Skip to the content.

DIVD-2023-00038 - Global Cisco IOS-XE (CVE-2023-20198) Implants

Our reference DIVD-2023-00038
Case lead Ralph Horn, Max van der Horst
Author
Researcher(s)
CVE(s)
Products
  • Cisco IOS-XE
Versions
  • All versions of Cisco IOS-XE
Recommendation Disable the Cisco WebUI and remove all management interfaces from the public Internet. If you have found an implant, consider starting your Incident Response procedure.
Patch status patch unavailable
Workaround Disable HTTP(S) management interface access or implement an Access Control List.
Status Open
Last modified 18 Oct 2023 15:24

Summary

On October 16th, Cisco disclosed an authentication bypass vulnerability affecting Cisco IOS-XE appliances with CVE-ID CVE-2023-20198. An unknown threat actor is actively placing implants on the vulnerable appliances worldwide. This is a serious situation as implants allow threat actors to monitor traffic, gain access to the underlying system and move into protected networks. For additional guidance, please find the Cisco PSIRT advisory at the bottom of this page.

Recommendations

Given that no patch is yet available, disable HTTP(S) access to any management interfaces if possible. If HTTP(S) access is required, implement an Access Control List to limit access. If your appliance contains an implant, the steps to remediate are rebooting the appliance to neutralize the implant, disabling http(s)-server and removing any privileged accounts in that order.

What we are doing

DIVD is scanning for implants on public-facing systems. Owners of such systems will receive a notification with this casefile and remediation steps.

Timeline

Date Description
17 Oct 2023 DIVD starts researching CVE-2023-20198.
17 Oct 2023 DIVD takes note of growing level of implants.
18 Oct 2023 DIVD starts scanning for implants.
gantt title DIVD-2023-00038 - Global Cisco IOS-XE (CVE-2023-20198) Implants dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00038 - Global Cisco IOS-XE (CVE-2023-20198) Implants (still open) :2023-10-17, 2024-03-04 section Events DIVD starts researching CVE-2023-20198. : milestone, 2023-10-17, 0d DIVD takes note of growing level of implants. : milestone, 2023-10-17, 0d DIVD starts scanning for implants. : milestone, 2023-10-18, 0d

More information