Cisco Zero-day Vulnerability (16th October 2023)

On Monday 16th October 2023 Cisco released a security advisory to address the critical (10.0) rated vulnerability affecting the Cisco IOS XE Web UI which is used on many models of Cisco switches and wireless controllers. Exploitation of this vulnerability and subsequent vulnerabilities (including CVE-2021-1435 and an as yet unknown vulnerability) allows the threat actor to execute arbitrary commands including the creation of administrator level accounts allowing complete device take over. Information from Cisco appears to indicate that exploitation has been limited in scope; however, once a patch is available it is likely that additional threat actors will reverse engineer the patch and attempt to use the exploit in broader attacks.

Our recommended immediate actions are:

• Disable the HTTP/HTTPS interface for any Cisco equipment running IOS XE that is accessible from untrusted networks.
• Where wireless controllers use the captive portal function disabling this feature will also disable the captive portal, here we recommend organisations conduct a risk assessment/business impact assessment and use the outcome to establish if disabling the interface at this time is warranted.
• Conduct log review against the provided indicators of compromise.

Once a patch is available, we recommend customers immediately apply it to systems that are accessible from untrusted networks.

Customers with Palo Alto Networks Next Generation Firewalls can check for exploit of CVE-2021-1435 at Monitor > Threat and running the search query below. Note that vulnerability protection will need to be enabled to detect exploitation and the detection is only effective for attempts against the HTTP interface unless inbound traffic decryption is enabled.

(threatid eq 94454)

Cisco Talos provides further indicators of compromise in their blog post linked below, organisations who collect traffic flow logs, network switch logs, and URL logs can leverage these to establish if they have been impacted.

Our recommended long-term actions are:

• Deploy network firewalls between the management interface of all network equipment (including network switches and wireless controllers) and all other networks, permitting the minimum level of access required (ideally based on rules using user identification).
• Configure centralised logging from sources that might capture relevant indicators of compromise (network traffic flows/IDS/management activity logs).

For further information see:

• Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
• Cisco Talos Report: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
• NCSC article on the protection of management interfaces: https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces

If you have any questions on anything included in this blog post or on the vulnerability itself, we will be more than happy to help. If you’re an existing customer, please reach out to your account manager directly. If not, there are two ways of contacting us:

• Email: enquiries@ansecurity.com
• Telephone: 0845 226 0462