The Cisco IOS XE vulnerability - regional impact

Generally speaking, breaches occur either by interacting with people via social engineering, or by exploiting vulnerabilities, which from the attacker's point of view ideally require no user interaction at all.

Such vulnerabilities are increasingly being used to gain initial access into an organization (we've covered recent examples here and here), especially when the affected devices or applications are exposed to the public internet.

The latest example includes a critical vulnerability in Cisco IOS XE devices (CVE-2023-20198) used on many Cisco routers and Catalyst switches. Again, the story follows a familiar pattern: the threat actors discover the vulnerability and start exploiting it weeks or months before the vendor is aware or is able to release patches.

A vulnerable Cisco IOS XE web interface idling on the internet

In this case, the vulnerability affects the HTTP web interface (often exposed on the internet by design) and allows an attacker to create an account with the highest privilege level available. With that account, it's possible to deploy a backdoor or implant, which can then be used to propagate further into the network, monitor traffic, and mount any number of man-in-the-middle attacks.

Cisco was made aware of exploitation during a routine tech support request, which triggered an investigation on September 28th. They found evidence dating back to September 18th, when a new user account was created from an unknown and suspicious IP address. Cisco Talos Intelligence has a detailed writeup covering all aspects of the vulnerability and its implications here.

By now, thousands of compromised devices worldwide are being reported, suggesting the vulnerability has been exploited for months in the wild, with hardly anyone aware:

  • Palo Alto Networks' attack surface telemetry from Cortex Xpanse indicates at least 22,074 hosts containing the implant, as of Oct 18th (link).

  • Censys reports an initial count of 41,983 compromised devices, which has decreased on October 19th to 36,541 (link).

How does it look in the Adriatics? Hundreds of devices compromised

Any Cisco IOS XE device exposed on the internet can currently be exploited with little effort, as there is no patch available (as of Oct 20th). That's why Cisco urges its customers to immediately disable the HTTP Server feature on all internet-facing systems.
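To make the interim advice concrete, here is an added example (not from the original post or from Cisco) that audits an IOS XE running-config for the web UI settings the advisory tells you to turn off and prints the corresponding config lines. The sample configuration is constructed; the command names (`ip http server`, `ip http secure-server`, `ip http access-class`) are standard IOS syntax.

```python
"""Audit a Cisco IOS XE running-config for the HTTP web UI exposure that
CVE-2023-20198 targets, and emit the interim mitigation (disable it)."""
import re

# Constructed sample: both the plain and TLS web UI are enabled and
# nothing restricts which source addresses may reach them.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

def audit_http_ui(config: str) -> dict:
    """Return which web-UI related settings are active in a running-config."""
    active = set()
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("no "):
            continue                      # explicitly disabled, nothing to flag
        if re.fullmatch(r"ip http server", line):
            active.add("http")
        elif re.fullmatch(r"ip http secure-server", line):
            active.add("https")
        elif line.startswith("ip http access-class"):
            active.add("access-class")    # source restriction: partial control only
    return {
        "http": "http" in active,
        "https": "https" in active,
        "restricted": "access-class" in active,
        "exposed": bool(active & {"http", "https"}),
    }

def remediation(result: dict) -> list[str]:
    """Config lines that turn the web UI off, matching Cisco's interim advice."""
    cmds = []
    if result["http"]:
        cmds.append("no ip http server")
    if result["https"]:
        cmds.append("no ip http secure-server")
    return cmds

if __name__ == "__main__":
    finding = audit_http_ui(SAMPLE_CONFIG)
    print(finding)
    for cmd in remediation(finding):
        print("  ", cmd)
```

Run it against a `show running-config` capture instead of the sample to get the lines to apply in config mode; an `access-class` only narrows who can reach the UI and is reported separately, not treated as a fix.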

Again, services such as Shodan or Censys (search engines for internet-connected devices and servers) can help us estimate the number of devices currently exposed (and probably already compromised).

In the case of Shodan, Cisco IOS XE devices can be found by querying a specific hash of the HTML content together with the certificate CN name typical for those devices:

"IOS-Self-Signed-Certificate" http.html_hash:1076109428 country:SI,HR,BA,RS,ME,MK,AL,XK

The above query is limited to countries in the Adriatic region (from Slovenia to Albania).

The query returns approximately 914 devices as of Oct 20th, with the largest number in Croatia, but also an outsized concentration of devices in North Macedonia.

Internet exposed Cisco IOS XE devices in the Adriatics (company names obfuscated). Source: Shodan search engine

Again, as in the case of other recent vulnerabilities in network devices, it will take weeks or even months before all devices are secured.

The same issues persist:

  • There is a fundamental problem with the timely maintenance of network devices and applications, especially when they are not proactively monitored by an MSSP or offered directly by a vendor, packaged as a service (for example, a SASE architecture);

  • On-premises equipment seems to take especially long to get patched or secured (see an example here);

  • The unacceptable time gap between vulnerability disclosure and mitigation (or patching) gives threat actors ample opportunity to deploy persistence and remote control while staying hidden, and to keep exploring customer sites for opportunities to strike (for example, with ransomware);

  • That's why, in the future, we'll see more attacks built on these initial intrusions.

With all this in mind, is it time to rely more heavily on vendor- or MSSP-driven services, especially where remote access is concerned?

Some stakeholders are already advising to completely remove direct internet access to network devices, which now seems like good advice. Running your own public or internet-facing device looks increasingly risky and inappropriate.