Hackers hijacked IOS XE, Cisco Releases Emergency Patch

Carding 4 Carders

Experts record a sharp decline in the number of infected devices, but there is a catch.

Cisco has started to address the two critical zero-day vulnerabilities (CVE-2023-20198 and CVE-2023-20273) that we reported on a few days ago. Over the past week attackers have actively exploited the flaws to compromise more than 50,000 Cisco IOS XE devices.

Cisco tracks both vulnerabilities under the bug identifier "CSCwh87343"; both are located in the web UI of devices running IOS XE software. CVE-2023-20198 carries the maximum CVSS severity rating of 10.0, while CVE-2023-20273 is rated 7.2.

The company announced that the vulnerabilities are fixed in IOS XE release 17.9.4a, which can be downloaded from the official Cisco website. Fixed builds for the 17.6, 17.3, and 16.12 release trains will follow.

The network hardware vendor reports that the attackers first exploited the critical vulnerability to gain access to the device, and then "executed a command with privilege 15" to create a local user account.

On Cisco devices, command authorization is governed by privilege levels 0 to 15: level 0 provides only five basic commands (disable, enable, exit, help, and logout), while level 15 is the most privileged level and grants full control over the device.

Using the newly created account, the attackers then exploited CVE-2023-20273 to execute commands as "root" and wrote a malicious implant to the device's file system.

Cisco warns that both vulnerabilities can be exploited only when the web UI feature (the HTTP server) is enabled, which is done with the "ip http server" or "ip http secure-server" commands.

Administrators can check whether the feature is active by running the command "show running-config | include ip http server|secure|active", which searches the global configuration for the "ip http server" and "ip http secure-server" commands.

"The presence of one or both commands in the system configuration indicates that the web interface feature is enabled," Cisco says.

After CVE-2023-20198 was disclosed, researchers began scanning the Internet for compromised devices. Over the weekend the number of visibly hacked devices plummeted from roughly 60,000 to several hundred. According to researchers from Fox-IT, the reason for the sharp drop is that the malicious code on tens of thousands of devices "was changed to check the value of the HTTP authorization header before responding", so the real number of infected devices did not change at all.

Researchers advise administrators of IOS XE systems to check their devices for malicious code, as well as to update them to the latest version without fail.
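The following script is an added example, not code from the article or from Cisco: it takes the text of "show running-config" (here a constructed sample; the hostname and usernames are invented) and applies the same "include" filter the article's CLI check uses, then interprets the result the way the advisory does. Two details a practitioner wants beyond the raw grep: Cisco's advisory notes that "ip http active-session-modules none" and "ip http secure-active-session-modules none" take the web UI off the HTTP and HTTPS listeners respectively, so their presence changes the exposure verdict; and because the attackers' first step was creating a privilege-15 local account, the script also lists every privilege-15 username so it can be compared with an operator-maintained allow-list (the allow-list is an assumption of this example).

```python
import re

# Constructed sample "show running-config" output for this example
# (not captured from a real device; names and hashes are invented).
SAMPLE_CONFIG = """\
!
version 17.9
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
username helpdesk privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http active-session-modules none
!
line vty 0 4
 transport input ssh
!
"""

# The filter from the article's check:
#   show running-config | include ip http server|secure|active
# IOS applies the regex per line, so the alternation matches any line
# containing "ip http server", or "secure", or "active".
INCLUDE_FILTER = re.compile(r"ip http server|secure|active")
USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def filter_like_include(config_text):
    """Return the lines the CLI 'include' filter would print."""
    return [ln for ln in config_text.splitlines() if INCLUDE_FILTER.search(ln)]


def audit_web_ui(config_text):
    """Interpret the config: is the web UI enabled, and is it reachable?"""
    lines = {ln.strip() for ln in config_text.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    # Per Cisco's advisory these lines disable the web UI on the given
    # listener even though the server command is still present.
    http_exposed = http_on and "ip http active-session-modules none" not in lines
    https_exposed = https_on and "ip http secure-active-session-modules none" not in lines

    priv15_users = []
    for ln in config_text.splitlines():
        m = USER_RE.match(ln)
        if m and int(m.group(2)) == 15:
            priv15_users.append(m.group(1))

    return {
        "http_server": http_on,
        "https_server": https_on,
        "web_ui_exposed_http": http_exposed,
        "web_ui_exposed_https": https_exposed,
        "privilege_15_users": priv15_users,
    }


def unexpected_admins(config_text, expected_admins):
    """Privilege-15 local accounts absent from the operator's allow-list
    (the allow-list is an assumption of this example)."""
    found = set(audit_web_ui(config_text)["privilege_15_users"])
    return sorted(found - set(expected_admins))


if __name__ == "__main__":
    for ln in filter_like_include(SAMPLE_CONFIG):
        print("matched:", ln)
    report = audit_web_ui(SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("unexpected privilege-15 accounts:",
          unexpected_admins(SAMPLE_CONFIG, ["netops"]))
```

On the sample, the filter prints three lines; the audit reports that HTTPS is still exposed (so the device should be patched or the web UI disabled), that HTTP is not, and that "svc_backup" is a privilege-15 account not on the allow-list and therefore worth investigating.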