
Following discovery of IOS XE vulnerability, Cisco reviews what to turn off and how

Some network advice: Only turn on what you need.

Francis Scialabba



On tough days, a network admin’s job is a lot of unplugging.

Cisco has advised IOS XE software customers to go around the house and “disable the HTTP/S server feature on internet-facing systems,” after discovering that devices have been exploited by a vulnerability associated with its web UI feature.

Though a fix is in the works and could be ready as soon as October 22, company spokesperson Carro Halpin said in an email to IT Brew on Friday, the unpatched vulnerability allows an attacker to create an account with “level 15” access privileges; such admin-level power gives control over a compromised device, according to a vendor bulletin published on October 16.

Products supported by IOS XE include enterprise switches, wireless controllers, and aggregation routers.

Admin access to a networking product gives hackers a host of options, Andy Richter, enterprise networking practice director at the IT services provider Presidio, told IT Brew.

“They can make changes to the configuration of the running state of the device,” Richter said. “They can change the software version that is running audits, potentially. They can reboot the device, and they can see any of the telemetry or logs or other information live on the device.”

What to do: The web UI feature, an embedded, GUI-based system that supports functions like provisioning, “is enabled through the ‘ip http server’ or ‘ip http secure-server’ commands”, which Cisco had advised IOS XE users on Oct. 16 to search for and shut down.

A security advisory that Cisco sent the same day reviewed indicators of compromise, along with the command steps required to find out if a system has the HTTP Server feature enabled. (To disable the HTTP Server option, “use the ‘no ip http server’ or ‘no ip http secure-server’ command in global configuration mode,” the company said.)
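As an added illustration of the check and remediation described above (this is not Cisco's tooling or the advisory's own script), the following audits an exported running-config: it reports whether either web UI listener is enabled, lists the exact disable commands the article quotes, and flags privilege-15 local accounts that are not on an admin-supplied allowlist, since the article notes the exploit creates a level-15 account. The config excerpt and the account names in it are constructed, and it assumes the platform writes the HTTP server state explicitly, as IOS XE normally does.

```python
import re

# Constructed sample running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-sw1
username netops privilege 15 secret 9 $9$placeholder
username svc_unknown privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input ssh
"""

HTTP_RE = re.compile(r"^(no )?ip http (server|secure-server)\s*$", re.M)
USER_RE = re.compile(r"^username (\S+) privilege 15\b", re.M)

def http_server_state(config: str) -> dict:
    """Return {'server': bool, 'secure-server': bool} for the web UI listeners.
    A listener counts as enabled only when the affirmative line is present;
    'no ip http ...' or an absent line counts as disabled (assumption: the
    platform records the state explicitly in the running-config)."""
    state = {"server": False, "secure-server": False}
    for negated, feature in HTTP_RE.findall(config):
        state[feature] = not negated
    return state

def unexpected_level15_users(config: str, known: set) -> list:
    """Privilege-15 local accounts missing from the allowlist. An unknown
    account is a lead for investigation, not proof of compromise."""
    return [u for u in USER_RE.findall(config) if u not in known]

def audit(config: str, known_admins: set) -> dict:
    state = http_server_state(config)
    # Remediation commands as quoted in the article (global configuration mode).
    fixes = []
    if state["server"]:
        fixes.append("no ip http server")
    if state["secure-server"]:
        fixes.append("no ip http secure-server")
    return {"http": state, "remediation": fixes,
            "review_accounts": unexpected_level15_users(config, known_admins)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"netops"}))
```

Run it against `show running-config` output saved to a file; the remediation list is what to apply in global configuration mode if the listeners are not needed.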

In an emailed statement IT Brew received on Oct. 18 from Halpin, the company said, “We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory. Cisco will provide an update on the status of our investigation through the security advisory.”

Take what you need and leave the rest (unplugged): Patch or no patch, Richter recommends isolating management functions, scanning for vulnerabilities, and disabling nonessential features as important safeguards against zero-day, network-specific threats.

“If you don’t need the web server enabled on your switcher, or your router, or your other infrastructure, turn it off,” Richter told us.
