Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices.
Cisco released patches for most releases of its IOS XE software, but thousands of systems continue to be compromised, internet scans show.
CVE-2023-20198 exploit details
Researchers at Horizon3.ai, a company providing security assessment services, have shared details on how an attacker can bypass authentication on Cisco IOS XE devices vulnerable to CVE-2023-20198.
In a technical report today, the researchers show how hackers can exploit the maximum-severity security issue to create a new user with level 15 privileges that provide complete control over the device.
The creation of the exploit was possible using information captured from a honeypot set up by SECUINFRA’s team for digital forensics and incident response engagements.
Horizon3.ai explains that an attacker can encode an HTTP request to the Web Services Management Agent (WMSA) service in iosd, a powerful binary in Cisco’s IOS XE that can generate the configuration file for OpenResty (an Nginx-based server with support for Lua scripting) used by the webui service vulnerable to CVE-2023-20198.
“The crux of this vulnerability is in the first line of this request POST /%2577ebui_wsma_HTTP. This clever encoding of webui_wsma_http bypasses the Nginx matches discussed in the previous post and allows us to reach the WMSA service in iosd” - Horizon3.ai
The WSMA allows executing commands through SOAP requests, including ones that give access to the configuration feature that enables creating a user with full privileges on the system.
Testing their exploit code, the researchers were able to create a new user with administrative permissions (level 15 privileges) visible in the device’s management interface.

source: Horizon3.ai
The researchers note that from this point an attacker has full control over the device and could write malicious implants to disk without needing to exploit another vulnerability.
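The bypass described above works because the front-end Nginx match operates on the literal request line while iosd sees the decoded path. A defender reviewing web server logs therefore has to decode the request path repeatedly before comparing it against the sensitive endpoint. The following detection script is an added example written for this article, not code from Horizon3.ai or Cisco: it assumes an Nginx combined-format access log has been exported from the device (the sample lines are constructed), percent-decodes each path until it stops changing, and flags any request that resolves to the webui_wsma endpoint, reporting how many decoding rounds were needed so that a doubly encoded request (like the one quoted above) stands out from a plain one.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Nginx combined format. These are NOT
# real captures; the first line mirrors the encoded request line quoted
# in the Horizon3.ai write-up, the rest are ordinary traffic for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2023:10:01:12 +0000] "POST /%2577ebui_wsma_HTTP HTTP/1.1" 200 512
10.0.0.5 - - [17/Oct/2023:10:01:13 +0000] "POST /%77ebui_wsma_http HTTP/1.1" 200 512
10.0.0.9 - - [17/Oct/2023:10:02:00 +0000] "GET /webui/ HTTP/1.1" 200 3021
10.0.0.9 - - [17/Oct/2023:10:02:01 +0000] "GET /static/logo.png HTTP/1.1" 200 880
"""

# Minimal parser for the combined log format: client IP, timestamp,
# method, raw request path and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Substring that identifies the WSMA endpoint after decoding. The page names
# webui_wsma_http; matching on the shorter prefix is an assumption made so
# that the check does not depend on the exact suffix.
WATCHED_MARKER = "webui_wsma"


def normalize_path(path, max_rounds=3):
    """Percent-decode `path` until it stops changing.

    Returns (lower-cased decoded path, number of decoding rounds applied).
    A bounded loop avoids spinning on pathological input; three rounds is
    plenty to expose double encoding such as %2577 -> %77 -> 'w'.
    """
    current = path
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current.lower(), rounds


def flag_line(line):
    """Return a finding dict if the request reaches the WSMA endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded_path, rounds = normalize_path(m.group("path"))
    if WATCHED_MARKER not in decoded_path:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "raw_path": m.group("path"),
        "decoded_path": decoded_path,
        "decode_rounds": rounds,
        # More than one round means the attacker encoded the percent sign
        # itself, which is exactly what defeats a literal Nginx location match.
        "double_encoded": rounds > 1,
    }


def scan(log_text):
    """Run flag_line over every line of a log export and collect the hits."""
    return [f for f in (flag_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the first two constructed lines are reported; the legitimate `/webui/` request is not, because the check is made on the fully decoded path rather than on a literal string match of the raw request line, which is the very mismatch the exploit relies on.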
Cisco IOS XE backdoors come alive
LeakIX, an intelligence platform for exposed online services, confirmed that the exploit that Secuinfra also observed could successfully hijack Cisco IOS XE devices.
In addition, LeakIX's Cisco IOS XE honeypots were awoken by the threat actors, allowing researchers to see commands executed on devices.

source: LeakIX
In a PCAP file of the session shared with BleepingComputer, we can see the attackers execute the following commands:
show ip interface brief
show ip dns view
show ip name-servers
These are all commands that serve reconnaissance purposes, to collect information that would lead to the discovery of high-value targets.
Cisco patches more IOS XE versions
Cisco has updated its security bulletin for CVE-2023-20198 on October 30, announcing updates for IOS XE that address the vulnerability.
At the moment, version 17.3 of the software is the only one still affected by the security issue, as a new release is yet to become available. The company has also addressed the issue in Software Maintenance Updates (SMUs).
Cisco IOS XE release train | First fixed release | Available
17.9 | 17.9.4a | Yes
17.6 | 17.6.6a | Yes
17.3 | 17.3.8a | TBD
16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | Yes
The new software releases are available from the company’s Software Download Center.
Thousands of devices likely still hacked
Threat actors started exploiting CVE-2023-20198 while it was a zero-day, before Cisco disclosed it on October 16.
Ten days after that, on October 25, the Censys platform for threat hunting found about 28,000 Cisco IOS XE hosts showing signs of compromise spread all over the world.
According to Censys’ findings, many of the hacked devices are at major telecommunications and internet providers offering their services country-wide.
Initial estimates after Cisco disclosed that the vulnerability was being exploited in the wild counted about 10,000 devices that were running a malicious implant.
By the end of the week, internet scans showed that the implant was present on about 60,000 Cisco IOS XE devices exposed on the public internet.
The number dropped abruptly soon after, as many of the hacked devices became invisible when the threat actor altered the malicious code to check for an Authorization header before responding.
Researchers at cybersecurity company Fox-IT came up with a scanning method adjusted to the change that revealed close to 38,000 compromised Cisco IOS XE hosts on October 23.