
New IOS XE Zero-Day Vulnerability
Cisco recently warned its customers about a new zero-day vulnerability in IOS XE, the operating system that runs much of its router and switch portfolio. Cisco rates the flaw, tracked as CVE-2023-20198, as critical (CVSS base score 10.0), and it was being exploited in the wild before any fix existed, so it poses a direct threat to the integrity of every affected device.
Cisco Issues Warning to Customers
The warning concerns a security hole in the IOS XE software running on a range of Cisco products. Cisco has not yet released software updates that address the vulnerability, and in the meantime urges customers to apply the mitigations described below and to increase monitoring of their network devices.
Description of the Vulnerability
The zero-day vulnerability, tracked as CVE-2023-20198, resides in the web UI feature of Cisco IOS XE Software. When the web UI is exposed to the internet or to an untrusted network, an unauthenticated, remote attacker can use it to create a local account on the device with privilege level 15, the highest IOS XE privilege level, and then log in with that account to take full control of the device.
Severity and Implications of the Issue
The vulnerability carries a critical severity rating because exploitation needs no credentials and no user interaction, and the outcome is not a mere outage but a full-privilege administrative account on the device. With that account an attacker can change the running configuration, add further accounts, and install additional software, which is exactly how the implant described below was deployed.
Vulnerability Exploitable from Network or Directly from the Internet
The vulnerability is reachable from any network that can reach the device's web UI: an internal network where the feature is enabled, or the internet directly if the HTTP or HTTPS server is exposed there. Establishing where each device's web UI is reachable from is therefore the first step, and detection and prevention must be a priority for every organization running vulnerable Cisco devices.
Investigation and Determination of Attack Timeline
In analyzing exploitation of the IOS XE zero-day, Cisco's Talos team investigated the timeline and nature of the attacker's activity. Its findings show that the suspicious activity was not an isolated event but a pattern of escalating operations spanning September and October 2023.
Discovery of the Attack on September 28
The first report of unusual activity came on September 28, when an authorized user created a local user account named "cisco_tac_admin" from a suspicious IP address. Apart from the new account, Cisco's Technical Assistance Center (TAC) found no other sign of malicious activity at that time.
Analysis of Malicious Activity Starting from September 18
Further investigation traced related activity back to September 18. That earlier timeline included not only the account creation already mentioned but also a series of other actions consistent with exploitation of the IOS XE vulnerability.
Continuation of the Activity in October with Deployment of Implant
By October 12 a similar intrusion had been uncovered: an unauthorized user created a local user account named "cisco_support" from a different suspicious IP address. This time the attackers went a step further and deployed an implant that let them execute commands at the system or IOS level, giving them substantial control over the affected device.
Observations Indicating Escalating Operations
These findings suggest that the September activity may have been a preliminary phase in which the threat actors tested their code. The October activity, marked by deployment of the system-level implant, shows the actors expanding their operations to establish persistent access. This pattern of escalation underlines the gravity of the vulnerability and the likelihood of more sophisticated follow-on attacks.
Description and Mechanism of The Implant
While investigating the IOS XE zero-day, the Talos team also scrutinized the functionality and delivery mechanism of the implant the threat actors deployed during this period. That analysis produced several important findings about the full exploitation cycle.
Function of the Implant: Execution of Arbitrary Commands
The implant's main function is to let the attackers execute arbitrary commands at the system or IOS level. That capability amounts to control of the device: an attacker can inspect traffic passing through it, pivot from it into the networks it protects, and carry out man-in-the-middle attacks on that traffic.
Conditions for Activation of the Implant
The implant needs no user interaction to operate, but it does depend on one device condition: it is written to the web server's configuration directory and only becomes active once the web server is restarted. It is not persistent, so a reboot removes it, whereas the local accounts the attackers created survive a reboot; deleting the implant alone is therefore not a remediation. Once active, it accepts command requests without any authentication, so anyone who can reach the web UI can run commands at a level of access normally reserved for the device's administrators.
Delivery of the Implant through Exploitation of Previous Vulnerability, CVE-2021-1435
The Talos team found evidence that the implant was delivered through exploitation of an earlier vulnerability, CVE-2021-1435. That vulnerability was patched two years ago, yet the threat actors still used it successfully to install the implant on affected systems.
Observations of Implant Installation on Patched Devices
Notably, devices that were fully patched against CVE-2021-1435 were also found with the implant installed. The exact mechanism by which the implant reached those devices remains unclear; it suggests an additional, as yet unidentified delivery path and further emphasizes the need for rigorous detection rather than reliance on patch status alone.
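Because patch status for CVE-2021-1435 does not rule the implant out, the practical question is how to check a device for it. Talos published a simple probe alongside its indicators of compromise: an unauthenticated HTTP POST to /webui/logoutconfirm.html?logon_hash=1 is answered with a bare hexadecimal string when the implant is installed. The following is an added example that automates that probe; it is not Cisco's or Talos's code, the host addresses are placeholders, and the sample response bodies are constructed for the demonstration.

```python
"""Check an IOS XE device for the CVE-2023-20198 web-UI implant.

Added example; not Cisco's or Talos's code. It automates the check Talos
published with its indicators of compromise: an unauthenticated HTTP POST to
/webui/logoutconfirm.html?logon_hash=1 is answered with a bare hexadecimal
string when the implant is installed, and with the normal logout page (or an
error page, or nothing at all) when it is not.
"""
import re
import ssl
import urllib.error
import urllib.request

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
_HEX_ONLY = re.compile(r"[0-9a-fA-F]+")


def implant_present(body: str) -> bool:
    """True if a response body is nothing but a hexadecimal string.

    The implant's reply is a hex string, usually newline-terminated, so
    surrounding whitespace is ignored. Anything containing HTML, spaces or
    other characters is treated as a normal web-UI response.
    """
    text = body.strip()
    return bool(text) and _HEX_ONLY.fullmatch(text) is not None


def probe(host: str, timeout: float = 10.0) -> str:
    """Send the Talos probe to one device and return the raw response body.

    Certificate verification is disabled because device web UIs almost
    always present self-signed certificates. Shell equivalent:
        curl -k -X POST "https://HOST/webui/logoutconfirm.html?logon_hash=1"
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{IMPLANT_PATH}", data=b"", method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # A 4xx/5xx still carries a body; inspect it rather than bailing out.
        return exc.read().decode("utf-8", errors="replace")


def assess(host: str) -> str:
    """Classify one host as 'implant', 'clean' or 'unreachable'."""
    try:
        body = probe(host)
    except OSError:  # URLError, timeouts and refused connections all land here
        return "unreachable"
    return "implant" if implant_present(body) else "clean"


# Constructed response bodies standing in for what real devices return.
SAMPLE_RESPONSES = {
    "implanted": "7b5a3c1e9f0d2b4a\n",
    "clean": "<html><body><h1>Logout</h1></body></html>",
    "webui-off": "",
}

if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        print(f"{label:10s} implant_present={implant_present(body)}")
    # Live use against placeholder addresses:
    # for h in ["192.0.2.10", "192.0.2.11"]:
    #     print(h, assess(h))
```

A negative result is not proof of a clean device: Talos later observed the implant modified to require an Authorization header before answering, and a device that was compromised but never had its web server restarted holds an inactive implant that this probe will not see. Treat "clean" as "no active implant observed" and still review local accounts and logs.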
Further Developments, Recommendations and Mitigation Steps
Following the discovery and analysis of the zero-day and the subsequent implant deployment, Cisco issued a series of recommendations and mitigation steps for its customers. Government cybersecurity agencies have also taken action in response to this significant security event.
Anticipation of a Patch for CVE-2023-20198
Cisco has not yet issued a software patch for CVE-2023-20198. As is typical for a newly disclosed vulnerability, a patch is expected once it has been developed and adequately tested. In the meantime, administrators should increase monitoring and apply the recommended mitigations.
Cisco’s Recommendation: Disable the HTTP Server Feature on Internet-Facing Systems
Cisco recommends that customers disable the HTTP Server feature on all internet-facing systems, which removes the vulnerable web UI from the attack surface. This is done with the no ip http server and no ip http secure-server commands; if both the HTTP and the HTTPS server are enabled, both commands are needed, since either listener exposes the web UI.
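As an added example (a constructed CLI session, not text from Cisco's advisory), the following shows how that mitigation is applied and verified on an IOS XE device. The hostname and addresses are placeholders.

```cisco
! First confirm which listeners are currently enabled.
edge-rtr-01# show running-config | include ip http
ip http server
ip http secure-server
! Both are on, so both must be turned off.
edge-rtr-01# configure terminal
edge-rtr-01(config)# no ip http server
edge-rtr-01(config)# no ip http secure-server
edge-rtr-01(config)# end
edge-rtr-01# write memory
! Verify: the two lines now appear negated (or are absent, depending on
! the platform's defaults); any remaining "ip http ... server" means a
! listener is still up.
edge-rtr-01# show running-config | include ip http
no ip http server
no ip http secure-server
! If a management tool needs the web UI, restrict it to trusted sources
! instead of leaving it open (access-class syntax on recent IOS XE;
! older releases take a numbered list with "ip http access-class <n>").
edge-rtr-01(config)# ip access-list standard WEBUI-MGMT
edge-rtr-01(config-std-nacl)# permit 10.20.30.0 0.0.0.255
edge-rtr-01(config-std-nacl)# exit
edge-rtr-01(config)# ip http access-class ipv4 WEBUI-MGMT
```

Run the verification step on every device, not just those believed to be internet-facing; the web UI is commonly left enabled by default and discovered on devices nobody thought of as exposed.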
Indicators of Compromise (IoCs) Shared
As part of its investigative report, the Talos team shared specific Indicators of Compromise (IoCs): the attacker-created account names, the source addresses observed, and the log messages and HTTP behaviour associated with the implant. These IoCs let administrators determine whether a device has been affected and are critical input to securing their networks.
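The two indicators any operator can act on immediately are local accounts they did not create and web-UI activity attributed to such accounts in syslog. The following is an added example of triage logic over those indicators; it is not Talos's or Cisco's tooling. The three syslog message formats are the ones Talos named in its IoC guidance; the sample log lines, sample running-config, and the KNOWN_ADMINS allow-list are constructed for this demonstration and would be replaced with an operator's own data.

```python
"""Triage IOS XE syslog and running-config for CVE-2023-20198 indicators.

Added example, not Talos's or Cisco's tooling. The message formats follow
the Talos IoC guidance; sample data below is constructed for this demo.
"""
import re
from typing import Iterable, List, Set, Tuple

# Local accounts the attackers were observed creating.
ATTACKER_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}
# Placeholder allow-list of local accounts the operator actually created.
KNOWN_ADMINS: Set[str] = {"netops", "backup-svc"}

# Configuration applied through the web UI process, attributed to a user.
CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process "
    r"(?P<proc>\S+) from console as (?P<user>\S+) on"
)
# Successful web UI login with its source address.
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
# File installed through the web UI (the implant's .conf arrived this way).
WEBUI_INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<file>\S+)"
)
# Local account definitions in running-config.
USERNAME_LINE = re.compile(
    r"^username (?P<user>\S+)(?: privilege (?P<priv>\d+))?", re.M
)

Finding = Tuple[str, str, str]  # (indicator, user, raw line)


def suspicious_user(user: str) -> bool:
    """Known attacker name, or simply an account the operator never created."""
    return user in ATTACKER_ACCOUNTS or user not in KNOWN_ADMINS


def triage_logs(lines: Iterable[str]) -> List[Finding]:
    """Return one finding per log line that matches an indicator."""
    findings: List[Finding] = []
    for line in lines:
        m = CONFIG_P.search(line)
        if m and m["proc"] == "SEP_webui_wsma_http" and suspicious_user(m["user"]):
            findings.append(("webui-config-by-unknown-user", m["user"], line))
            continue
        m = WEBLOGIN.search(line)
        if m and suspicious_user(m["user"]):
            findings.append(("webui-login-by-unknown-user", m["user"], line))
            continue
        m = WEBUI_INSTALL.search(line)
        if m and m["op"].upper() == "ADD":
            # Every web-UI ADD deserves review; the implant was dropped this way.
            findings.append(("webui-file-install", m["user"], line))
    return findings


def unexpected_local_users(running_config: str) -> List[Tuple[str, int]]:
    """(user, privilege) for local accounts not on the allow-list.

    Accounts created through CVE-2023-20198 persist across a reboot even
    though the implant does not, so this check matters after a reload.
    """
    return [
        (m["user"], int(m["priv"] or 1))
        for m in USERNAME_LINE.finditer(running_config)
        if m["user"] not in KNOWN_ADMINS
    ]


def webui_listeners(running_config: str) -> List[str]:
    """HTTP/HTTPS listener lines still enabled (the mitigation target)."""
    wanted = {"ip http server", "ip http secure-server"}
    return [ln.strip() for ln in running_config.splitlines() if ln.strip() in wanted]


# Constructed sample data (documentation-range addresses, placeholder hashes).
SAMPLE_LOGS = [
    "Sep 28 2023 11:04:12 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line",
    "Sep 28 2023 11:10:03 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on line",
    "Oct 12 2023 03:42:13 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 192.0.2.45] at 03:42:13 UTC Thu Oct 12 2023",
    "Oct 12 2023 03:44:51 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD cisco_service.conf",
    "Oct 12 2023 09:00:00 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.30.4] at 09:00:00 UTC Thu Oct 12 2023",
    "Oct 12 2023 09:01:10 UTC: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.30.4)",
]
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder1
username backup-svc secret 9 $9$placeholder2
username cisco_tac_admin privilege 15 secret 9 $9$placeholder3
ip http server
ip http secure-server
"""

if __name__ == "__main__":
    for indicator, user, line in triage_logs(SAMPLE_LOGS):
        print(f"[{indicator}] user={user}: {line}")
    print("unexpected local users:", unexpected_local_users(SAMPLE_CONFIG))
    print("web UI listeners enabled:", webui_listeners(SAMPLE_CONFIG))
```

The legitimate web-UI activity by netops passes through untouched, which is the point of keying on the account rather than on the web-UI process alone: %SYS-5-CONFIG_P from SEP_webui_wsma_http is normal whenever the web UI is in use. Any account this reports that is not in your own records should be treated as attacker-created, removed, and its creation time used to bound the incident.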
Addition of CVE-2023-20198 to CISA’s Known Exploited Vulnerabilities Catalog
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-20198 to its Known Exploited Vulnerabilities (KEV) catalog. CISA emphasizes the need to apply Cisco's mitigation recommendations and to hunt for and remediate any evidence that the vulnerability has been exploited.
Mandatory Deployment of Mitigations by Government Organizations
Under the KEV catalog's binding operational directive, U.S. federal civilian agencies are now required to deploy the recommended mitigations, report their findings, and update their systems once a patch is available. The direction calls for immediate attention to securing vulnerable systems and for close monitoring of subsequent developments.