This is a follow-up from yesterday's post: https://www.wilderssecurity.com/thr...onses-and-notices.344369/page-31#post-3167456

1. BleepingComputer: Over 10,000 Cisco devices hacked in IOS XE zero-day attacks, October 17, 2023
https://www.bleepingcomputer.com/ne...co-devices-hacked-in-ios-xe-zero-day-attacks/

2. VulnCheck: Widespread Cisco IOS XE Implants in the Wild, October 17, 2023
https://vulncheck.com/blog/cisco-implants

Read more at those articles! There are more on the internet.
Cisco Security Advisory - Critical Cisco IOS XE Software Web UI Privilege Escalation Vulnerability https://sec.cloudapps.cisco.com/sec...dvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Censys: CVE-2023-20198 – Cisco IOS-XE ZeroDay
https://censys.com/cve-2023-20198-cisco-ios-xe-zeroday/
You can see there a list of the most infected countries.
See also the post by Ron: CISA Adds Two Known Exploited Vulnerabilities to Catalog
https://www.wilderssecurity.com/thr...ed-vulnerabilities.441780/page-6#post-3167972
"Cisco Rolling Out Fix for Critical Software Bug on Oct. 22

The patch fixes a serious flaw in Cisco's IOS XE software, which targets the company's routers, switches, and wireless controller products... Customers can expect Cisco to roll out the patch on Sunday, Oct. 22, the company said in an updated advisory. In addition, the vendor has identified a second flaw that hackers have been abusing to hijack affected Cisco devices..."
https://www.pcmag.com/news/cisco-rolling-out-fix-for-critical-software-bug-on-oct-22
"Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature - CVE-2023-20198 - CVE-2023-20273
Advisory ID: cisco-sa-iosxe-webui-privesc-j22SaA4z
First Published: 2023 October 16 15:00 GMT
Last Updated: 2023 October 20 16:43 GMT
Version 1.3: Interim
Workarounds: No workarounds available

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in IOS-XE. A fix has been identified and the build, test, and release process has been initiated. The first fixed software releases are estimated to post on Cisco Software Download Center on Sunday, 22 October 2023.

Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2."
https://sec.cloudapps.cisco.com/sec...dvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Read more there!
https://sec.cloudapps.cisco.com/sec...dvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
At the moment I don't see that article updated yet. But it is still 22 Oct 2023. Let us know if/when there is an update, a fix released, more news etc.
https://sec.cloudapps.cisco.com/sec...dvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Article Last Updated: 2023 October 22 16:45 GMT
Version 1.4: Interim
Scroll down to Fixed Releases. You will see there a table of the versions fixed as of now.

=====

Software Fix Availability for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198
Updated: October 22, 2023
https://www.cisco.com/c/en/us/suppo...-software-fix-availability-for-cisco-ios.html
That site has a much more detailed list.
BleepingComputer: Number of hacked Cisco IOS XE devices plummets from 50K to hundreds
By Lawrence Abrams - October 22, 2023
https://www.bleepingcomputer.com/ne...ios-xe-devices-plummets-from-50k-to-hundreds/
The article at BleepingComputer was updated at 12:16 PM EDT about the "mysteriously plummets from over 50,000 impacted devices to only a few hundred". See reply #10 here in this thread.
Some more about the "mysteriously plummets from over 50,000 impacted devices to only a few hundred".

1. PC Mag UK - Oct 23, 2023: Group Behind Cisco Device Hijackings Changes Tactics to Evade Detection
https://uk.pcmag.com/security/14927...hijackings-changes-tactics-to-evade-detection

2. Fox-IT
https://github.com/fox-it/cisco-ios-xe-implant-detection

Read more there!!
Several articles have been updated:

1. Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
https://sec.cloudapps.cisco.com/sec...dvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Last Updated: 2023 October 23 19:59 GMT
Version 2.0: Interim
Scroll down for Version history.

2. Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/

3. Hackers update Cisco IOS XE backdoor to hide infected devices
https://www.bleepingcomputer.com/ne...sco-ios-xe-backdoor-to-hide-infected-devices/

Read more there! And the new curl command is given.
Fox-IT
https://github.com/fox-it/cisco-ios-xe-implant-detection
Last updated on 24 Oct 2023
An alternate method for Cisco IOS XE implant scanning is given there.
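The two implant probes the posts above refer to (the curl check from the Cisco advisory, and Fox-IT's alternate method that sends an Authorization header after the implant was updated to hide from the original check) modelled in Python. This is an added example, not code from Cisco, Fox-IT or anyone in this thread. It assumes the probe path and the 18-character hexadecimal reply from Cisco's advisory; the header value is assumed to be the one published in the Fox-IT repository (check it against the repository before relying on it). The fake_device responses are constructed for the demonstration, not real captures.

```python
"""Offline model of the Cisco / Fox-IT IOS XE implant probes (added example)."""
import re
import ssl
import urllib.error
import urllib.request
from typing import Callable, Optional

# Probe path from Cisco's advisory: the web UI implant answers a POST to this
# path with an 18-character hexadecimal string; a clean device does not.
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# Fox-IT's alternate method: the updated implant only answers when this
# Authorization header is present.
# ASSUMPTION: value as published in the Fox-IT repository; verify it there.
FOXIT_AUTH_VALUE = "0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"

_HEX18 = re.compile(r"^[0-9a-fA-F]{18}$")


def looks_like_implant(body: str) -> bool:
    """True when the response body is exactly an 18-char hex string."""
    return bool(_HEX18.match(body.strip()))


def probe(host: str, auth_value: Optional[str] = None, timeout: float = 5.0) -> str:
    """POST the probe to one device (equivalent of `curl -k -X POST`); return the body."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # device certificates are usually self-signed
    ctx.verify_mode = ssl.CERT_NONE  # same as curl -k
    req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", data=b"", method="POST")
    if auth_value is not None:
        req.add_header("Authorization", auth_value)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # a 404 page or similar still carries a body worth inspecting
        return exc.read().decode("utf-8", errors="replace")


def classify(fetch: Callable[[Optional[str]], str]) -> str:
    """Run the original probe, then the header probe; fetch(auth_value) returns a body."""
    if looks_like_implant(fetch(None)):
        return "implant (original, answers without header)"
    if looks_like_implant(fetch(FOXIT_AUTH_VALUE)):
        return "implant (updated, hidden behind Authorization header)"
    return "no implant response"


def check_device(host: str) -> str:
    """Live check of one device; only the original check would miss the updated implant."""
    return classify(lambda auth: probe(host, auth))


def fake_device(original: bool, updated: bool) -> Callable[[Optional[str]], str]:
    """Constructed responses standing in for a device (not real captures)."""
    def fetch(auth: Optional[str]) -> str:
        if original or (updated and auth == FOXIT_AUTH_VALUE):
            return "0123456789abcdef01\n"
        return "<html><body>404 Not Found</body></html>"
    return fetch


if __name__ == "__main__":
    devices = {
        "device-A": fake_device(original=True, updated=False),
        "device-B": fake_device(original=False, updated=True),
        "device-C": fake_device(original=False, updated=False),
    }
    for name, dev in devices.items():
        print(f"{name}: {classify(dev)}")
```

Running the module prints one line per constructed device; device-B is the case the posts above describe, where the original check alone reports nothing while the header probe still gets the hex reply. Replace the fake devices with `check_device("<ip-or-hostname>")` against your own equipment only.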
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
https://sec.cloudapps.cisco.com/sec...dvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Last updated 2023 October 25 18:01 GMT
Version 2.1

Version History (scroll down):
Version 2.1
Description: Updated summary to indicate SMU availability. Updated fixed software with SMU availability table.
Section: Summary, Fixed Software
Status: Interim
Date: 2023-OCT-25
Censys: Cisco IOS XE: Ten days later, October 26, 2023
https://censys.com/cisco-ios-xe-ten-days-later/
Read more there.
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
https://sec.cloudapps.cisco.com/sec...dvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
There were two updates: version 2.2 and 2.3. For the Revision History scroll down there. It gives: version number, description, section, status, date.
And here my info posts from https://sec.cloudapps.cisco.com/sec...dvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z stop. Suddenly you need to log on there. Cisco doesn't want the world to know about all the issues...?
Fox-IT
https://github.com/fox-it/cisco-ios-xe-implant-detection
Last updated on 31 Oct 2023
Read more there.