Cisco Sets Imminent Date For IOS XE Patch

The company says it’s planning on Oct. 22 to release a patch to fix the critical vulnerability as well as a second zero-day flaw that’s been exploited in attacks.


Cisco said Friday it will release a patch for the critical zero-day IOS XE vulnerability on Oct. 22, and disclosed details on another previously unknown flaw that has played a role in the attacks.

The second zero-day vulnerability comes with a lower severity rating but has also been exploited in the widespread attacks against IOS XE customers, Cisco said in an update to its advisory.

The fixes that are planned for release on Oct. 22 will address both of the zero-day vulnerabilities in Cisco’s widely used IOS XE networking software platform.

Researchers say tens of thousands of IOS XE devices have been compromised in the attacks this week. Cybersecurity firm Censys said Thursday that it appears the number of infected devices had peaked—at roughly 42,000—and the number of compromised devices is now declining as administrators take recommended measures.

The ETA for the patch addresses one of the many unanswered questions about the IOS XE attacks. And there’s also now a clearer picture of the attack chain used by threat actors to target IOS XE customers, thanks to Cisco’s update Friday.

“Through ongoing investigation, we uncovered the attacker combined two vulnerabilities to bypass security measures (the first for initial access and the second to elevate privilege once authenticated),” the company said in a statement provided to CRN.

“We have now identified a fix that covers both vulnerabilities and estimate initial releases will be available to customers starting October 22,” Cisco said.

First disclosed Oct. 16 by Cisco as a zero-day vulnerability, the original flaw enables a malicious actor to “gain initial access and issued a privilege 15 command to create a local user and password combination,” the company said in its advisory. “This allowed the user to log in with normal user access.”

The vulnerability (tracked as CVE-2023-20198) has been awarded the maximum severity rating, 10.0 out of 10.0.

The newly disclosed vulnerability, tracked as CVE-2023-20273, has received a severity rating of 7.2 out of 10.0, Cisco said. Utilizing the flaw, “the attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system,” the company said.

Widespread Impact

Along with widely used enterprise switches in the Cisco Catalyst 9000 line, IOS XE also is used to run numerous other types of devices, many of which often run in edge environments. Those include branch routers, industrial routers and aggregation routers, as well as Catalyst 9100 access points and “IoT-ready” Catalyst 9800 wireless controllers.

The Cisco IOS XE attacks are on track to be one of the most significant attacks against IT hardware of the year, perhaps rivaling only the Barracuda Email Security Gateway attacks from mid-2023, said Caitlin Condon, head of vulnerability research at cybersecurity vendor Rapid7.

Cisco has said that an access restriction measure it has shared is effective at stopping exploits of the vulnerability in IOS XE.

The company has “high confidence” that “access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation,” Cisco said in an update to its advisory Oct. 17.
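The access-list mitigation Cisco describes above can be expressed as a short IOS XE configuration. The following is an added example, not text from the CRN article or from Cisco's advisory: the management subnet 192.0.2.0/24 and the ACL name WEBUI-MGMT are assumptions chosen for illustration, and the `ip http access-class ipv4 <name>` form is the named-ACL syntax of recent IOS XE releases (older releases take a numbered standard ACL instead).

```text
! Added example (not from the CRN article or Cisco's advisory): restrict the
! IOS XE HTTP/HTTPS server to a management subnet. The subnet 192.0.2.0/24 and
! the ACL name WEBUI-MGMT are assumptions for illustration.
!
! Hosts allowed to reach the web UI; everything else is denied and logged.
ip access-list standard WEBUI-MGMT
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Bind the ACL to the HTTP Server feature (the mitigation Cisco describes).
ip http access-class ipv4 WEBUI-MGMT
!
! If the web UI is not needed at all, disabling the service removes the
! exposed component entirely:
! no ip http server
! no ip http secure-server
!
! Verification from exec mode: confirm the ACL is attached, and review the
! local accounts, since the article notes that attacker-created users survive
! a reboot even though the implant does not.
! show running-config | include ip http
! show running-config | include username
```

The ACL limits who can reach the web UI going forward; it does not undo anything already done on a compromised device, so the local user review is the part that matters for devices that were exposed before the restriction was applied.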

Lingering Questions

As part of the IOS XE attacks, the implants installed by threat actors do not have what’s known as “persistence” on a device, meaning that they are eliminated when the device is rebooted.

However, the accounts created by attackers are not removed, raising the question of whether they may continue to have administrator access even after a reboot.

And because the full attack chain is still unknown, a big question is whether a device can easily be re-compromised, Rapid7’s Condon told CRN. “Can it be re-implanted?”

In the intrusions investigated by Rapid7 researchers, the team identified some variation in the techniques used, Condon noted. The researchers also determined that in a few cases, a customer environment was exploited multiple times in the same day. The findings were disclosed in a post from Condon on the Rapid7 blog earlier this week.

“We can’t say for sure that this might be more than one threat actor, but that’s something that’s on our mind,” she told CRN. “It’s possible.”

Attribution TBD

There’s been no attribution for the attacks so far and little evidence about what the threat actor, or threat actors, are trying to accomplish.

“I’m sure that eventually, whether it takes weeks or longer, we’re going to have [an attribution] and what we think they were after,” Condon said. “I’m sure we’re going to see country names in some of these articles.”

In all likelihood, “we’re going to learn that this is a skilled attacker who had orchestrated this action, whether it’s one attacker or multiple who were using similar techniques,” she said.