Number: AL23-016
Date: October 18, 2023
Updated: November 1, 2023
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
On October 16, 2023, Cisco reported (Footnote 1, Footnote 2) that a critical zero-day privilege escalation vulnerability in the web UI of routers, switches and wireless controllers running IOS XE is being remotely exploited to gain privileged access.
This vulnerability is tracked as CVE-2023-20198 and carries the maximum CVSS rating of 10.0 (Footnote 3).
Open-source reporting indicates that thousands of online, vulnerable devices have been compromised (Footnote 4, Footnote 5, Footnote 6).
This Alert is being published to raise awareness of this activity, to highlight the potential impact to organizations and to provide guidance for organizations that may be impacted by this malicious activity.
Update 1
On October 22, 2023, Cisco updated their advisory (Footnote 1) to indicate that the first updates are now available for some versions of IOS XE software. Cisco has also published a Software Fix Availability document to aid in identifying affected products and the dates when fixed images will be available for download (Footnote 9).
On October 20, 2023, Cisco also updated their advisory (Footnote 1) to highlight an additional vulnerability exploited by malicious actors. After successfully exploiting CVE-2023-20198 to gain initial access to vulnerable devices, threat actors were observed exploiting CVE-2023-20273 to elevate their privileges in order to write a backdoor to the device.
The Cyber Centre recommends organizations continue to monitor the Cisco advisory and blog (Footnote 1, Footnote 2) as well as the Software Fix Availability document (Footnote 9) for additional updates to aid in the remediation of these vulnerabilities.
Update 2
On October 23, Cisco Talos updated their blog post (Footnote 2) to advise that an updated version of the backdoor, which now includes a preliminary check of the HTTP Authorization header, has been observed. Talos speculates that this header check has likely been added as a reactive measure to hinder the ability to identify affected devices.
This updated backdoor shares most of its core functionality with the original backdoor, and Talos believes it has been in use since October 20. To assist in the detection of the new backdoor, Talos has updated their blog with additional guidance to help detect the presence of either variant (Footnote 2).
The successful exploitation of this vulnerability allows a malicious actor to gain "level 15" (administrative) access to the device. With this access, the malicious actor can then collect configuration information, create additional administrative accounts, and leverage another vulnerability (CVE-2023-20273) to run arbitrary code on the device with elevated privileges.
The Cyber Centre is aware that Canadian organizations have been impacted by both the original and updated backdoor. The Cyber Centre strongly encourages all organizations to review their network environments, identify potentially impacted devices and follow the suggested actions below.
Update 3
Between October 27 and October 31, 2023, Cisco updated their advisory (Footnote 1) to highlight additional patches being made available for devices vulnerable to CVE-2023-20198 and CVE-2023-20273.
On October 28, 2023, proof-of-concept code was published in open sources, along with reports of additional activity targeting the vulnerabilities. Any organization with continued external-facing access to the vulnerable services should assume full device compromise. Malicious activity impacting these devices may result in internal network access, and organizations are encouraged to begin cyber incident response activities (Footnote 7).
Suggested actions
The Cyber Centre recommends organizations:
- Follow Cisco Talos' guidance and mitigation from their Threat Advisory Blog (Footnote 2).
- Prioritize reviewing devices that are exposed to the internet and are critical to your organization.
- Leverage available centralized logging tools to review account creation activity.
- Immediately patch affected systems when updates addressing this vulnerability become available.
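One way to carry out the account-creation review above from a central log store, as an added example that is not part of this Alert or of Cisco's guidance: it parses IOS XE syslog lines, flags local account changes recorded by %PARSER-5-CFGLOG_LOGGEDCMD (only emitted when configuration change logging is enabled on the device), and escalates any that follow a configuration change made through the web UI process shortly before. The sample log lines are constructed, and the web UI process name SEP_webui_wsma_http in %SYS-5-CONFIG_P messages is an assumption about the device's logging rather than something the Alert states.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the Alert or a real device). The
# %SYS-5-CONFIG_P and %PARSER-5-CFGLOG_LOGGEDCMD formats are standard IOS XE
# syslog messages; the latter requires "archive / log config / logging enable".
SAMPLE_LOGS = [
    "Oct 17 2023 02:11:05 edge-rtr-01 12345: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "Oct 17 2023 02:11:06 edge-rtr-01 12346: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username svc-backup privilege 15 secret ******",
    "Oct 17 2023 03:41:03 edge-rtr-01 12351: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username helpdesk privilege 1 secret ******",
    "Oct 17 2023 03:41:09 edge-rtr-01 12352: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/0/1",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
ACCOUNT_RE = re.compile(r"^username (?P<name>\S+)(?P<rest>.*)$")

def parse(line):
    """Split one IOS XE syslog line into timestamp, host, mnemonic and text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    return ev

def review_account_activity(lines, window=timedelta(minutes=10)):
    """Return (host, timestamp, severity, description) for each finding."""
    findings, last_webui = [], {}  # last_webui: host -> time of last web UI config change
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        host, ts = ev["host"], ev["ts"]
        if ev["mnemonic"] == "SYS-5-CONFIG_P" and "SEP_webui_wsma_http" in ev["text"]:
            last_webui[host] = ts
            findings.append((host, ts, "medium", "config change via web UI process"))
            continue
        cmd = CMD_RE.search(ev["text"]) if ev["mnemonic"] == "PARSER-5-CFGLOG_LOGGEDCMD" else None
        acct = ACCOUNT_RE.match(cmd["cmd"]) if cmd else None
        if not acct:
            continue  # not an account change (e.g. interface config)
        sev = "high" if "privilege 15" in acct["rest"] else "medium"
        if host in last_webui and timedelta(0) <= ts - last_webui[host] <= window:
            sev = "critical"  # account change right after a web UI driven change
        findings.append((host, ts, sev, f"account {acct['name']} configured by {cmd['user']}"))
    return findings
```

Feed it the exported syslog for the devices identified as exposed; any "critical" finding deserves the incident response steps described under Update 3.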
The Cyber Centre wishes to highlight that remediation following the compromise of systems by competent threat actors may require more than simply mitigating individual issues, systems and servers. The Cyber Centre recommends affected customers review the Cyber Centre joint cybersecurity advisory on technical approaches to uncovering and remediating malicious activity (Footnote 7).
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions (Footnote 8) with an emphasis on the following topics:
- Consolidate, monitor, and defend internet gateways
- Isolate web-facing applications
If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.