By Saeed Abbasi, Product Manager, Vulnerability and Threat Research, Qualys
Let us consider the implications of the recently discovered critical zero-day vulnerability (tracked as CVE-2023-20198) in Cisco’s IOS XE. After initial exploitation, the attacker leveraged another vulnerability within the web UI feature, using the newly created local user to gain root privileges and implant malicious code into the system. This secondary vulnerability is identified by Cisco as CVE-2023-20273. IOS XE is a flexible operating system designed to bring together wired and wireless, LAN and WAN, reducing complexity and, ironically, enhancing security. These vulnerabilities allow an attacker to create a high-privileges account on an affected device. More than 40,000 devices were infected within days and while, at the time of writing, none of these are thought to be in the GCC, this could change at any moment. Any Internet-facing network component, whether a switch, router, or other device running Cisco IOS XE Software, is at risk if the web UI feature is enabled.
Recently discovered and now under active exploit, these new flaws have been added to the CISA KEV catalog. It allows unauthorized attackers to gain remote, full-privilege access to affected devices, putting them entirely under the attacker’s control. The incident highlights a critical point: while agent-based vulnerability management tools are instrumental in monitoring and detecting potential threats on devices they’re installed on, they aren’t a cure-all. Consider network devices, such as the affected Cisco gear. These devices often don’t support agents and thus could serve as blind spots in an agent-only vulnerability management strategy. Devices with IOS XE don’t support agent installations, emphasizing the visibility challenges they present. Cybersecurity professionals are once again prompted to rethink their strategies.
Beyond Agents
A multi-faceted approach is essential for effective vulnerability management. While agents can identify suspicious activity in real-time, the Cisco situation highlights the need for actions beyond agent systems. Solely relying on agent-based solutions limits security teams from conducting a thorough risk assessment. First, as we have seen, some devices are just not set up for agents, which leads to troublesome patches of fog. For some devices, it may even be advisable not to install an agent. And then there are endpoints like off-site servers that connect to base intermittently and can fly under the radar. These devices will require proactive external scans.
When one considers the complexity of today’s IT suite — routers, switches, and physical firewalls, not to mention IoT ecosystems and operational technology (OT) — one quickly realizes the difficulty of tracking all the non-agent-supporting elements on site, as well as all those in the cloud or other remote locations. IT and security teams must account for all the assets in virtual cloud environments because agent-only solutions may only cover such infrastructure to a limited degree. It is very easy for containers, serverless functions, and other cloud-native elements to evade the spotlight. And throughout all this, even where agent-based solutions thrive, they are less reliable when it comes to detecting misconfigurations, which can present dangers as severe as any vulnerability.
Total Visibility
There is a lot to think about when reassessing the role of agents. Their monitoring of their host device is accurate but blinkered. The agent does not have access to sufficient data to come up with an external perspective on its host. To adopt the mindset of the attacker, we must have this perspective, which can only be achieved through external scans. Vulnerability management must merge agent telemetry with network scans to cover more ground and leave less places for malicious executables to hide.
The security stack must evolve to deliver unobscured, total visibility. When an SOC analyst looks at the environment, they must see everything. Every device, from on-premises routers to cloud servers, from smartphones to IoT assets. If the analyst can see all this, then accurate, real-time alerts are also possible. Following from this, teams can be proactive rather than reactive. And if the SOC has access to advanced threat intelligence, and has invested in machine learning tools, then security professionals will be able to zero in on the most critical vulnerabilities before they can be exploited.
Organizations face ever-changing risks. Relying solely on agent-based solutions can miss critical vulnerabilities. A holistic vulnerability management strategy, combining agent-based and agent-less methods, is crucial. By using varied approaches, organizations can effectively identify and counter threats. A comprehensive cybersecurity approach includes agents, network, external, and passive scans, ensuring a proactive defense against evolving cyber threats.
