Cisco Zero-Day: As Bad as it Gets — and No Fix 4 Weeks in

It doesn’t get worse than this: CVE-2023-20198 is rated CVSS 10.0.

The vulnerability (Cisco’s latest in a long line) has the full trifecta: an authentication bypass, granting full administrator privileges, exploitable remotely. The real scandal is that Cisco has known about it for 18 days (and the earliest known exploitation dates from 10 days before that), yet there’s still no workaround, let alone a patch!

Frankly, Cisco’s advice is classic victim blaming. In today’s SB Blogwatch, we fire up Shodan.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: STOP.

Keeping Us in Suspense

What’s the craic? Sergiu Gatlan reports—“Cisco warns of new IOS XE zero-day actively exploited”:

Still waiting for a patch
A new maximum severity authentication bypass zero-day in [Cisco] IOS XE software that lets unauthenticated attackers gain full administrator privileges and take complete control of affected routers and switches remotely. … The attacks were discovered on September 28. … Following further investigation … Cisco identified related activity dating back to September 18.

The critical vulnerability [is] tracked as CVE-2023-20198 and [is] still waiting for a patch. … “We are working non-stop to provide a software fix,” [said] Cisco’s Director for Security Communications Meredith Corley.


So it’s been going on for four weeks! How bad is it? Here’s Jai Vijayan—“No patch or workaround is currently available for the maximum severity flaw”:

Especially valuable for attackers
[It’s] a privilege escalation issue that enables complete device takeover. Cisco has assigned the vulnerability a maximum possible severity rating of 10 out of 10 on the CVSS scale.

IOS XE is the operating system that Cisco uses for its next-generation enterprise networking gear. … Zero-day bugs … that enable administrator level privileges on network technologies … are especially valuable for attackers. As … CISA and numerous others have noted, network routers, switches, firewalls, load balancers, [etc.] are ideal targets because most or all traffic must flow through them.

But surely nobody would be daft enough to expose their web UI to the internet, right? Um, about that, says Mayuresh Dani:

Based on my searches using Shodan, there are about 40,000 Cisco devices that have web UI exposed to the internet.

Ugh. Sounds like jpc0’s dazed: [You’re fired—Ed.]

I mean, a 0-day is always bad, especially a high severity one, but … the first thing I thought [was] why was it accessible from the public internet? All critical hardware’s management plane should only be accessible from a hardened jump box.

But what if you really need to admin it remotely? multimediavt advises thuswise:

Leave it LAN only access and if you need to admin something, you do it from a certificate-based VPN connection—not poking holes in a firewall.
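
Both comments above boil down to a configuration question: is the IOS XE web UI listening for anyone, or is it gated by an ACL that only admits the jump host? The audit script below is an added example, not code from the original post, from Cisco, or from either commenter. It parses a running-config for the standard `ip http server`, `ip http secure-server` and `ip http access-class` commands and the IPv4 ACL they reference (named or numbered), and reports the weak configuration beside the hardened one. The two configs it checks are constructed for illustration; the hostname, ACL name and jump-host address are assumptions.

```python
"""Audit a Cisco IOS XE running-config for web UI exposure (added example).

Assumes the standard IOS XE syntax: 'ip http server', 'ip http secure-server',
'ip http access-class [ipv4] <acl>', and named/numbered IPv4 ACLs. The sample
configs, hostnames, ACL name and jump-host address are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: web UI on HTTP and HTTPS, no source restriction at all.
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
"""

# Constructed sample: cleartext UI off, HTTPS UI reachable only from the jump host.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
no ip http server
ip http secure-server
ip http authentication local
ip http access-class ipv4 MGMT-JUMP
!
ip access-list standard MGMT-JUMP
 permit host 10.20.30.5
 deny any log
"""


@dataclass
class Finding:
    severity: str  # "high", "medium", "ok" or "info"
    message: str


def acl_entries(config: str, acl: str) -> list[str]:
    """Return the entries of an IPv4 ACL, whether named (block) or numbered (flat)."""
    entries: list[str] = []
    in_block = False
    for raw in config.splitlines():
        if in_block:
            if raw.startswith(" ") and raw.strip():
                entries.append(raw.strip())  # indented line inside the named ACL
                continue
            in_block = False  # first non-indented line closes the block
        line = raw.strip()
        if re.fullmatch(rf"ip access-list (?:standard|extended) {re.escape(acl)}", line):
            in_block = True
        elif line.startswith(f"access-list {acl} "):
            entries.append(line[len(f"access-list {acl} "):])
    return entries


def audit_web_ui(config: str) -> list[Finding]:
    """Flag cleartext UI, unrestricted UI, and permit-any ACLs on the HTTP server."""
    lines = {raw.strip() for raw in config.splitlines()}
    findings: list[Finding] = []
    http = "ip http server" in lines
    https = "ip http secure-server" in lines
    if not (http or https):
        findings.append(Finding("info", "web UI disabled (no ip http server / secure-server)"))
        return findings
    if http:
        findings.append(Finding("high", "cleartext HTTP web UI enabled; use 'no ip http server'"))
    acl = None
    for line in lines:
        m = re.fullmatch(r"ip http access-class (?:ipv4 )?(\S+)", line)
        if m:
            acl = m.group(1)
    if acl is None:
        findings.append(Finding("high", "web UI accepts connections from any source; "
                                        "add 'ip http access-class' limited to the jump host"))
        return findings
    entries = acl_entries(config, acl)
    if not entries:
        findings.append(Finding("high", f"access-class references ACL {acl!r} that is undefined "
                                        "or empty, so the restriction cannot be confirmed"))
        return findings
    permits = [e for e in entries if e.startswith("permit")]
    permit_any = re.compile(r"permit (?:ip )?(?:any|0\.0\.0\.0 255\.255\.255\.255)\b")
    if any(permit_any.match(e) for e in permits):
        findings.append(Finding("high", f"ACL {acl} permits any source; scope it to the jump host"))
    elif not permits:
        findings.append(Finding("medium", f"ACL {acl} has no permit entries; web UI is unreachable"))
    else:
        findings.append(Finding("ok", f"web UI restricted by ACL {acl} to: {', '.join(permits)}"))
    return findings


def is_hardened(config: str) -> bool:
    """True when nothing worse than 'ok'/'info' is reported."""
    return all(f.severity in ("ok", "info") for f in audit_web_ui(config))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "hardened" if is_hardened(cfg) else "NOT hardened")
        for f in audit_web_ui(cfg):
            print(f"  [{f.severity}] {f.message}")
```

Run it against real configs pulled from your devices (`show running-config`) rather than the constructed samples; the point is that an ACL on the HTTP server limits who can reach the web UI, it does not remove the vulnerability from the code, which is exactly the objection raised in the next comment.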

It’s Zero Trust month here on Security Boulevard. 42656e4d203239 runs the numbers:

So there isn’t a vulnerability when exposed to trusted networks? The vulnerability doesn’t go away just because you are connected to not(“The Internet” or “untrusted network”) — it’s still there and exploitable.

I thought the idea was to assume everything is a threat? You never know when a Trojan might be present on your intranet and happily creating level 15 access to your routers because you trusted the intranet.

This sort of thing makes it easier for the feds. Meme alleges an allegation:

[I’m] having a harder and harder time assuming this is yet another innocent mistake.

What a mess. Trust gweihir not to mince words:

Buy crappy devices, get crappy security. At this time anybody should really stay away from Cisco.

Meanwhile, jacquesm feels a whole heap of déjà vu:

It’s interesting how, when I see a headline like this one, my first response is, ‘Oh, I already saw that.’ And then I realize that it’s Cisco and it may well be another one even though the previous one is only a very short while ago.

And Finally:

Hammertime

Content warning: Some spicy language, Aaron Carter, Frosty The Snowman in October.

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Umer Sayyam (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
