Synopsis: Cisco announced on 10/17/2023 (yesterday, at the time of writing) a vulnerability in devices running IOS XE, tracked as CVE-2023-20198, which threat groups have allegedly been exploiting since September.
It is essential to note that a patch has yet to be released for remediation. The vulnerability allows an attacker to execute arbitrary code that creates an account with the highest possible privilege level. An explicit list of affected systems also remains unavailable; a review of Cisco's literature shows the following product families as running IOS XE:
- Enterprise switches
- Wireless controllers
- Access points
- Aggregation routers
- Branch routers
- Industrial routers
- Virtual routing
- Converged broadband routers
Actions: The current industry recommendation for remediation is that the HTTP Server feature be disabled on all internet-facing systems.
- To disable the HTTP Server feature, use the "no ip http server" or "no ip http secure-server" command in global configuration mode.
- If both the HTTP and HTTPS servers are in use, both commands are required to fully disable the HTTP Server feature.
After implementing the changes, use the "copy running-configuration startup-configuration" command to save the running configuration. This ensures that the changes are not reverted in the event of a system reload.
It is further recommended that, where possible, monitoring rules be put in place to detect the creation of new accounts on affected devices.
Fortified recommends that any system changes be documented for roll-back operations should this change result in service interruptions. Additionally, it is recommended that all changes be tested before applying said changes throughout the environment.
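Two defensive checks that support the actions above, written here as an added example and not part of the original advisory or of any Cisco tooling: the first audits an exported running-config for the HTTP Server lines the mitigation says to remove, and the second scans syslog for configuration changes that create or modify a privilege-15 local user, which is the account-creation monitoring recommended above. The %PARSER-5-CFGLOG_LOGGEDCMD message format is what IOS configuration-change logging ("archive" / "log config") emits, and that logging is assumed to be enabled; the hostname, usernames, IP address, timestamps and secrets in the samples are constructed.

```python
"""Offline checks against exported Cisco IOS XE artifacts (added example).

1. audit_http_server(config_text): reports whether 'ip http server' and
   'ip http secure-server' are still enabled in a running-config.
2. find_privileged_account_changes(syslog_lines): returns every logged
   configuration command that sets a local user to privilege 15.

All sample data below is constructed for illustration.
"""
import re

# Both features must be disabled ('no ...') for the mitigation to be complete.
HTTP_SERVER_LINES = ("ip http server", "ip http secure-server")

# IOS configuration-change logging message; two spaces after the user are normal.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)
# 'username <name> ... privilege 15 ...' creates or elevates a fully privileged user.
PRIV15_USER_RE = re.compile(r"^username\s+(?P<account>\S+)\s+.*\bprivilege\s+15\b")

# Constructed running-config with the weak setting still present.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$constructed
"""

# Constructed running-config after the mitigation has been applied.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
username netops privilege 15 secret 9 $9$constructed
"""

# Constructed syslog lines; one privilege-15 account creation by an unexpected user.
SAMPLE_SYSLOG = [
    "Oct 17 03:12:44.101: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (198.51.100.7)",
    "Oct 17 03:12:45.302: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/0/1",
    "Oct 17 03:14:02.007: %PARSER-5-CFGLOG_LOGGEDCMD: User:webui  logged command:username svc-backup privilege 15 secret 9 $9$constructed",
    "Oct 17 03:14:02.550: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username readonly privilege 1 secret 9 $9$constructed",
]


def audit_http_server(config_text: str) -> dict:
    """Map each HTTP server feature to True if the config leaves it enabled."""
    enabled = {name: False for name in HTTP_SERVER_LINES}
    for raw in config_text.splitlines():
        line = raw.strip()
        for name in HTTP_SERVER_LINES:
            if line == name:
                enabled[name] = True
            elif line == f"no {name}":
                enabled[name] = False
    return enabled


def mitigation_complete(config_text: str) -> bool:
    """True only when neither HTTP nor HTTPS server is enabled."""
    return not any(audit_http_server(config_text).values())


def find_privileged_account_changes(syslog_lines):
    """Return (configuring_user, account, command) for each privilege-15 user change."""
    hits = []
    for line in syslog_lines:
        m = CFGLOG_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        u = PRIV15_USER_RE.match(cmd)
        if u:
            hits.append((m.group("user"), u.group("account"), cmd))
    return hits


if __name__ == "__main__":
    print("HTTP server audit:", audit_http_server(SAMPLE_CONFIG))
    print("Mitigation complete:", mitigation_complete(HARDENED_CONFIG))
    for who, account, cmd in find_privileged_account_changes(SAMPLE_SYSLOG):
        print(f"ALERT: {who} set privilege 15 on local user {account}: {cmd}")
```

The syslog check deliberately keys on the logged command rather than on the user who issued it, so an account created through any management path is reported; the configuring user is returned alongside so the team can compare it against its list of expected administrators.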
Associated Articles:
Zero-Day Alert: Thousands of Cisco IOS XE Systems Now Compromised