Today, CISA updated its guidance addressing two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI).
The guidance now notes that Cisco has fixed these vulnerabilities for the 17.9 Cisco IOS XE software release train with the 17.9.4a update. According to Cisco’s Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, fixes are still to be determined for the following Cisco IOS XE software release trains: 17.6, 17.3, 16.12 (Catalyst 3650 and 3850 only). CISA urges organizations with the 17.9 Cisco IOS XE software release train to immediately update to the 17.9.4a release.
CISA urges organizations to review:
- CISA’s updated guidance
- Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
- Cisco Talos blog: Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
CISA has added CVE-2023-20198 and CVE-2023-20273 to its Known Exploited Vulnerabilities Catalog, which, per Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats.
Note: The Cisco Security Advisory initially pointed to another vulnerability as part of this activity. However, as stated in the Cisco Talos blog, Cisco has since determined that the vulnerability “CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity.”