DIVD-2023-00038 - Global Cisco IOS-XE (CVE-2023-20198) Implants
| Our reference | DIVD-2023-00038 |
| Case lead | Ralph Horn, Max van der Horst |
| Author | Max van der Horst |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Disable the Cisco WebUI and remove all management interfaces from the public Internet. If you have found an implant, consider starting your Incident Response procedure. |
| Patch status | patch unavailable |
| Workaround | Disable HTTP(S) management interface access or implement an Access Control List. |
| Status | Open |
| Last modified | 18 Oct 2023 15:24 |
Summary
On October 16th, Cisco disclosed an authentication bypass vulnerability affecting Cisco IOS-XE appliances with CVE-ID CVE-2023-20198. An unknown threat actor is actively placing implants on the vulnerable appliances worldwide. This is a serious situation as implants allow threat actors to monitor traffic, gain access to the underlying system and move into protected networks. For additional guidance, please find the Cisco PSIRT advisory at the bottom of this page.
Recommendations
Given that no patch is yet available, disable HTTP(S) access to any management interfaces if possible. If HTTP(S) access is required, implement an Access Control List to limit access. If your appliance contains an implant, the steps to remediate are rebooting the appliance to neutralize the implant, disabling http(s)-server and removing any privileged accounts in that order.
What we are doing
DIVD is scanning for implants on public-facing systems. Owners of such systems will receive a notification with this casefile and remediation steps.
Timeline
| Date | Description |
|---|---|
| 17 Oct 2023 | DIVD starts researching CVE-2023-20198. |
| 17 Oct 2023 | DIVD takes note of growing level of implants. |
| 18 Oct 2023 | DIVD starts scanning for implants. |