-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #679 from DIVD-NL/cisco-ios-xe
Cisco IOS-XE casefile
- Loading branch information
Showing
1 changed file
with
58 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| --- | ||
| layout: case | ||
| title: Global Cisco IOS-XE (CVE-2023-20198) Implants | ||
| excerpt: "An unknown threat actor is using a recent authentication bypass vulnerability (CVE-2023-20198) on Cisco IOS-XE to backdoor Cisco appliances worldwide. " | ||
| author: Max van der Horst | ||
| lead: Ralph Horn, Max van der Horst | ||
| researchers: | ||
| - Ralph Horn | ||
| - Max van der Horst | ||
| cves: | ||
| - CVE-2023-20198 | ||
| product: | ||
| - Cisco IOS-XE | ||
| versions: | ||
| - All versions of Cisco IOS-XE | ||
| recommendation: Disable the Cisco WebUI and remove all management interfaces from the public Internet. If you have found an implant, consider starting your Incident Response procedure. | ||
| patch_status: patch unavailable | ||
| workaround: Disable HTTP(S) management interface access or implement an Access Control List. | ||
| status : Open | ||
| start: 2023-10-17 | ||
| end: | ||
| timeline: | ||
| - start: 2023-10-17 | ||
| end: | ||
| event: "DIVD starts researching CVE-2023-20198." | ||
| - start: 2023-10-17 | ||
| end: | ||
| event: "DIVD takes note of growing level of implants." | ||
| - start: 2023-10-18 | ||
| end: | ||
| event: "DIVD starts scanning for implants." | ||
|
|
||
| # You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials) | ||
| --- | ||
| ## Summary | ||
|
|
||
| On October 16th, Cisco disclosed an authentication bypass vulnerability affecting Cisco IOS-XE appliances with CVE-ID CVE-2023-20198. An unknown threat actor is actively placing implants on the vulnerable appliances worldwide. This is a serious situation as implants allow threat actors to monitor traffic, gain access to the underlying system and move into protected networks. For additional guidance, please find the Cisco PSIRT advisory at the bottom of this page. | ||
|
|
||
| ## Recommendations | ||
|
|
||
| No patch is currently available, therefore disable HTTP(S) access to any management interfaces if possible. If HTTP(S) access is required, implement an Access Control List to limit access. | ||
|
|
||
| ## What we are doing | ||
|
|
||
| DIVD is scanning for implants on public-facing systems. Owners of such systems will receive a notification with this casefile and remediation steps. | ||
|
|
||
|
|
||
| {% comment %} Leave this here, so we see a timeline {% endcomment %} | ||
| {% include timeline.html %} | ||
|
|
||
|
|
||
| ## More information | ||
|
|
||
| * [CVE-2023-20198](https://nvd.nist.gov/vuln/detail/CVE-2023-20198) | ||
| * [VulnCheck Blog](https://vulncheck.com/blog/cisco-implants) | ||
| * [Talos Blog](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/) | ||
| * [Cisco Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) | ||
|
|