S-RM has identified an active exploitation of a critical vulnerability affecting Cisco IOS XE products. Cisco IOS XE is an operating system used on Cisco networking appliances such as routers and switches.
On 16 October 2023, NIST published the vulnerability (CVE-2023-20198) and assigned it a criticality score of CVSS 10, the highest level of criticality possible. Given the widespread use of Cisco IOS XE products, we assess that this vulnerability could have a significant impact and could become widely exploited by threat actors to gain access to client environments. According to Cisco, this vulnerability has been actively exploited in the wild since 18 September 2023. Additional details can be found here.
Currently there is no patch for this vulnerability.
We recommend that if your organisation uses Cisco appliances running IOS XE, you urgently confirm whether these appliances have or have had the HTTP or HTTPS interface enabled. If these interfaces are enabled, and the appliance is publicly accessible from the internet, we recommend that you immediately disable both HTTP and HTTPS interfaces.
Furthermore, Cisco have identified several indicators of compromise associated with the exploitation of this vulnerability. If you do or did have Cisco IOS XE products publicly exposed since 18 September 2023, you should search for these indicators to confirm that your appliance has not already been compromised. This includes:
1. Any suspicious activity from these accounts:
- cisco_tac_admin
- cisco_support
- any other unrecognised account
2. Activity originating from the following IP addresses.
- 5.149.249[.]74
- 154.53.56[.]231
3. The file: cisco_service.conf (potentially located at the following path: /usr/binos/conf/nginx-conf/cisco_service.conf)
- The presence of the file name cisco_service.conf on the relevant appliance.
- Reference to the cisco_service.conf file name in any logs on the appliance.
4. Suspicious activity in the system logs.
- “%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line”
- This entry would be recorded in the system logs if a user accesses the HTTP/S interface from the internet. If present, verify whether it is expected or not.
- “%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success”
- This entry would be recorded in the system logs if a user successfully logged in through the interface. If present, verify whether the user account and IP address are legitimate and expected.
- “%WEBUI-6-INSTALL_OPERATION_INFO: “
- This entry would be recorded in the system logs if any files were successfully installed on the system. Review which files are listed in the specific entry and confirm whether they are legitimate and expected.
If you identify any of these indicators of compromise on your network, or would like any advice on how to remediate a compromise, please reach out to our incident response hotline at cyberir@s-rminform.com.
