The company noted that the affected cases make up a very small fraction of its daily case volume. Researchers believe the activity observed in September and October may be the work of the same actor, suggesting an escalating campaign.
Notably, after exploiting the new vulnerability, the attackers went on to leverage an older bug, CVE-2021-1435. Devices already patched against that older vulnerability were nonetheless compromised by a technique that has not yet been identified. Administrators should therefore watch closely for unexpected or newly created user accounts, which may indicate malicious activity linked to this campaign.
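As an added illustration of the two checks above (it is not code from Cisco or Talos), here is a Python audit of a constructed `show running-config` excerpt: it reports whether the Web UI's HTTP server is still enabled (the `ip http server` / `ip http secure-server` lines are the standard IOS XE commands, assumed here) and lists local `username` accounts that are not in an operator-maintained allow-list.

```python
"""Audit an IOS XE running-config for the two points the advisory raises:
is the Web UI's HTTP server still enabled, and which local accounts exist
that nobody provisioned on purpose."""
import re

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructedhash
username svc_backup_9x privilege 15 secret 9 $9$anotherconstructedhash
!
ip http server
no ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
end
"""

# Accounts the operator knows were created (assumption: kept out of band).
EXPECTED_USERS = {"netops"}


def audit_config(config_text, expected_users):
    """Derive findings from the running-config lines only."""
    http_server = False
    https_server = False
    users = []
    for raw in config_text.splitlines():
        line = raw.strip()
        # The bare command enables the server; `no ip http ...` is the disabled form.
        if line == "ip http server":
            http_server = True
        elif line == "ip http secure-server":
            https_server = True
        m = re.match(r"username (\S+)", line)
        if m:
            users.append(m.group(1))
    return {
        "web_ui_exposed": http_server or https_server,
        "http_server": http_server,
        "https_server": https_server,
        "local_users": users,
        "unexpected_users": [u for u in users if u not in expected_users],
    }


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG, EXPECTED_USERS).items():
        print(f"{key}: {value}")
```

Run it against a real `show running-config` capture and an allow-list you maintain; any account it flags deserves an explanation before the device is trusted again.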
John Gallagher of Viakoo Labs and other experts linked this vulnerability to another one disclosed on October 2. Gallagher stressed that administrators need thorough knowledge of their systems, particularly while no patch is available.
Mayuresh Dani of Qualys also pointed out that Cisco has not listed the affected devices. He concluded that any device, whether switch, router, or wireless LAN controller, that runs IOS XE and exposes the web user interface to the internet is at risk. Dani's research suggests that roughly 40,000 Cisco devices with the web UI are reachable from the internet, underscoring the urgent need for administrators to act to protect these devices.