Cisco addresses vulnerabilities in IOS XE network devices

In mid-October the discovery of two caused a stir zero-day vulnerability across a wide range of Cisco-branded devices. These are the products based on IOS XE, an operating system designed and developed for use on routers, switches and firewalls from the same company. Cisco IOS XE represents an advanced and evolved version of the Cisco IOS operating system (Internetwork Operating System), which has been used in the company’s networking devices for many years.

What is Cisco IOS XE and what is it for

Cisco IOSmodular architecture which allows you to run network functions on independent software modules, known as “container“. The system offers a wide range of services and network functionality advanced, including routing, switching, security, performance management, QoS (Quality of Service) and more. The platform is heavily performance-oriented, such that it can handle higher networking workloads while still delivering performance e scalability elevate.

IOS XE also supports virtualization technologies come Virtual Device Context (VDC) e Virtual Route Forwarding (VRF), allowing you to create separate, virtual network environments on a single physical device. Dedicated management tools simplify automation in network configuration.

Cisco security patches for a couple of really dangerous vulnerabilities

With the publication of an “ad hoc” bulletin, Cisco confirmed today that it has resolved two security vulnerabilities which in recent days groups of cyber criminals have used to access IOS XE devices and take full control of them. These are gaps marked by identifiers CVE-2023-20198 e CVE-2023-20273: to confirm the seriousness of the problem, the first one is assigned a score of 10 out of a maximum of 10.

The installation of the corrective updates it is strongly recommended at this point. As Cisco technicians themselves confirm, the CVE-2023-20198 vulnerability can be exploited to take possession of IOS XE devices through their graphical administration interface (Web UI) e create a new local user together with a password.

On Cisco devices, i permissions relating to the various commands are divided with a level structure ranging from 0 to 15. The level 0 provides the possibility of using only 5 basic commands such as “logout”, “enable”, “disable”, “help” and “exit” while level 15 allows control of the device without any type of limitation. Cisco reveals vulnerability CVE-2023-20198 allows acquisition user privileges level 15with all that entails.

The company’s spokespersons also explain that the two vulnerabilities (the second allows you to assign the directly root to the new user and to modify the file system) can possibly be exploited if and only if the interface Web UI (HTTP server) is enabled. Otherwise, the attack cannot be successful.

The history of the vulnerability on IOS

Cisco revealed the existence of the CVE-2023-20198 flaw on October 16, presenting it as a zero-day already used by malicious users. Since then, security researchers have started looking compromised devices. A initial scan revealed around 10,000 vulnerable devices connected to the public network and already attacked by cyber criminals. The number quickly grew to over 40,000 in just a few days. On October 20, Cisco revealed the second zero-day exploited in the same campaign to hire the complete control of systems running IOS XE software.

Over the past weekend, however, researchers noticed a sharp decline in the number Cisco IOS XE host is compromised. In just a few hours, it suddenly went from around 60,000 affected hosts to just a few hundred.

It is not clear what caused the mysterious and sudden drop, also because a patch did not exist until a few days ago. According to some experts, the attackers may have distributed an update for hide their presence and malicious code in various network devices. In this way the Cisco IOS XE devices would no longer be visible at the scanning level.

Other theories link the sudden drop to the action of a hacker grey-hat which would automatically reboot infected devices to protect them from attackers.

The opening image is taken from this page published on the official Cisco website.


Please enter your comment!
Please enter your name here