In this week's newsletter I decided to shed light on the recent vulnerability that is being actively exploited on Cisco devices.
The reading is split into three parts so that it works for everyone: a cybersecurity beginner's explanation, an executive brief, and finally problem solving for analysts.
Cybersecurity Beginner
Let's begin with a few terms:
CVE: this stands for Common Vulnerabilities and Exposures. When a weakness in a product is publicly disclosed it is assigned an identifier of the form CVE-YYYY-NNNNN so that everyone (vendors, researchers, defenders) can refer to the same issue; this is the CVE number. A zero-day is a weakness that attackers are exploiting before the vendor has a fix available, which is the situation here.
In this case, a weakness was found in Cisco devices running IOS XE (the operating system on many Cisco routers and switches). Attackers were using it to create their own account on the device with the highest privilege level there is (privilege level 15, the equivalent of an administrator or superuser), without needing any valid credentials.
Once that is done the attacker can do anything on the device, from deleting user accounts to creating new ones and changing the configuration, and can use the device as a foothold into the rest of the network.
Executive Brief
On September 28, 2023, Cisco identified an attack affecting Cisco IOS XE, the operating system that runs on many Cisco routers and switches. Attackers reach the device through its web management interface (HTTP or HTTPS) and, without any credentials, create an account with full administrative privileges; from that point they can do anything on the device and use it to reach the rest of the network. Until the vendor ships a security patch, the most effective mitigation is to disable the web interface on the device, or at a minimum restrict it to trusted management addresses. My opinion on the matter would be to disable this feature until a proper security patch is offered by the vendor.
Problem Solving
As a security analyst, use the indicators that Cisco Talos Intelligence has published: block the malicious IP addresses at the perimeter and search your device logs for them, and search the running configuration of every IOS XE device for the attacker-created user accounts.
The IP addresses to block and search for are:
5.149.249.74
154.53.56.231
154.53.63.93
The local user accounts to check for (for example with "show running-config | include username") are:
cisco_tac_admin
cisco_support
cisco_sys_manager
Whether or not you find these indicators, disable HTTP and HTTPS on your Cisco devices ("no ip http server" and "no ip http secure-server") until a patch arrives. If one of these accounts is present, treat the device as compromised: removing the account alone does not undo whatever else the attacker changed, so the device needs a full investigation.
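To make the checks above repeatable, here is an added example (written for this newsletter, not Cisco's or Talos' own tooling) that scans an exported "show running-config" and a syslog export for the three usernames and three IP addresses listed above, reports whether the web UI is enabled, and builds the IOS XE commands needed to disable it and remove any matching accounts. The device name, the configuration snippet and the log lines are constructed for the example; only the indicators come from the newsletter.

```python
"""Triage helper for the IOS XE web UI attack described in this newsletter.

Added example, not the newsletter's or Cisco's code. It works on text exports
(copy of `show running-config`, a syslog dump) so it runs offline.
"""
import re

# Indicators listed in the newsletter (published by Cisco Talos).
IOC_IPS = frozenset({"5.149.249.74", "154.53.56.231", "154.53.63.93"})
IOC_USERS = frozenset({"cisco_tac_admin", "cisco_support", "cisco_sys_manager"})

USERNAME_RE = re.compile(r"^username\s+(\S+)", re.MULTILINE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample config for a hypothetical device (hostname and hashes are made up).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username netops privilege 15 secret 9 <redacted>
username cisco_tac_admin privilege 15 secret 9 <redacted>
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed sample log lines; the field layout only approximates IOS XE syslog.
SAMPLE_SYSLOG = """\
Oct 17 09:12:01 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]
Oct 17 09:14:33 edge-rtr-1 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 5.149.249.74]
Oct 17 09:15:02 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 154.53.56.2]
Oct 17 09:20:47 edge-rtr-1 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 154.53.63.93]
"""


def find_ioc_users(config_text):
    """Return IOC usernames configured as local accounts, in config order, no duplicates."""
    found = []
    for name in USERNAME_RE.findall(config_text):
        if name in IOC_USERS and name not in found:
            found.append(name)
    return found


def find_ioc_ips(text):
    """Return IOC IPs appearing anywhere in the text (syslog, ACL logs, NetFlow exports),
    in first-seen order. The word boundaries stop 154.53.56.2 matching 154.53.56.231."""
    found = []
    for ip in IPV4_RE.findall(text):
        if ip in IOC_IPS and ip not in found:
            found.append(ip)
    return found


def web_ui_status(config_text):
    """Report whether the HTTP and HTTPS servers (the web UI) are enabled.

    IOS XE prints `ip http server` when the feature is on and `no ip http server`
    when it is off, so only the enabling form anchored at line start counts.
    """
    return {
        "http": re.search(r"^ip http server\s*$", config_text, re.MULTILINE) is not None,
        "https": re.search(r"^ip http secure-server\s*$", config_text, re.MULTILINE) is not None,
    }


def remediation_commands(config_text):
    """Build the IOS XE CLI sequence to disable the web UI and remove IOC accounts.

    Returns an empty list when there is nothing to change. Note that IOS asks for
    confirmation when removing a username, and removing the account does not undo
    any other change the attacker made; the device still needs investigation.
    """
    status = web_ui_status(config_text)
    changes = []
    if status["http"]:
        changes.append("no ip http server")
    if status["https"]:
        changes.append("no ip http secure-server")
    changes += [f"no username {user}" for user in find_ioc_users(config_text)]
    if not changes:
        return []
    return ["configure terminal", *changes, "end", "write memory"]


def triage(config_text, log_text):
    """One-shot summary for a single device."""
    return {
        "ioc_users": find_ioc_users(config_text),
        "ioc_ips": find_ioc_ips(log_text),
        "web_ui": web_ui_status(config_text),
        "compromised": bool(find_ioc_users(config_text) or find_ioc_ips(log_text)),
        "remediation": remediation_commands(config_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CONFIG, SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```

Run it against real exports by reading the two files into the strings instead of the samples; the "compromised" flag and the command list are meant to drive the next step (isolate and investigate the device), not to be pasted in blindly.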