A critical security issue was announced last week affecting Cisco IOS XE software. BreachBits analyzed this threat and rapidly deployed detection capabilities to our BreachRisk™ subscribers. If you subscribe to BreachRisk™, we have enhanced your attack surface detection capabilities and you were sent an email notifying you if this issue was detected in your environment. Testing capabilities are forthcoming.
If you are a BreachRisk™ subscriber, check your email for a BreachBits Service Advisory to see if we detect this threat in your attack surface. Email subject includes the phrase "Security Advisory: Cisco IOS XE Vulnerability (CVE-2023-20198)".
Summary: Organizations with Cisco IOS XE software should disable the web UI feature, verify recently created accounts, and install the manufacturer’s update as soon as possible. A small number of sophisticated attackers can conduct this attack, which could give the attacker total control of the affected device.
Cisco and the Cybersecurity and Infrastructure Security Agency (CISA) announced last week that widespread exploitation of a newly discovered vulnerability (CVE-2023-20198) in the web interface of Cisco IOS XE software has been observed. Exploitation of the vulnerability provides unauthenticated attackers with privileged access to affected devices, allowing them to create additional accounts and leverage another newly disclosed vulnerability (CVE-2023-20273) to execute arbitrary commands with elevated privileges.
The Cisco Security Advisory for Cisco IOS XE contains guidance for users of the affected appliance, along with technical details that are being updated as the situation develops. Additionally, Cisco Talos has released a method of confirming whether or not an IOS XE device has been compromised with some known variants of malware implanted on these devices.
As a part of our continuous process, BreachBits has analyzed this threat and has deployed detection capability for BreachRisk™ subscribers.
Impact and Likelihood
An attack against affected devices using this vulnerability has a high impact: it could result in devices being completely taken over by malicious actors. Currently, a limited number of threat groups have exploited this vulnerability. Because the impact of this attack is so high, we anticipate activity by more threat groups in the coming days.
This vulnerability is rated at the highest (most dangerous) severity level issued by the NIST National Vulnerability Database. A public proof-of-concept exploit for this vulnerability has not been released, but Cisco has confirmed exploitation of this vulnerability since at least mid-September.
Affected versions: Cisco IOS XE versions 17.9 and earlier.
Note: Only IOS XE software with the web UI feature enabled is affected.
BreachBits recommends the following actions if your organization operates an affected version of Cisco IOS XE. Further details of how to implement these recommendations can be found in the Cisco Security Advisory.
Disable the web UI feature and ensure it is not accessible from untrusted sources.
If the web UI feature was enabled and Internet-facing in the past 90 days, verify any new accounts created are legitimate and search for indicators of compromise included in the Cisco Security Advisory.
As of 24 Oct, Cisco has only released an update addressing this vulnerability for IOS XE version 17.9. If applicable, BreachBits recommends installing this update as soon as possible.
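The first two recommendations above, expressed as IOS XE CLI commands. This is an added illustration, not text from the Cisco Security Advisory or from BreachBits; the ACL number and the 10.0.0.0/8 management range are assumed placeholders.

```text
! 1. Check whether the web UI is enabled (either line present means it is on)
show running-config | include ip http server|secure-server

! Weak state: web UI enabled with no access restriction
ip http server
ip http secure-server

! Recommended state: disable the web UI entirely
configure terminal
 no ip http server
 no ip http secure-server
end
write memory

! If the web UI must stay on for management, limit it to a trusted subnet
! (ACL 10 and the 10.0.0.0/8 range are assumed placeholders)
configure terminal
 access-list 10 permit 10.0.0.0 0.255.255.255
 ip http access-class 10
end
write memory

! 2. List local accounts and confirm each username is expected;
!    compare against the indicators in the Cisco Security Advisory
show running-config | include username
```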
What we are doing
Our BreachRisk™ service helps subscribers automatically and continuously detect, gauge, and test the ways attackers can cause a cyber breach. As a part of this service, when new threats are announced, we rapidly research the threat and notify our customers if they appear to be affected. BreachRisk™ customers have been notified about the threat and made aware if they are affected or not.
Specifically, BreachBits has supported our BreachRisk™ customers by:
Rapidly developing detection capability and scanning in-scope assets for the threat. Testing capability is forthcoming.
Notifying customers of all service levels if they are affected or not. The subject of the email contains the phrase, "Security Advisory: Cisco IOS XE Vulnerability (CVE-2023-20198)".
Scanning organizations monitored by our BreachRisk™ Portfolio customers to determine if organizations they care about are affected.
We provide our BreachRisk™ for Business and BreachRisk™ Portfolio customers with continuous threat detection and testing services for situations like this. Our job is to answer these questions for our clients:
"Does this threat affect me?"
"If so, where am I affected?"
"How does this affect my overall cyber risk profile (i.e. my BreachRisk™ Score)?"
"Where does this threat stack up against other ongoing cyber threats?"
"How will I know when the situation is handled?"
As a part of our routine process, we have worked tirelessly since the announcement of this vulnerability to integrate capabilities to match this threat. Our automation and A.I.-based systems are designed to accept rapid development for threats such as these. We don't just report technical data, we put the threat into context using BreachRisk™ Score and BreachRisk™ Report.
As details of attack methods continue to become available, we expect attackers of lower skill levels to also learn to execute this attack. BreachBits will continue to update and refine our BreachRisk™ solutions to identify exposed vulnerabilities and attack methods. BreachBits will continue to initiate new BreachRisk™ assessment cycles for customers when new affected software is released publicly, to help our customers stay ahead of attackers.
What You Should Do
Consider taking the following actions, especially if you are not a BreachRisk™ customer:
Identify if the threat is present on your systems.
Pinpoint where you are affected.
Consider how your business would be impacted if the affected element were to be shut down, breached, or taken over by an attacker.
Determine if this risk is significant enough to divert resources from other efforts, and make a decision to attempt a fix or not.
If you attempt to fix, follow up to verify the fix was applied. You may need to repeat this cycle as more information emerges.
Now that the vulnerability is public, be on the lookout for further guidance from software developers and security firms.
If you are a BreachRisk™ Subscriber
If you are a BreachRisk™ for Business customer, we are already examining your external attack surface. You should also do the following:
Check your email from Oct 24, 2023 for a summary of whether we believe you are affected or not.
Provide any IT infrastructure that we haven't already discovered via the Verifications page on your Dashboard. This will allow us to identify more of the attack pathways that are accessible from the internet.
Enable Penetration Testing if you have a Pro or Premium subscription. This will allow us to test any attack pathways we identify to see if an attacker can achieve a breach.
Since we are inspecting your external attack surface, you should have your security team search your internal systems, which we may not be able to see.
If you need any assistance or have questions, contact us at firstname.lastname@example.org.
If you are a BreachRisk™ Portfolio client, consider contacting the companies in your portfolio and encouraging them to take the steps above if they haven't already. You can also monitor your companies for a sharp rise in their BreachRisk™ Score, which may indicate an affected company.
25 Oct 2023: Published