Since the beginning of this year, Cisco has released 15 security advisories warning users of critical vulnerabilities impacting various products. Tracking these flaws, their exploitation in the wild, and any available patches can help network managers minimize their organizations’ risk and ease the pain of vulnerability management.
“Of the 1,022 vulnerabilities that make up the CISA KEV [Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities Catalog], 68 affect Cisco. That is 6% of all the list,” Mayuresh Dani, manager of threat research at IT security and compliance platform Qualys, tells Network Computing via email. “The biggest takeaways are ensuring that all these devices are up to date and making sure that only allow-listed sources alone can communicate with the devices.”
Network Computing delves into the details of a handful of some of the other most pressing Cisco bugs that have come to light this year.
IOS XE Zero-Day Bugs: CVE-2023-20198 and CVE-2023-2027
Oct. 16, Cisco first published a security advisory warning of multiple vulnerabilities impacting its IOS XE operating system if the web UI feature is enabled. CVE-2023-20273 has a CVSS score of 7.2 out of 10; CVE-2023-20198 scores 10.0. CISA has included them in its KEV Catalog. Threat actors are leveraging CVE-2023-20198 to gain initial access, and the second bug to escalate privileges.
Both bugs are being actively exploited; but a patch is available. Threat actors have been able to compromise more than 10,000 Cisco devices by exploiting these vulnerabilities, and more could be impacted if the company’s customers do not apply the released patch.
Callie Guenther, senior manager of cyber threat research at cybersecurity company Critical Start explains in emailed comments that “Specifically, unauthorized users have been observed creating accounts like ‘cisco_support,’ granting [attackers] total device control. The exploitation process relies heavily on HTTP POST requests, indicating that web protocols are a primary avenue of attack.”
Cisco recommends its customers disable the HTTP server feature on their internet-facing systems or only allow access for trusted source addresses, per the security advisory.
It took a few days for a patch for this critical vulnerability to be released. “Cisco was responsible. They went out and told of us, ‘Look, we are aware of this vulnerability, and you need to turn off these devices and get them [off] the internet,” says Martin Jartelius, CISO of Outpost24, a cybersecurity and risk management solutions company
BroadWorks SSO: CVE-2023-20238
Sep. 6, Cisco released a security advisory on the vulnerability tracked as CVE-2023-20238. This bug impacts the single sign-on (SSO) implementation of the company’s BroadWorks Application Delivery Platform and its BroadWorks Xtended Services Platform. BroadWorks is one of Cisco’s flagship offerings.
The bug has a worst-possible CVSS score of 10.0. There is a patch available, but no workarounds.
If remote threat actors have a valid user ID, they could forge credentials to access an affected system, according to the security advisory. Once access is gained, attackers could execute commands and commit toll fraud. With access to an administrator account, they could find confidential information and modify settings for customers and other users.
Cisco has released a patch for this vulnerability, and it notes in the security advisory that Cisco Product Security Incident Response Team (PSIRT) has not discovered any malicious exploitation.
SD-WAN vManage: CVE-2023-20214
July 12, Cisco released a security advisory detailing a SD-WAN VManage software vulnerability (CVE-2023-20214). The bug is in this software’s request authentication validation for the REST API. Remote attackers could exploit this vulnerability to “… to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance,” according to the security advisory. The vulnerability, which could allow attackers to exfiltrate data, has a CVSS score of 9.1.
Cisco released a patch to address the vulnerability. Cisco PSIRT has not found any malicious exploitation of the vulnerability, according the security advisory.
The company notes that there are no workarounds for this vulnerability in security advisory. But Cisco recommends network administrators “…enable access control lists (ACLs) to limit access to the vManage instance” to mitigate the risk associated with this vulnerability.
Industrial Network Director: CVE-2023-20036 and CVE-2023-20039
Cisco released a security advisory detailing the CVE-2023-20036 and CVE-2023-20039 vulnerabilities on April 19. The vulnerabilities impact Cisco Industrial Network Director (IND).
If exploited, CVE-2023-20036, given a CVSS score of 9.9, “could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device,” according to the security advisory. Threat actors could exploit CVE-2023-20039, given a CVSS score of 5.5, to read application data.
Cisco released updates to address the vulnerabilities, and the Cisco PSIRT reported no known exploitation of the vulnerabilities, according to the security advisory. No workarounds are available for these vulnerabilities.
Small Business Routers: CVE-2023-20025, CVE-2023-20026 and CVE-2023-20118
Jan. 11, Cisco released a security advisory on three vulnerabilities: CVE-2023-20025, CVE-2023-20026 and CVE-2023-20118. These vulnerabilities impact Cisco Small Business RV016, RV042, RV042G, RV082, RV320 and RV325 routers.
CVE-2023-20025 could allow a remote attacker to gain root access to the company’s Small Business RV016, RV042, RV042G and RV082 routers. This vulnerability has a CVSS score of 9.0, according to the advisory.
CVE-2023-20026 and CVE-2023-20118 could allow attackers to execute commands on affected RV016, RV042, RV042G, RV082, RV320 and RV325 routers. These two vulnerabilities have a CVSS score of 6.5, according to the advisory.
The security advisory was last updated on March 14. No workarounds are available, and no software updates to address these vulnerabilities will be forthcoming. But Cisco did share steps administrators can take to reduce the risk associated with these vulnerabilities. The company recommends disabling remote management and blocking access to ports 443 and 60443.
The Cisco PSIRT noted that proof-of-concept exploit code is available for CVE-2023-20025 and CVE-2023-20026, but it did not know of any malicious use, according to the security advisory.
While several of the routers impacted by these vulnerabilities are end-of-life, it is likely that many businesses still used them at the time of the security advisory release.
NetOps teams, like Spider Man, have great powers and great responsibilities. Increasingly, they are adopting a Zero Trust approach to network operations to help fight their battles.
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
