Whack-A-Mole: The Cisco IOS XE Software Vulnerabilities Edition

Unpack the latest cybersecurity saga involving two vulnerabilities in Cisco’s IOS XE Software. With one patch released and more on the way, it’s a high-stakes game of Whack-A-Mole.

Hot Take:

Oh boy, it’s the tech version of “Whack-A-Mole” again! We’ve got two pesky vulnerabilities, CVE-2023-20198 and CVE-2023-20273, causing a ruckus in the Web User Interface (UI) of Cisco’s Internetwork Operating System (IOS) XE Software. Cisco’s been on the case, patching up the 17.9 release train with the 17.9.4a update. But don’t celebrate yet; we’re still waiting on the fixes for the 17.6, 17.3 and 16.12 release trains. CISA’s advice? If you’re on the 17.9 train, update to the 17.9.4a release pronto. And now, in a fun twist, a vulnerability that was initially implicated in the drama, CVE-2021-1435, has been given a clean bill of health by Cisco. It’s like a cyber soap opera, only with more acronyms.

Key Points:

  • CISA has updated its guidance on two vulnerabilities affecting the Web UI of Cisco’s Internetwork Operating System (IOS) XE Software: CVE-2023-20198, a privilege escalation that lets an unauthenticated attacker create a local account with privilege level 15 through the Web UI, and CVE-2023-20273, a Web UI command injection that the attacker then uses from that account.
  • Cisco has patched these vulnerabilities for the 17.9 Cisco IOS XE software release train with the 17.9.4a update, but fixes for the 17.6, 17.3 and 16.12 release trains are still pending.
  • Organizations on the 17.9 release train are urged to update to the 17.9.4a release immediately.
  • Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities Catalog, which requires Federal Civilian Executive Branch agencies to remediate them by the specified due date.
  • The vulnerability CVE-2021-1435, initially cited in the Cisco Security Advisory, is no longer associated with this activity.

The Back Channel:

"Patchy Business"

It's been a busy week at Cisco as they scramble to patch up vulnerabilities in their IOS XE Software. The 17.9 release train got a tune-up with the 17.9.4a update, but those on the 17.6, 17.3 and 16.12 release trains are still waiting at the station.

"Updating in Progress..."

If you're on the 17.9 release train, CISA's advice is simple: stop reading this and update to the 17.9.4a release. Now. We'll wait. Done? Good. You're now protected from two vulnerabilities that have been making headlines. One caveat before you relax: the update closes the Web UI hole, but it does not undo anything an attacker already did through it, so check the running configuration for accounts you didn't create, and if you don't need the Web UI, turn the HTTP server feature off, which is what Cisco's advisory recommends for internet-facing devices on every release train, including the ones still waiting for a fix.
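Since "are we on 17.9.4a yet?" is a question you will be asking across a whole fleet, here is a small triage script as an added example (it is not from the original post or from Cisco). It parses the version line of `show version` and the `ip http server` / `ip http secure-server` lines of `show running-config`, and reports whether a device is on the one train that has a fix (17.9, fixed in 17.9.4a, exactly as the post states) and whether its Web UI is still enabled. The device output below is constructed for the example, the fixed-release table only contains what the page says, and the `train-not-listed` result deliberately punts to Cisco's advisory rather than guessing about other trains.

```python
"""Triage helper for the Cisco IOS XE Web UI advisory (added example, not Cisco's code).

Parses `show version` and `show running-config` text captured from a device and
reports (a) whether the release is at or past the one fix the post lists and
(b) whether the Web UI (HTTP or HTTPS server) is still enabled.
All sample device output in this file is constructed for the example.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, str]  # major, minor, maintenance, rebuild letter

# Fixed builds per release train as stated in the post: only 17.9 had a fix
# (17.9.4a); the 17.6, 17.3 and 16.12 trains were still pending (None).
FIXED_RELEASES = {
    (17, 9): (17, 9, 4, "a"),
    (17, 6): None,
    (17, 3): None,
    (16, 12): None,
}

# `show version` prints the release as "Cisco IOS XE Software, Version 17.09.04a"
# (zero-padded) and again on the banner line as "... Version 17.9.4a, RELEASE ...".
# Both forms match; int() drops the zero padding.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)([a-z]?)\b")

# Top-level config lines "ip http server" / "ip http secure-server", possibly negated.
HTTP_RE = re.compile(r"^\s*(no )?ip http (secure-)?server\s*$", re.MULTILINE)


def parse_version(show_version: str) -> Optional[Version]:
    """Return (major, minor, maintenance, rebuild) from `show version` text, or None."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, maint, m.group(4))


def assess(show_version: str) -> str:
    """Classify a device against the fixed releases listed in the post.

    Returns one of: "fixed", "update-needed", "no-fix-yet",
    "train-not-listed" (not on the page; check Cisco's advisory), "unparsed".
    """
    ver = parse_version(show_version)
    if ver is None:
        return "unparsed"
    train = ver[:2]
    if train not in FIXED_RELEASES:
        return "train-not-listed"
    fixed = FIXED_RELEASES[train]
    if fixed is None:
        return "no-fix-yet"
    # Tuple comparison handles the rebuild letter: (17,9,4,"") < (17,9,4,"a"),
    # so a plain 17.9.4 is still flagged for update.
    return "fixed" if ver >= fixed else "update-needed"


def web_ui_exposed(running_config: str) -> bool:
    """True if either the HTTP or the HTTPS server is enabled in the running config."""
    return any(m.group(1) is None for m in HTTP_RE.finditer(running_config))


def triage(show_version: str, running_config: str) -> Tuple[str, bool]:
    """One-line verdict per device: (patch status, Web UI still enabled?)."""
    return assess(show_version), web_ui_exposed(running_config)


# Constructed sample output for a 17.9 device that has been updated to 17.9.4a
# but still has the plain HTTP server enabled.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 17.09.04a
Cisco IOS Software [Cupertino], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.9.4a, RELEASE SOFTWARE (fc4)
"""
SAMPLE_RUNNING_CONFIG = """\
!
ip http server
no ip http secure-server
!
"""

if __name__ == "__main__":
    status, exposed = triage(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    print(f"patch status: {status}; web ui enabled: {exposed}")
```

Feed it the two `show` outputs collected by whatever you already use for inventory; a device that comes back `fixed` but with the Web UI still enabled is patched, not necessarily clean, and still deserves the account review mentioned above.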

"False Alarm!"

In a plot twist worthy of a prime-time drama, the villainous CVE-2021-1435 vulnerability has been exonerated. Initially fingered as part of this security hullabaloo, it has since been given the all-clear by Cisco, which no longer associates it with this activity. Can't wait for the next episode!
Tags: CISA guidance, Cisco IOS XE Vulnerabilities, CVE-2023-20198, CVE-2023-20273, Federal Civilian Executive Branch, Known Exploited Vulnerabilities Catalog, Software Update