Cisco has released fixes to address two vulnerabilities – CVE-2023-20198 and CVE-2023-20273 – that hackers exploited to compromise tens of thousands of IOS XE devices.
CVE-2023-20198 could allow a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. CVE-2023-20198 has been assigned a CVSS Score of 10.0.
CVE-2023-20273 could enable a remote, authenticated attacker to inject arbitrary commands as the root user. CVE-2023-20273 has been assigned a CVSS Score of 7.2.
The UK National Cyber Security Centre (NCSC) urged organisations to mitigate the Cisco IOS XE vulnerabilities and follow vendor best practices. The NCSC said it is working with UK organisations known to be impacted and has notified affected businesses signed up to the NCSC Early Warning service.
Vulnerabilities affect Cisco IOS XE Software if the web UI feature is enabled
CVE-2023-20198 and CVE-2023-20273 affect Cisco IOS XE Software if the web UI feature is enabled, Cisco said in its advisory. The web UI is an embedded GUI-based system-management tool that provides the ability to provision the system, to simplify system deployment and manageability, and to enhance the user experience. The web UI feature is enabled through the ip http server or ip http secure-server commands.
“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the company wrote. “To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode.” If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature, Cisco added.
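The following script is an added example, not code from Cisco or the NCSC: it reads running-config text and reports whether the web UI is disabled, restricted to trusted addresses, or exposed, so an operator can check a fleet of IOS XE devices against the mitigation quoted above. The three configs, the 10.10.0.0/16 management range and the ACL name MGMT-ONLY are constructed sample values.

```python
import re

# Constructed "show running-config" excerpts (not captured from a real device).
EXPOSED_CONFIG = """\
hostname edge-router
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Both services negated, as Cisco recommends for internet-facing systems.
HARDENED_CONFIG = """\
hostname edge-router
!
no ip http server
no ip http secure-server
!
"""

# Web UI left on but reachable only from an assumed management network.
RESTRICTED_CONFIG = """\
hostname edge-router
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.255.255
 deny   any
!
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

# Match "ip http server" / "ip http secure-server", with or without "no".
HTTP_RE = re.compile(r"^(no )?ip http (server|secure-server)\s*$", re.M)
ACCESS_CLASS_RE = re.compile(r"^ip http access-class\b", re.M)

def web_ui_status(running_config: str) -> dict:
    """Classify web UI exposure as disabled, restricted or exposed."""
    enabled = {svc for negated, svc in HTTP_RE.findall(running_config) if not negated}
    restricted = bool(ACCESS_CLASS_RE.search(running_config))
    verdict = "disabled" if not enabled else "restricted" if restricted else "exposed"
    return {"enabled": sorted(enabled), "access_class": restricted, "verdict": verdict}

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)]:
        print(name, web_ui_status(cfg))
```

A device reported as "restricted" still runs the web UI; the quoted guidance treats disabling it as the first choice for internet-facing systems.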