Featured in this episode of Tech News of the Week
To quote a great philosopher, “A 10! A 10, I give it a fuckin’ 10!” A CVE with a 10. That’s the worst kind, friend! A 10 means that this is not only devastating in its effect, but also “relatively easy to exploit.” Which, in parlance, means script-kiddie-palooza.
CVE-2023-20198, which, and I can’t emphasize this enough, carries the maximum severity rating of 10, was announced last Monday the 15th of October. It was also announced fixed, but then it was re-announced as unfixelated (technical term).
The bug resides in the Web User Interface of Cisco IOS XE software which can be trivially exploited when exposed to the Internet or untrusted networks. This means that any switch, router, or wireless LAN controller running IOS XE that has the HTTP or HTTPS Server feature enabled and is exposed to the Internet is vulnerable.
Now I know what you’re thinking, it would be insane for a service like that to be exposed to the Internet! Surely all customers are using private and inaccessible VLANs for management, right? Wellllll….. No. On Monday the 22nd, the Shodan search engine showed that as many as 80,000 Internet-connected devices could be affected. For that reason, Talos recommends that even if you THINK you don’t have any IOS XE on the network that you should just go ahead and double check.
Also… update your stuff. The new, new updates are now available.