Exploitation of Cisco IOS XE vulnerabilities affecting UK organisations
What has happened?
Cisco has published an updated advisory detailing two vulnerabilities in the web UI feature of Cisco IOS XE software. Both are being actively exploited, and they are being chained together.
CVE-2023-20198 – A remote, unauthenticated attacker could use the web UI to create a local account on an affected device with privilege level 15 (full administrative) access. The attacker can then use that account to take control of the device.
CVE-2023-20273 – A remote, authenticated attacker could inject arbitrary commands that run as the root user. In the observed attacks, the account created via CVE-2023-20198 is used to exploit this second flaw and install an implant on the device.
The NCSC is working with UK organisations known to be impacted and has notified affected UK organisations signed up to the NCSC Early Warning service.
Who is affected?
Organisations using Cisco IOS XE devices, particularly where the web UI (HTTP Server feature) is reachable from the internet or other untrusted networks.
The NCSC will continue to monitor the impact of these vulnerabilities on UK organisations.
What should I do?
The NCSC recommends following vendor best-practice advice to mitigate vulnerabilities. If you use Cisco IOS XE devices, you should take these priority actions:
- Check for compromise using the detection steps and indicators of compromise (IoCs) detailed in the Cisco advisory. Local user accounts created by an attacker persist across a reboot, so review the configured local users as well as checking for the implant.
- If you believe you have been compromised and are in the UK, you should report it to the NCSC.
- Disable the HTTP Server feature ("no ip http server" and "no ip http secure-server") on all internet-facing devices, or restrict access to the web UI to trusted networks using an HTTP access-class. Save the running configuration afterwards so the change survives a reboot.
- Upgrade to a fixed Cisco IOS XE release. Fixed releases are listed in the Cisco advisory; monitor that advisory for the latest information and software updates. Upgrading alone does not remove accounts or files an attacker has already added, so complete the compromise check first.
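The following script is an added example of the two checks above run offline against an exported syslog and a saved running-config; it is not NCSC or Cisco code. The log message types it matches (a configuration change made by the process SEP_webui_wsma_http, and a WEBUI-6-INSTALL_OPERATION_INFO file install) are the indicators Cisco published for this campaign. The hostname, timestamps, username, file name and configuration lines in the samples are constructed for the example, and the function names are the author's own.

```shell
#!/bin/sh
# Added example: offline triage of an IOS XE syslog export and running-config.
# Not NCSC or Cisco code. The two log message types matched below are the
# indicators Cisco published for the CVE-2023-20198 / CVE-2023-20273 campaign:
#   %SYS-5-CONFIG_P ... by process SEP_webui_wsma_http        (config change via web UI)
#   %WEBUI-6-INSTALL_OPERATION_INFO ... Install Operation: ADD (file install via web UI)
# The sample lines, hostname, timestamps, username and file name are constructed.

SAMPLE_LOGS='Oct 17 10:01:02 edge-rtr1 %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 17 10:01:03 edge-rtr1 %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD /bootflash/example.bin
Oct 17 10:02:00 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)'

# Constructed "show running-config | include ip http" output: exposed vs restricted.
CONFIG_EXPOSED='ip http server
ip http secure-server'

CONFIG_RESTRICTED='no ip http server
ip http secure-server
ip http access-class ipv4 99'

# Print every line showing the web UI changing configuration or installing files.
# Legitimate web UI use also produces SYS-5-CONFIG_P, so treat hits as leads to
# verify against change records and the local user list, not as proof.
webui_suspicious_lines() {
    printf '%s\n' "$1" | grep -E 'SEP_webui_wsma_http|%WEBUI-6-INSTALL_OPERATION_INFO' || true
}

# Count of such lines (0 when clean); "|| true" keeps grep's exit status 1 on
# no match from aborting a caller running under "set -e".
webui_hit_count() {
    printf '%s\n' "$1" | grep -c -E 'SEP_webui_wsma_http|%WEBUI-6-INSTALL_OPERATION_INFO' || true
}

# Classify HTTP server exposure from running-config lines:
#   disabled   - neither "ip http server" nor "ip http secure-server" is active
#   restricted - a server is active but an "ip http access-class" limits sources
#   exposed    - a server is active with no access-class (the state to fix)
http_exposure() {
    servers=$(printf '%s\n' "$1" | grep -c -E '^ip http (secure-)?server$' || true)
    acl=$(printf '%s\n' "$1" | grep -c -E '^ip http access-class ' || true)
    if [ "$servers" -eq 0 ]; then
        echo disabled
    elif [ "$acl" -eq 0 ]; then
        echo exposed
    else
        echo restricted
    fi
}

# Stand-alone run over the constructed samples.
echo "== suspicious web UI log lines =="
webui_suspicious_lines "$SAMPLE_LOGS"
echo "== HTTP server exposure =="
echo "exposed sample:    $(http_exposure "$CONFIG_EXPOSED")"
echo "restricted sample: $(http_exposure "$CONFIG_RESTRICTED")"
```

Run it against your own exports by replacing the sample variables with the contents of the relevant files. Cisco's advisory also publishes a request-based check for the web UI implant; the attackers modified the implant during the campaign, so take that check from the current version of the advisory rather than from a copy.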
NCSC guidance, services and tools
The NCSC provides a range of free guidance, services and tools that help to secure systems:
- Follow NCSC guidance, including on preventing lateral movement and on protecting administration interfaces, to reduce the attack surface.
- Sign up to the NCSC Early Warning service. If you are an Early Warning user already, please check your MyNCSC portal.
- UK central government departments can take advantage of the NCSC’s host based capability.
- The vulnerability disclosure toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.