Alert - Vulnerability impacting Cisco devices (CVE-2023-20198) - Update 3

Number: AL23-016
Date: October 18, 2023
Updated: November 1, 2023

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On October 16, 2023, Cisco reported (Footnote 1, Footnote 2) that a critical, 0-day privilege escalation vulnerability in the web UI of routers, switches and wireless controllers running IOS XE is being remotely exploited to gain privileged access.

This vulnerability is tracked under CVE-2023-20198 and has the maximum CVSS severity rating of 10.0 (Footnote 3).

Open source reporting indicates that thousands of internet-exposed, vulnerable devices have been compromised (Footnote 4, Footnote 5, Footnote 6).

This Alert is being published to raise awareness of this activity, highlight the potential impact to organizations and to provide guidance for organizations who may be impacted by this malicious activity.

Update 1

On October 22, 2023, Cisco updated their advisory (Footnote 1) to indicate that the first updates are now available for some versions of IOS XE software. Cisco has also published a Software Fix Availability document to aid in the identification of affected products and the date when the images will be available for download (Footnote 9).

On October 20, 2023, Cisco also updated their advisory (Footnote 1) highlighting an additional vulnerability that was exploited by malicious actors. After successfully exploiting CVE-2023-20198 to gain initial access on vulnerable devices, threat actors were observed exploiting CVE-2023-20273 to elevate their privileges in order to write a backdoor to the device.

The Cyber Centre recommends organizations continue to monitor the Cisco advisory and blog (Footnote 1, Footnote 2) as well as the Software Fix Availability document (Footnote 9) for additional updates to aid in the remediation of these vulnerabilities.

Update 2

On October 23, Cisco Talos updated their blog post (Footnote 2) to advise that an updated version of the backdoor, which now includes a preliminary check of the HTTP Authorization header, has been observed. Talos speculates that this header check has likely been added as a reactive measure to hinder the ability to identify affected devices.

This updated backdoor shares most of its core functionality with the original backdoor, and Talos believes it has been in use since October 20. To assist in the detection of the new backdoor, Talos has updated their blog with additional guidance to help detect the presence of either variant (Footnote 2).

The successful exploitation of this vulnerability allows a malicious actor to gain "level 15" (administrative) access to the device. With this access, the malicious actor can then collect configuration information, create additional administrative accounts, and leverage another vulnerability (CVE-2023-20273) to run arbitrary code on the device with elevated privileges.

The Cyber Centre is aware that Canadian organizations have been impacted by both the original and updated backdoor. The Cyber Centre strongly encourages all organizations to review their network environments, identify potentially impacted devices and follow the suggested actions below.

Update 3

Between October 27 and October 31, 2023, Cisco updated their advisory (Footnote 1) to highlight additional patches being made available for devices vulnerable to CVE-2023-20198 and CVE-2023-20273.

On October 28, 2023, proof of concept code was published in open sources, along with reports of additional activity targeting the vulnerabilities. Any organization whose vulnerable services remain reachable from external networks should assume full device compromise. Malicious activity impacting these devices may result in internal network access, and organizations are encouraged to begin cyber incident response activities (Footnote 7).

Suggested actions

The Cyber Centre recommends organizations:

  • Follow Cisco Talos’ guidance and mitigation from their Threat Advisory Blog (Footnote 2).
  • Prioritize reviewing devices that are exposed to the internet and are critical to your organization.
  • Leverage available centralized logging tools to review account creation activity.
  • Immediately patch affected systems when updates addressing this vulnerability become available.
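As an added example of the account-creation review recommended above (this code is not part of the Alert or of Cisco's guidance), the Python below scans constructed syslog lines in the style of IOS XE configuration-change logging (%PARSER-5-CFGLOG_LOGGEDCMD messages, emitted when config logging is enabled) and flags "username" commands that grant privilege 15 to an account the change process did not expect, or that were issued by an unexpected operator. The hostnames, account names and allow-lists are assumptions for illustration.

```python
import re

# Constructed sample syslog lines in the style of IOS XE configuration-change
# logging (%PARSER-5-CFGLOG_LOGGEDCMD, emitted when "log config" is enabled
# under "archive"). Illustrative only; not captured from a real device.
SAMPLE_LOGS = [
    "Oct 18 03:12:44 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/0/1",
    "Oct 18 03:15:02 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco_tac_admin  logged command:username cisco_support privilege 15 secret *****",
    "Oct 19 11:40:11 core-sw2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username backup-oper privilege 1 secret *****",
    "Oct 20 08:02:37 core-sw2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username ops-admin privilege 15 secret *****",
]

# Assumed allow-lists: accounts expected at privilege 15, and operators allowed to issue "username" commands.
EXPECTED_ADMIN_ACCOUNTS = {"ops-admin"}
EXPECTED_OPERATORS = {"netops"}

LOGGED_CMD = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<actor>\S+)\s+logged command:(?P<cmd>.*)$"
)
USERNAME_CMD = re.compile(r"^username (?P<account>\S+)(?P<rest>.*)$")
PRIV_15 = re.compile(r"\bprivilege 15\b")

def review_account_activity(lines, expected_admins, expected_operators):
    """Return one finding per 'username' command that creates an unexpected privilege-15 account or comes from an unexpected operator."""
    findings = []
    for line in lines:
        m = LOGGED_CMD.match(line)
        if not m:
            continue  # not a config-change log line
        u = USERNAME_CMD.match(m["cmd"].strip())
        if not u:
            continue  # config change, but not an account command
        reasons = []
        if PRIV_15.search(u["rest"]) and u["account"] not in expected_admins:
            reasons.append("unexpected privilege-15 account")
        if m["actor"] not in expected_operators:
            reasons.append("unexpected operator")
        if reasons:
            findings.append({"host": m["host"], "time": m["ts"], "actor": m["actor"],
                             "account": u["account"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_account_activity(SAMPLE_LOGS, EXPECTED_ADMIN_ACCOUNTS, EXPECTED_OPERATORS):
        print(f)
```

Each finding is a lead for the incident response process described below, not a confirmation of compromise on its own; a privilege 15 account created outside the normal change window is the behaviour this Alert describes.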

The Cyber Centre wishes to highlight that mitigation efforts resulting from the compromise of systems by competent threat actors may require more than simply mitigating individual issues, systems and servers. The Cyber Centre recommends affected customers review the Cyber Centre joint cybersecurity advisory on technical approaches to uncovering and remediating malicious activity (Footnote 7).

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions (Footnote 8) with an emphasis on the following topics:

  • Consolidate, monitor, and defend internet gateways
  • Isolate web-facing applications

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
