Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor
Overview
Cisco has identified a critical security issue affecting its IOS XE software, specifically a zero-day vulnerability tracked as CVE-2023-20273 with a CVSS score of 7.2. This flaw is actively exploited by unknown threat actors to deploy a malicious Lua-based implant on vulnerable devices. Additionally, this zero-day was utilized in conjunction with CVE-2023-20198 (CVSS score: 10.0) to create an exploit chain.
Impact
The exploitation of these vulnerabilities poses significant risks, as it could enable an unauthenticated remote attacker to gain complete control over the affected systems. This control can lead to the compromise of routers and switches, unauthorized monitoring of network traffic, injection and redirection of network data, and the establishment of a persistent foothold within the network.
Recommended Actions
- Immediate Patching: Cisco has identified a fix that addresses both vulnerabilities. This patch will be available to customers starting on October 22, 2023. It is crucial to apply this patch as soon as it becomes available.
- Disabling HTTP Server Feature: In the interim, while waiting for the patch, it is strongly recommended to disable the HTTP server feature. This can help mitigate the risk of exploitation.
- Detection and Monitoring: Organizations are advised to monitor their network for any signs of compromise or suspicious activities. Properly log and review system activities for any unauthorized access or changes.
Affected Devices
It is estimated that more than 41,000 Cisco devices running the vulnerable IOS XE software may have been compromised. If you are using this software, take immediate action to secure your environment.
U.S. Cybersecurity and Infrastructure Security Agency (CISA)
The U.S. CISA has issued a warning about these vulnerabilities and the associated risks. Organizations are urged to take these warnings seriously and apply the necessary patches as soon as possible.
Conclusion
The exploitation of these vulnerabilities highlights the critical need for organizations to maintain the security of their network infrastructure. Prompt patching and vigilance in monitoring for suspicious activities are essential in mitigating these threats. Organizations of all sizes should act to safeguard their environments against these potentially devastating attacks.
Additional Considerations
- Identify and remediate affected devices: Organizations should identify all devices running the vulnerable IOS XE software and apply the patch as soon as possible. If devices cannot be patched immediately, they should be isolated from the network.
- Update security controls: Organizations should ensure that their security controls, such as firewalls and intrusion detection systems, are up to date and configured to detect and block attacks exploiting these vulnerabilities.
- Educate employees: Organizations should educate employees about the risks of these vulnerabilities and how to avoid falling victim to phishing attacks and other social engineering scams.
References:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- https://thehackernews.com/2023/10/cisco-zero-day-exploited-to-implant.html?&web_view=true
- https://kokumai.medium.com/on-cisco-zero-day-vulnerabilities-8b2ebfa254f8
- https://varutra.com/ctp/threatpost/postDetails/Thousands-of-Devices-Infected-with-Malicious-Lua-Backdoor-Exploiting-Cisco-Zero-Day-Vulnerability/dk9UZFBvSHhvNzN1MUlrMDRNMTJLUT09
- https://www.bleepingcomputer.com/news/security/number-of-hacked-cisco-ios-xe-devices-plummets-from-50k-to-hundreds/