Cisco warns of critical IOS vulnerability being exploited

First observed in a customer environment last month.

Cisco is warning of a critical unpatched vulnerability in the web UI feature of its Internetwork Operating System (IOS) XE software that is being actively exploited.

The vulnerability affects physical and virtual enterprise networking services running IOS XE that also have the HTTP or HTTPS Server feature enabled, according to a threat advisory by Cisco Talos.

It has been given the reference CVE-2023-20198 and received a Common Vulnerability Scoring System (CVSS) score of 10.

The vulnerability “allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” the vendor said in a separate advisory.

“The attacker can then use that account to gain control of the affected system.”

Privilege level 15 is the highest of the 16 privileged access levels in IOS, granting “full administrative access”.

The web UI is described as an embedded GUI-based system-management tool used for provisioning, system deployment and manageability, and user experience. 

Cisco urged administrators to check their system logs for specific messages, described in its advisory.

It said there are no current workarounds and that it would communicate with customers “when a software patch is available.”

In the interim, the vendor “strongly recommended” that customers “disable the HTTP Server feature on all internet-facing systems.”

“The recommendation that Cisco has provided in its security advisory to disable the HTTP server feature on internet-facing systems is consistent with not only best practices but also guidance the US government has provided in the past on mitigating risk from internet-exposed management interfaces,” Cisco Talos wrote.  

“This is a critical vulnerability, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s… advisory.”
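As an added illustration of the interim guidance above (not code from Cisco, Talos or iTnews), the following Python script audits saved IOS XE running-configs for the HTTP or HTTPS Server feature and lists privilege level 15 local accounts that are missing from an allowlist. The device names, config excerpts and the `known_admins` allowlist are constructed assumptions; `ip http server` and `ip http secure-server` are the IOS XE commands that enable the feature.

```python
import re

# Constructed running-config excerpts for two hypothetical devices.
CONFIGS = {
    "edge-rtr-01": """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 <hash>
username helpdesk privilege 1 secret 9 <hash>
ip http server
ip http secure-server
""",
    "core-sw-02": """\
hostname core-sw-02
username netadmin privilege 15 secret 9 <hash>
no ip http server
no ip http secure-server
""",
}

PRIV15 = re.compile(r"^username\s+(\S+)\s.*\bprivilege\s+15\b")

def audit_config(text):
    """Report web UI listeners and privilege-15 local users in one config."""
    lines = [ln.strip() for ln in text.splitlines()]
    # Whole-line comparison, so the negated 'no ip http server' never matches.
    listeners = [name for cmd, name in (("ip http server", "http"),
                                        ("ip http secure-server", "https"))
                 if cmd in lines]
    admins = [m.group(1) for m in map(PRIV15.match, lines) if m]
    return {"web_ui": listeners, "priv15_users": admins}

def audit_fleet(configs, known_admins):
    """Flag devices with the web UI enabled or admins outside the allowlist."""
    findings = []
    for device, text in sorted(configs.items()):
        result = audit_config(text)
        unknown = sorted(set(result["priv15_users"]) - set(known_admins))
        if result["web_ui"] or unknown:
            findings.append((device, result["web_ui"], unknown))
    return findings

if __name__ == "__main__":
    for device, listeners, unknown in audit_fleet(CONFIGS, {"netadmin"}):
        print(f"{device}: web UI via {listeners or 'none'}; "
              f"unreviewed privilege-15 users: {unknown or 'none'}")
```
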

Cisco Talos said the vulnerability was initially observed in a single customer’s environment in mid-to-late September, when the customer lodged a ticket for assistance.

It further observed a similar pattern in other environments this month which appeared “to build off the September activity”, and which Talos deemed to be “likely carried out by the same actor.”
