
It’s Not Thousands Of Devices Vulnerable, It’s Thousands Already Infected!
Cisco and its users have two immense problems right now, and only one of them is the zero-day exploit that affects all devices running IOS XE software. The second is that Cisco's initial communications implied it had seen the exploit used on a couple of machines, when the truth is that the flaw was discovered thanks to odd behaviour on somewhere between 10,000 and 80,000 active appliances. With numbers that high, you pretty much have to assume you are infected and that someone other than you has complete and utter control over your network traffic. Turn the devices off if you can; if you are told you cannot, explain the repercussions to your security team.
There is no patch or workaround that protects IOS XE software with the HTTP Server feature enabled, whether plain HTTP or HTTPS, so both should be disabled. That is all nice and fine, but as more details emerge it seems unwise to assume you are safe once you do so. This flaw has been exploited since at least September 18, giving the attacker a month to gain control of your machine. Even if you disable the HTTP Server feature to close off the new flaw, a local user created by the attacker is still able to exploit the CVE-2021-1435 vulnerability, which Cisco patched over two years ago. To make this clear: the attacker can exploit CVE-2021-1435 even if your device is fully patched against it and has been for years.
You should never run the HTTP Server feature on a device exposed to the internet, but this happens unintentionally as well as through ignoring best practice, and thus you have your Severity 10 exploit.
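As an added defender-side check that is not part of the article or of any Cisco tooling: a small Python audit over a saved `show running-config` that reports whether the plain and HTTPS servers are enabled, which local accounts are not on your known list (the article's point about attacker-created local users), and the `no ...` commands that disable the feature. The sample config, the hostname and the account names in it are constructed for illustration.

```python
"""Audit a saved IOS XE running-config for the HTTP Server feature and local users."""
# Added example, not from the article or from Cisco; the sample config is constructed.
import re

# Constructed sample: HTTP and HTTPS enabled, the expected admin, and one unexpected
# privilege-15 account of the kind the article says the attacker creates.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-router
!
username admin privilege 15 secret 9 PLACEHOLDER_HASH
username svc_unexpected privilege 15 secret 9 PLACEHOLDER_HASH
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Accounts the operator knows about; any other local username is flagged for review.
KNOWN_USERS = {"admin"}

def audit_config(config_text, known_users=KNOWN_USERS):
    """Return findings plus the `no ...` commands that disable the HTTP Server feature."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines

    users = {}
    for ln in lines:
        m = re.match(r"^username (\S+)(?:\s+privilege (\d+))?", ln)
        if m:
            users[m.group(1)] = int(m.group(2) or 1)  # IOS default privilege is 1

    remediation = []
    if http_on:
        remediation.append("no ip http server")
    if https_on:
        remediation.append("no ip http secure-server")

    return {
        "http_server_enabled": http_on,
        "https_server_enabled": https_on,
        "unknown_local_users": sorted(u for u in users if u not in known_users),
        "privilege15_users": sorted(u for u, p in users.items() if p == 15),
        "remediation": remediation,
    }
```

Run it against the text of each device's `show running-config`; any unknown privilege-15 account should be treated as a sign of compromise rather than simply deleted, since the article's point is that the device may already be under someone else's control.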