Another Day, Another Exploit
October 20, 2023
When someone says “look at that ten” I kinda hope they’re talking about me and not about the latest Cisco exploit (CVE-2023-20198).
This one seems bad. It’s an easy to implement exploit, and the vulnerability is likely present on public facing routers.
With BackBox IntelliChecks you can easily detect this vulnerability (and mitigate it if you chose to do so).
It’s being reported that this vulnerability is being actively exploited, so you might even like to download the free BackBox trial and use the product to get this one patched (even if you’re not a customer).
You can use the video below that walks you through step-by-step how to find and remediate this vulnerability.
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
There’s no update available yet to patch this, but the mitigation recommendation is to turn off the HTTP Server on all internet-facing systems.
It’s worth reading Cisco’s security advisory because it tells you the details of how to determine if you’re vulnerable or have been compromised.
The BackBox Solution
We wrote an IntelliCheck that checks Cisco devices to determine if they’re vulnerable. If they are, we can apply the mitigation mentioned in the Cisco security brief. Basically, we’ve automated what Cisco says to do in their security advisory.
If you want to download the IntelliCheck signatures that find and remediate this vulnerability you can get do so from our Customer Center Knowledge Base (you don’t have to be a customer to do so).
IntelliChecks are context-aware automations that have the possibility of remediation. You can run it against your whole network and it’ll only run on appropriate Cisco devices.
Once run, you can automatically remediate or create a report to show where you’re vulnerable. If you’re not auto-remediating, the report can be used as a plan to go in and manually remediate the vulnerability.
In fact, it’s likely you’d want create that report even if you’ve remediated the vulnerability to share with compliance and security teams so that they know you’ve fixed the issue.
In the video above we walk you through step-by-step how to import the signatures you downloaded from our support center, and run them to find and remediate the vulnerability. You’ll note that we setup a second job for remediation when it could have been part of the first. We did that to make the video instructions super clear, and because sometimes people want to do remediation during a maintenance window but want to know if they’re exposed right away.