CISA Updates Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities With Additional Releases

Defend Edge – admin
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its guidance on two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, that affect the Web User Interface (UI) of Cisco Internetwork Operating System (IOS) XE Software.
The updated guidance states that Cisco has addressed these vulnerabilities in the 17.6 software release train by publishing the 17.6.6a release.
However, fixed releases for the 17.3 and 16.12 software release trains, the latter being the train that covers the Catalyst 3650 and 3850 platforms, are still to be determined.
Cisco had previously fixed the issue in the 17.9 release train with 17.9.4a on October 22, 2023.
CISA advises organizations running the 17.9 and 17.6 software release trains to update promptly to the 17.9.4a and 17.6.6a releases, respectively.
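Deciding which devices still need the update means comparing each device's running release against the fixed release for its train, and Cisco's lettered rebuilds (17.9.4a is newer than 17.9.4) trip up naive string or float comparisons. The script below is an added illustration, not code from CISA, Cisco or DefendEdge: it parses the release string out of `show version` output (which prints the zero-padded form, e.g. `17.09.04a`), ranks it against the fixed releases listed on this page, and also reports whether the web UI transport (`ip http server` / `ip http secure-server`) is present in the running configuration, since the affected feature is the Web UI. The sample `show version` and configuration text are constructed, not captured from a real device, and the table of fixed releases reflects the state of the guidance described on this page.

```python
"""Patch-status triage for the Cisco IOS XE web UI CVEs (CVE-2023-20198 / CVE-2023-20273).

Added illustration; not code from CISA, Cisco or DefendEdge.
"""
import re

# Fixed release per train as summarised on this page at the time of the update;
# None means no fixed release had been announced for that train yet.
FIXED_RELEASE_BY_TRAIN = {
    (17, 9): "17.9.4a",
    (17, 6): "17.6.6a",
    (17, 3): None,
    (16, 12): None,
}

# Accepts "17.9.4a" as well as the zero-padded "17.09.04a" that `show version` prints.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")
_SHOW_VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\.\d+[a-z]?)")


def version_key(version):
    """Return a sortable tuple for an IOS XE release string.

    A lettered rebuild (17.9.4a) is newer than its unlettered base (17.9.4),
    so a missing suffix sorts as 0 and letters sort by their code point.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), ord(suffix) if suffix else 0)


def extract_version(show_version_output):
    """Pull the release string out of `show version` output."""
    m = _SHOW_VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no 'Version x.y.z' string found in show version output")
    return m.group(1)


def web_ui_enabled(running_config):
    """True if the HTTP or HTTPS server (the web UI transport) is configured."""
    enabling_lines = {"ip http server", "ip http secure-server"}
    return any(line.strip() in enabling_lines for line in running_config.splitlines())


def assess(show_version_output, running_config):
    """Return (patch_status, web_ui_enabled) for one device."""
    key = version_key(extract_version(show_version_output))
    train = key[:2]
    if train not in FIXED_RELEASE_BY_TRAIN:
        status = "train-not-covered"   # not in this page's guidance; consult the Cisco advisory
    elif FIXED_RELEASE_BY_TRAIN[train] is None:
        status = "no-fix-yet"          # 17.3 and 16.12 at the time of the update
    elif key >= version_key(FIXED_RELEASE_BY_TRAIN[train]):
        status = "fixed"
    else:
        status = "vulnerable"
    return status, web_ui_enabled(running_config)


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = "Cisco IOS XE Software, Version 17.09.03\nCisco IOS Software [Cupertino], ...\n"
SAMPLE_CONFIG = "hostname edge-rtr1\n!\nip http server\nip http secure-server\n!\n"

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))  # ('vulnerable', True)
```

A device reported as `vulnerable` with the web UI enabled is the case the advisory is about; `fixed` with the web UI enabled is patched but still exposes the management plane, and `no-fix-yet` devices have no update to apply in the trains the page names.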
CISA also encourages organizations to review the following resources:
– CISA’s updated guidance
– Cisco Security Advisory regarding multiple vulnerabilities in the Cisco IOS XE Software Web UI Feature
– Cisco Product Support for the availability of software fixes related to the Cisco IOS XE Software Web UI Privilege Escalation Vulnerability (CVE-2023-20198)
– Cisco Talos Threat Advisory on the active exploitation of vulnerabilities in the Cisco IOS XE Software Web Management User Interface
Furthermore, CISA has included CVE-2023-20198 and CVE-2023-20273 in its Known Exploited Vulnerabilities Catalog as of October 16, 2023, and October 23, 2023, respectively.
As per Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the specified due date in order to protect their networks against active threats.
Link: https://defendedge.com/alerts/cisa-updates-guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities-additional-releases/

