top of page

Cisco Patches Exploited Zero-Day Vulnerabilities (CVE-2023-20198)

Cisco has taken swift action to address a critical vulnerability in its IOS XE software, which had been widely exploited in recent cyberattacks. In an update to its advisory, Cisco announced the release of the first set of patches to tackle this serious security issue.

The advisory outlines plans for addressing three additional versions of IOS XE in forthcoming updates, although specific release dates for these patches have not yet been disclosed.

Security researchers have revealed that tens of thousands of IOS XE devices fell victim to the attacks last week, underlining the urgency of these patches.

The primary focus of the patch is to rectify a critical privilege-escalation vulnerability, designated CVE-2023-20198, which was initially disclosed by Cisco on October 16 as a zero-day vulnerability. This vulnerability allowed malicious actors to gain initial access and create a local user account with elevated privileges, effectively enabling them to log in with normal user access.

The severity rating for CVE-2023-20198 is a maximum 10.0 out of 10.0, highlighting the gravity of the issue.

In addition to addressing the privilege-escalation vulnerability, the patch also tackles a second zero-day flaw, CVE-2023-20273, which, although less severe, still played a role in the attacks. Cisco revealed that attackers combined both vulnerabilities to bypass security measures. CVE-2023-20273 earned a severity rating of 7.2 out of 10.0, and it allowed attackers to elevate their privilege to root and deploy the malicious implant to the file system.

Cisco's IOS XE is widely used across various devices, including enterprise switches, routers, access points, and wireless controllers, making it critical to address these vulnerabilities promptly. These devices are often deployed in edge environments, making them essential components of network infrastructure across diverse industries. Paul Laudanski, Director of Security Research, Onapsis, shared tips for organizations to help them avoid becoming a victim of a zero-day attack. "CISA, the FBI, and other organizations have recently published guidance on attacks and vulnerabilities in general, adhering to monitoring, detection, and vulnerability management. Rather than just locking down access, organizations should take a step further ensuring there is a time constraint on that access. Organizations should introduce additional layers of defense while monitoring for static and dynamic access and behaviors. This includes lateral movement, privilege escalation, network access, web access, and tracking the source of origin in comparison to what is being accessed. It is also important to update your organization's threat intelligence and deploy against network monitoring, like DNS monitoring. This approach requires security practitioners who are well-versed in today's ever-evolving threat landscape and who are empowered with the tools and budget to protect their company assets.

In addition, these are the three steps to respond to zero-day attacks:

  1. Detection: Although IOS XE zero-day is a specific vulnerability making the press right now, the standard SOC-type activity includes monitoring and detecting abnormal activity and behavior. Organizations need to ensure they map out their threat landscape, internal and external, understand what endpoints are accessible externally, and ensure proper threat modeling has taken place. During this assessment, organizations can understand what to monitor and detect. Detection can use standard specific attack methods and machine learning models to pick up abnormalities.

  2. Allowlist: Identify external endpoints and lock them down if they are restricted to admin or privileged access. For devices like this, limit any admin public access to trusted IP spaces. It is far easier to manage an allowlist than it is to manage a denylist.

  3. Vulnerability management: Have a program in place not just to monitor for threats, but to actively pursue red teaming exercises on your organization's externally accessible assets, as well as understand what those assets are vulnerable to."



bottom of page