Reveal(x) Threat Briefing Helps Users Find Cisco IOS XE Vulnerability

ExtraHop has released a new Threat Briefing in Reveal(x) that gives users visibility into a critical vulnerability in the Cisco IOS XE networking software. This vulnerability allows attackers to gain top-level administrative access to targeted networks.

Cisco gave the zero-day vulnerability, CVE-2023-20198, the maximum severity rating because it allows attackers to bypass authentication and install malware on Cisco devices. Combined with another IOS XE vulnerability, the 20198 vulnerability could allow attackers to monitor network traffic, launch man-in-the middle attacks, and gain access to company networks.

Threat Briefing for Cisco IOS XE Identifies Vulnerable Devices

The Threat Briefing shows users how to run queries for vulnerable Cisco IOS devices receiving external traffic.

Released two days after Cisco’s alert and four days before the company issued a patch, the Threat Briefing also describes how to run records queries for HTTP POST connection requests with indicators of compromise. Security teams can then see if an analyst or attacker might be scanning their network for malware on vulnerable devices. An updated Threat Briefing also points to Cisco’s recent patch.

Some security researchers, including internet scanning service provider ONYPHE, found more than 50,000 switches, routers, and other Cisco devices that were compromised in the days following an Oct. 16 alert from Cisco. Before issuing a patch on Oct. 22, Cisco advised customers to disable the HTTP server feature on internet-facing devices running IOS XE.

How the Cisco IOS XE Vulnerability Allows Attackers to Take Control of Devices

When first discovered, the CVE-2023-20198 vulnerability allowed attackers to gain initial access to Cisco devices and issue a command to create a local user and password combination. This allowed the newly created user to log in with normal access, Cisco said.

Attackers are then able to exploit a second zero-day vulnerability, CVE-2023-20273, by leveraging the new local user to hijack the device and implant malware. The exploit of the second vulnerability allows the attacker to run arbitrary commands with root privileges, “thereby effectively taking full control of the device,” the Cisco Talos Intelligence Group wrote in an Oct. 16 blog post.

The Cisco Talos team said it was confident that the attacks using these two vulnerabilities are being carried out by the same threat actor. In the Oct. 16 blog post, the Talos team also described the implanted malware as based on the Lua programming language and consisting of 29 lines of code that facilitate the execution of arbitrary commands.

Shortly before Cisco issued a patch for both of the IOS XE vulnerabilities, researchers scanning for compromised devices saw the number suddenly drop from tens of thousands to hundreds. ONYPHE suggested that attackers may have updated the implanted malware to hide it from security teams.

Because the Threat Briefing for the Cisco IOS XE vulnerability focuses on vulnerable devices and connection requests, it gives users visibility into a possible threat even if attackers attempt to hide the implanted malware.