Cisco Zero Day IOS XE >80,000 network devices backdoored through unpatched 0-day

idiomatic


“Cisco buried the lede.” >10,000 network devices backdoored through unpatched 0-day

The previously unknown vulnerability, which is tracked as CVE-2023-20198, carries the maximum severity rating of 10. It resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks. Any switch, router, or wireless LAN controller running IOS XE that has the HTTP or HTTPS Server feature enabled and exposed to the Internet is vulnerable. On Monday, the Shodan search engine showed that as many as 80,000 Internet-connected devices could be affected.

“Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” members of Cisco’s Talos security team wrote Monday. “This is a critical vulnerability, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory.”

Cisco said that the unknown threat actor has been exploiting the zero-day since at least September 18. After using the vulnerability to become an authorized user, the attacker creates a local user account. In most cases, the threat actor has gone on to deploy an implant that allows it to execute malicious commands at the system or IOS level, once the web server is restarted. The implant is unable to survive a reboot, but the local user accounts will remain active.

This is a full root of Cisco's big switches. The amount of access that could give you is unthinkable.
 
Issues like this one here are why solutions like ClearPass and ISE are so important right now.
They drastically shrink the size of the available attack vectors on these sorts of exploits and make detecting them far easier.

The bad guys have more eyes than the good ones; for every 1 person trying to secure your network, assume there are 30 people trying to break in. They will win; there is no reasonable solution that most businesses can employ that will guarantee their safety. The only thing you can do is work to limit their options while they are inside and do your darnedest to cripple their ability to scan your network for resources and vulnerabilities.

Gone are the days when you could just set up your switches, configure your VLANs, and use user permissions on resources for file shares. Security through obscurity no longer works for networking, and companies need to be actively locking down internal traffic.
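An added example, not from the article or from anyone in this thread, of the durable check the quoted text implies: the implant dies on reboot but the privilege 15 account does not, so a defender audits the IOS XE running-config for the HTTP/HTTPS Server feature being enabled and for local privilege 15 users outside a known-admin allowlist. The config excerpt, hostnames and usernames below are constructed.

```python
import re

# Constructed running-config excerpt (not from the page or any real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
username netops privilege 15 secret 9 $9$placeholder
username svc-backup privilege 1 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

# Constructed allowlist of local admin accounts that are expected to exist.
KNOWN_ADMINS = {"netops"}

# A "username" line carries "privilege N" when the level is set explicitly;
# the default level is 1, so lines without it are not privilege 15.
USER_RE = re.compile(r"^username (\S+)\b.*\bprivilege (\d+)\b")


def audit_ios_xe_config(config, known_admins):
    """Return exposure of the web UI feature and the local privilege 15 users."""
    http_enabled = https_enabled = False
    priv15_users = []
    for raw in config.splitlines():
        line = raw.strip()
        # Exact matches: a disabled feature shows as "no ip http server", which
        # must not count as enabled.
        if line == "ip http server":
            http_enabled = True
        elif line == "ip http secure-server":
            https_enabled = True
        m = USER_RE.match(line)
        if m and int(m.group(2)) == 15:
            priv15_users.append(m.group(1))
    # Accounts outside the allowlist survive a reboot, so they are the
    # durable indicator to review even after an implant is gone.
    unexpected = sorted(set(priv15_users) - set(known_admins))
    return {
        "web_ui_enabled": http_enabled or https_enabled,
        "privilege15_users": priv15_users,
        "unexpected_privilege15_users": unexpected,
    }


if __name__ == "__main__":
    print(audit_ios_xe_config(SAMPLE_CONFIG, KNOWN_ADMINS))
```

Feed it the output of `show running-config` from each device; a device with the web UI enabled and an unlisted privilege 15 user is the one to investigate first.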