Cisco has published a security advisory warning of a critical privilege
elevation vulnerability in its IOS XE Software web user interface (UI).
The flaw (CVE-2023-20198) is being actively exploited to gain full admin
privileges. No patch is currently available for the vulnerability; Cisco is
urging users to disable the HTTP Server feature on all internet-facing
systems.
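The two things Cisco's guidance asks an operator to check are whether the web UI's HTTP/HTTPS server is enabled on a device and whether a level-15 account exists that nobody created. The script below is an added example (not Cisco's code and not part of the original post) that audits a saved `show running-config` for both conditions and prints the advisory's mitigation commands. The two config texts are constructed for this example; `EXPECTED_ADMINS`, the `netops` account and the `svc_backup` account are assumptions standing in for a site's known administrators and for an account the operator did not create.

```shell
#!/usr/bin/env bash
# Added example, not Cisco's code or the original post's: audit a saved
# IOS XE running-config for the exposure CVE-2023-20198 relies on (the web UI
# reachable: "ip http server" / "ip http secure-server" enabled without an
# "ip http access-class" restriction) and for the artefact the advisory
# describes after exploitation, a privilege-15 local user nobody created.
# Both configs below are constructed for this example; "netops" stands in
# for the accounts an operator expects, "svc_backup" for one they did not add.

EXPECTED_ADMINS="netops"   # assumption: the site's known privilege-15 users

SAMPLE_CONFIG='version 17.6
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end'

HARDENED_CONFIG='version 17.6
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$placeholder
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
!
end'

# webui_findings CONFIG_TEXT
#   Prints one finding per line; prints nothing for a config with the web UI
#   disabled and only expected privilege-15 users. Whole-line matches (-x)
#   keep "no ip http server" from being read as "enabled".
webui_findings() {
  local cfg="$1" svc acl=0
  printf '%s\n' "$cfg" | grep -q '^ip http access-class ' && acl=1

  for svc in 'ip http server' 'ip http secure-server'; do
    if printf '%s\n' "$cfg" | grep -qx "$svc"; then
      if [ "$acl" -eq 1 ]; then
        echo "WARN: $svc enabled; an access-class limits it, but the advisory says to disable it"
      else
        echo "CRITICAL: $svc enabled with no access-class (reachable from any source)"
      fi
    fi
  done

  # Privilege-15 local users not in EXPECTED_ADMINS: the advisory's sign of
  # a compromised device is a new level-15 account.
  printf '%s\n' "$cfg" |
    awk '$1 == "username" && $3 == "privilege" && $4 == "15" { print $2 }' |
    while read -r user; do
      case " $EXPECTED_ADMINS " in
        *" $user "*) ;;
        *) echo "CRITICAL: unexpected privilege 15 user \"$user\"" ;;
      esac
    done
  return 0
}

# remediation_commands
#   The advisory's mitigation as IOS XE global-configuration commands,
#   ending with the copy that makes the change survive a reload.
remediation_commands() {
  printf '%s\n' 'configure terminal' \
                'no ip http server' \
                'no ip http secure-server' \
                'end' \
                'copy running-config startup-config'
}

echo "== constructed exposed config ==";  webui_findings "$SAMPLE_CONFIG"
echo "== constructed hardened config =="; webui_findings "$HARDENED_CONFIG"
echo "== mitigation ==";                  remediation_commands
```

Feed it the output of `show running-config` captured from each device (for example from a config backup repository) and treat any CRITICAL line as a device to pull off the internet first and inspect second; the WARN branch exists because an `ip http access-class` only narrows who can reach the web UI, while Cisco's mitigation is to turn the server off entirely.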
Never ever expose these admin interfaces to the public internet. It
is sad how no vendor is able to apply secure coding practices to these
high risk applications. Instead of "shift left", this feels more like
"shift right for the customer to secure".
First thing: eliminate Internet access to your Cisco devices' management
interfaces, ideally restricting them to management networks with very
limited access. For those of you in the federal space, that should have been
part of implementing BOD-23-02. For the rest of us, quick like a bunny,
get that taken care of. Exploiting this flaw allows a remote
unauthenticated attacker to create an administrator account with level
15 privileges, which can be used to take over the device.
Speaking as someone who knows how to operate old-school Cisco gear: don’t
use the WebUI on IOS XE. Unless there is some weird vManage (Viptela)
requirement, this is just… no, bad. Turn off. No. That’s all I have to
say. I’m sure there are tons of issues with it. There must be; who uses
this?
Yet another example of why you should not have your web management
interface exposed to the internet. If you do, you are hoping that a
critical vulnerability is never discovered or exploited. It is much
better to have access to the web management interface restricted to
internal IP addresses accessible via a VPN.
This is a dangerous vulnerability: a zero-day with a CVSS score of 10.
Heed Cisco’s mitigation guidance and be ready to implement the software
update once it becomes available.
Read more in:
- sec.cloudapps.cisco.com: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
- blog.talosintelligence.com: Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
- arstechnica.com: Actively exploited Cisco 0-day with maximum 10 severity gives full network control
- www.bleepingcomputer.com: Cisco warns of new IOS XE zero-day actively exploited in attacks
- nvd.nist.gov: CVE-2023-20198 Detail