Thousands of devices were infected with a malicious Lua backdoor thanks to a Cisco Zero-Day exploit.

Cisco Zero-Day

Cisco has alerted users to a fresh zero-day vulnerability in IOS XE that has been actively used by an unidentified threat actor to install a malicious Lua-based implant on vulnerable devices.

The issue, tracked as CVE-2023-20273 (CVSS score: 7.2), is a privilege escalation flaw in the web UI feature and is suspected of being used in conjunction with CVE-2023-20198 (CVSS score: 10.0) as part of an exploit chain. “The attacker first abused CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination,” Cisco said in a revised advisory released on Friday. “This allowed the user to log in with normal user access.”

The vulnerability has been given the identifier CVE-2023-20273. “The perpetrator then exploited another part of the web UI feature, employing the new local user to elevate privilege to root and write the implant to the file system.”

Customers will be able to access the fix for both vulnerabilities as of October 22, 2023, according to a Cisco representative who spoke with The Hacker News. In the interim, it is advised to disable the HTTP Server feature (which serves the web UI) on affected devices.
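The chain described above leaves two things a defender can look for in a device's running configuration: the web UI's HTTP server still enabled (the interim mitigation is to turn it off) and a local privilege 15 account that nobody provisioned. The script below is an added example written for this post, not Cisco's own tooling; the configuration excerpt, the account names and the `KNOWN_ADMINS` baseline are all constructed for illustration.

```python
import re

# Constructed IOS XE running-config excerpt (not captured from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username netadmin privilege 15 secret 9 $9$placeholder
username webadm1n privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input ssh
"""

# Baseline of accounts the operator knows about (constructed for this example);
# any other privilege 15 local user deserves a closer look.
KNOWN_ADMINS = {"netadmin"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)


def http_server_enabled(config: str) -> dict:
    """Report whether the HTTP / HTTPS server backing the web UI is on.

    A line starting with 'no ' (e.g. 'no ip http server') does not match the
    anchored pattern, so it correctly counts as disabled.
    """
    enabled = {}
    for feature in ("ip http server", "ip http secure-server"):
        enabled[feature] = re.search(rf"^{re.escape(feature)}\s*$", config, re.M) is not None
    return enabled


def unexpected_privilege15_users(config: str, known: set) -> list:
    """Return local accounts at privilege 15 that are not in the known baseline."""
    return [user for user, level in USER_RE.findall(config) if level == "15" and user not in known]


def audit(config: str, known: set = KNOWN_ADMINS) -> list:
    """Produce one finding per exposed web UI feature and per unexpected admin account."""
    findings = []
    for feature, on in http_server_enabled(config).items():
        if on:
            findings.append(f"web UI exposed: '{feature}' is enabled; mitigation is 'no {feature}'")
    for user in unexpected_privilege15_users(config, known):
        findings.append(f"unexpected privilege 15 account: {user}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` from each device and compare the privilege 15 list against your change records; an account you cannot account for is a reason to treat the device as compromised rather than just unpatched.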

While Cisco had previously mentioned that a now-patched security flaw in the same software (CVE-2021-1435) had been exploited to install the backdoor, the company assessed the vulnerability to be no longer associated with the activity in light of the discovery of the new zero-day.

“These vulnerabilities could be used by an unauthenticated remote actor to take over an affected system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated. “Specifically, these weaknesses allow the attacker to create an elevated account that provides full command over the device.” If the bugs are successfully exploited, attackers might be able to gain unfettered remote access to routers and switches, monitor network traffic, inject and redirect network traffic, and use the devices as a persistent beachhead into the network, owing to the lack of protection solutions for these devices.

This development coincides with data from Censys and LeakIX indicating that threat actors have likely exploited the two security flaws to compromise over 41,000 Cisco devices running the susceptible IOS XE software.

Cisco has officially released software updates to address the two actively exploited security flaws for Cisco IOS XE software release train 17.9, with fixes for versions 17.6, 17.3, and 16.12 in the works. Additional release information can be accessed here.
