Cisco has released a patch for its IOS XE software after revealing a second flaw has been actively exploited by hackers.
The patch, which dropped on 22 October, addresses both the original vulnerability, CVE-2023-20198, as well as the newer flaw, CVE-2023-20273.
The first flaw – which motivated the Australian Cyber Security Centre to release a critical alert – allowed an unauthenticated, remote user to create a “highly privileged account”, in turn allowing them to take control of the entire system.
This flaw rated 10 under the Common Vulnerability Scoring System, or CVSS.
The second flaw, however, rates only 7.2. It lay in another part of IOS XE’s web user interface and allowed a user’s privileges to be elevated to root, after which an implant was written to the file system.
The implant, analysed on Cisco’s Talos Intelligence blog, was a piece of Lua code only 29 lines long but capable of running a number of arbitrary commands. Cisco’s researchers have also spotted a second version of the implant being deployed.
“We have also observed a second version of the implant, which now includes a preliminary check for the HTTP Authorisation header,” Talos’ researchers said in a blog post. “Most of the core functionalities of this version remain the same as the previous version. The second version likely started to be deployed as early as October 20 and was deployed using the earlier version of the implant.”
A number of security researchers have been tracking the exploitation of the vulnerabilities and have noted that the count of infected devices seems to be dropping off. However, that drop is more likely due to a change in the implant’s code than to a real decline in compromised devices.
“We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorisation HTTP header value before responding,” said security outfit Fox-IT on X.
“This explains the much-discussed plummet of identified compromised systems in recent days. Using a different fingerprinting method, Fox-IT identifies 37,890 Cisco devices that remain compromised.”
Cisco recommends that customers perform a range of checks for indicators of compromise on their systems. There are no known workarounds for the vulnerabilities apart from upgrading the software to the latest patched version.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.