Security Roundup October 2023
October 2023: Over 40,000 Cisco devices hit with web management exploit, an attack on Okta leads to attacks on 1Password and Cloudflare, Boeing appears to have been breached, critical vulnerabilities in VMware vCenter, and more!
Over 40,000 Cisco IOS XE Devices Hit by Web UI Exploit
This month, attackers exploited a previously unknown vulnerability in the web management interface of over 40,000 Cisco routers and switches running IOS XE software.
Attackers were able to exploit a vulnerability in the Web User Interface (CVE-2023-20198) to gain privilege level 15 access on devices whose web management interfaces were exposed to the internet. This allowed the attackers to add a local user account, which was then used to exploit a second vulnerability (CVE-2023-20273) and deploy an implant on the device.
According to Cisco’s Talos threat intelligence agency, the vendor first became aware of suspicious activity on September 28th following a customer raising a case with Cisco’s Technical Assistance Centre (TAC) regarding suspicious activity on an appliance.
To detect the presence of the implant, Cisco Talos suggests using the command provided below. Execute this command from a workstation with the appropriate access to the system you wish to check. Replace ‘systemip’ with the actual IP address of the target system.
curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
More information can be found via Cisco’s Security Advisory here. Customers who detect an implant or malicious activity are advised to enact their incident response plans.
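To run the Talos check above against a whole inventory rather than one device at a time, here is an added example (not Cisco’s code) that sends the same POST as the curl command and classifies the reply. Per the Talos advisory, a response body consisting of a hexadecimal string indicates the implant is present; the host list is a constructed placeholder.

```python
import re
import ssl
import urllib.error
import urllib.request
from typing import Optional

# Authorization value copied from the Talos curl command above.
TALOS_AUTH = "0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"
# Talos: a hex-string body (e.g. 0123456789abcdef01) means the implant answered.
HEX_BODY = re.compile(r"^[0-9a-fA-F]{4,}$")


def classify(body: Optional[str]) -> str:
    """Map a response body to 'implant', 'clean' or 'unreachable'."""
    if body is None:
        return "unreachable"
    if HEX_BODY.match(body.strip()):
        return "implant"
    return "clean"


def check_device(host: str, timeout: float = 5.0) -> str:
    """POST to /webui/logoutconfirm.html exactly as the advisory's curl does."""
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # equivalent of curl -k (self-signed device certs)
    req = urllib.request.Request(
        url, data=b"", method="POST", headers={"Authorization": TALOS_AUTH}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still has a body to inspect
        return classify(err.read().decode("utf-8", "replace"))
    except OSError:  # DNS failure, refused connection, timeout
        return classify(None)


if __name__ == "__main__":
    # Constructed inventory; replace with your own management addresses.
    for device in ["192.0.2.10", "192.0.2.11"]:
        print(device, check_device(device))
```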
It is highly recommended that network admins don’t expose management interfaces to the internet. However, it appears that ISPs and MSPs may have left the web interface open due to either poor hardening or as an alternative support mechanism.
Cisco has released a patch for the vulnerability, but admins are also recommended to turn off the web interface using the commands:
Router(config)#no ip http server
Router(config)#no ip http secure-server
Or, if it is required to be enabled, lock down admin interfaces to trusted IP addresses only.
Okta Breach Leads to Attacks on Cloudflare and 1Password
Identity and access management (IAM) vendor Okta reported in a blog post that attackers had managed to breach its support ticket system and steal troubleshooting files, which could then be used to access the systems of Okta’s customers.
Okta’s helpdesk often asks for HAR (HTTP Archive) files, recordings of a browser session’s network traffic, to troubleshoot browser issues. HAR files may include session tokens, which can be stolen to bypass password and multi-factor authentication mechanisms.
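Because a HAR file is plain JSON, the session material can be stripped before the file ever reaches a support desk. The following is an added example (not Okta’s, Cloudflare’s or 1Password’s tooling) that redacts cookies, auth headers and message bodies from a HAR; the sample capture is constructed inline.

```python
import json

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

# Constructed HAR 1.2 fragment, not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://sso.acme.example/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=constructed-session-token"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "constructed-session-token"}],
        "postData": {"mimeType": "application/json", "text": "{\"password\": \"x\"}"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=rotated-token; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "rotated-token"}],
        "content": {"mimeType": "application/json", "text": "{\"id\": \"00u1\"}"},
    },
}]}}


def _scrub_headers(headers):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_cookies(cookies):
    for c in cookies:  # every cookie value goes; names stay for troubleshooting
        c["value"] = REDACTED


def sanitize_har(har: dict) -> dict:
    """Return a deep copy with session/auth material and bodies redacted."""
    out = json.loads(json.dumps(har))  # deep copy; original left untouched
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_headers(msg.get("headers", []))
            _scrub_cookies(msg.get("cookies", []))
        # Bodies can echo tokens (token endpoints) or carry credentials (login forms).
        for body in (entry.get("response", {}).get("content", {}),
                     entry.get("request", {}).get("postData", {})):
            if "text" in body:
                body["text"] = REDACTED
    return out


if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```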
Following the attack, security vendors Cloudflare and 1Password disclosed that attackers had attempted to access their systems using compromised HAR files, which had been stolen from Okta. Both organisations advised that no customer data was accessed in the attempted attacks.
Security firm BeyondTrust said it had alerted Okta to a potential breach on October 2nd, after detecting attempted intrusions into its own systems shortly after a member of its staff had shared HAR files with Okta’s service desk. BeyondTrust accused Okta of not acknowledging the breach for three weeks.
Okta is a popular solution for single sign-on services, allowing organisations to centralise access to their applications behind a single login service. The organisation has around 17,000 customers. The breach has impacted Okta’s share price, with the company’s stock price falling 11%.
LockBit Claims it’s Breached Boeing
The prolific ransomware gang LockBit has claimed it has managed to exfiltrate a ‘tremendous amount’ of data from aerospace giant Boeing. The gang said it had breached the organisation after exploiting a zero-day vulnerability.
LockBit has not published evidence of a breach but has threatened to release the data if Boeing doesn’t contact them by November 2nd.
Boeing is a giant in the aerospace industry and has stated that it is currently assessing the claims. The organisation has an annual revenue of over $60bn. If LockBit’s claims are proven to be accurate, the breach could have a massive impact on the organisation.
Remote Code Execution Vulnerabilities in VMware vCenter
VMware recently rolled out security updates to resolve a critical issue within the vCenter Server. This vulnerability could lead to the execution of remote code on affected systems. In its advisory, VMware warned, “An attacker with network access to the vCenter Server can exploit this out-of-bounds write, potentially leading to remote code execution.”
Identified as CVE-2023-34048 (CVSS score: 9.8), the problem stems from an out-of-bounds write vulnerability in the DCE/RPC protocol’s implementation.
Some of This Month’s Other Vulnerabilities:
In its Patch Tuesday updates, Microsoft released updates for 104 vulnerabilities, three of which are zero-days.
Two identified vulnerabilities have a critical severity rating, with a CVSSv3 score of 9.8 each. CVE-2023-35349, discovered within Microsoft Message Queuing, is classified as a remote code execution (RCE) vulnerability. This flaw potentially grants unauthenticated attackers the ability to execute code on the targeted server remotely. Similarly, CVE-2023-36434 relates to a privilege escalation vulnerability detected in Windows IIS Server. Exploitation of this vulnerability could involve an attacker brute-forcing user account passwords to gain access to privileged accounts.
A remote code execution vulnerability has been disclosed in F5’s BIG-IP networking devices. Proof-of-concept exploits have been released for the flaw, tracked as CVE-2023-46747, which could lead to unauthenticated remote code execution. The vendor has released hotfixes to address the vulnerability.
The following versions of BIG-IP are vulnerable:
- 16.1.0 – 16.1.4
- 15.1.0 – 15.1.10
- 14.1.0 – 14.1.5
- 13.1.0 – 13.1.5
More vulnerabilities in Citrix NetScaler ADC and Gateway products have been disclosed. These latest vulnerabilities follow the mass exploitation of around 2000 NetScaler appliances in July and August. Google’s Mandiant reported the latest vulnerability, tracked as CVE-2023-4966, in a blog post on October 17th.
Impacted organisations should refer to Citrix’s security bulletin for remediation actions.
Yet another busy month!
If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.
Email: [email protected]
Tel: 0333 370 1353