Cisco IOS XE Vulnerability CVE-2023-20198 Exploited to Hack Tens of Thousands of Devices: A Comprehensive Analysis
Cisco released a security bulletin for a critical vulnerability in IOS XE software, tracked as CVE-2023-20198, on October 16, 2023.
The vulnerability allows attackers to create a new user with full privileges on the device, giving them complete control.
Cisco has released patches for most versions of IOS XE that address the vulnerability, but organizations should patch all affected systems immediately and take other steps to mitigate the risk of a successful exploit.
Organizations should also implement a strong security policy, use a firewall to restrict access to Cisco IOS XE devices to authorized users, use intrusion detection and prevention systems to monitor for suspicious activity, and have a plan in place to respond to a security incident.
Introduction
Well y’all, Cisco IOS XE is a widely used software platform that powers routers and switches in networks of all sizes. On October 16, 2023, Cisco released a security bulletin for a critical vulnerability in IOS XE software, tracked as CVE-2023-20198. The vulnerability allows attackers to create a new user with full privileges on the device, giving them complete control.
Vulnerability Details
The vulnerability in CVE-2023-20198 is a path traversal vulnerability in the Web Services Management Agent (WMSA) service in iosd. An attacker can exploit this vulnerability by encoding an HTTP request to the WMSA service in a specific way. This allows the attacker to bypass authentication and create a new user with full privileges.
Exploitation
Researchers at Horizon3.ai have published a technical report that explains how the vulnerability can be exploited. The report shows how an attacker can encode an HTTP request to the WMSA service in iosd to bypass authentication and create a new user with full privileges.
Once an attacker has created a new user with full privileges, they can take complete control of the device. This includes the ability to steal data, launch attacks against other devices on the network, and even install malware.
Impact
The impact of a successful exploit of CVE-2023-20198 is severe. An attacker who successfully exploits the vulnerability can gain complete control of the affected device. This could allow the attacker to steal data, launch attacks against other devices on the network, and even install malware.
Affected Versions
The vulnerability in CVE-2023-20198 affects a wide range of IOS XE versions, including 16.12, 17.3, and 17.6.
Mitigation
Cisco has released patches for most versions of IOS XE that address the vulnerability in CVE-2023-20198. Organizations should patch all affected systems immediately.
In addition to patching, organizations can also take the following steps to mitigate the risk of a successful exploit of CVE-2023-20198:
Monitor systems for suspicious activity. Organizations should monitor their Cisco IOS XE systems for suspicious activity, such as unusual login attempts and changes to configuration files.
Have a plan in place to respond to a security incident. In the event that a Cisco IOS XE system is compromised, organizations should have a plan in place to respond quickly and effectively.
Conclusion
The vulnerability in CVE-2023-20198 is a critical vulnerability that could allow attackers to gain complete control of affected Cisco IOS XE devices. Organizations should patch all affected systems immediately and take other steps to mitigate the risk of a successful exploit.
Recommendations for Organizations
In addition to the mitigation steps listed above, organizations should also consider the following recommendations:
Implement a strong security policy that includes regular software updates, password management, and user training.
Use a firewall to restrict access to Cisco IOS XE devices to authorized users.
Use intrusion detection and prevention systems to monitor for suspicious activity on Cisco IOS XE devices.
Have a plan in place to respond to a security incident, including a process for isolating compromised devices and restoring from backups.
By following these recommendations, organizations can help to protect themselves from the Cisco IOS XE vulnerability and other security threats.