There's not a lot worse that can happen to your network than to have the Bad Guys take it over. That's what's happened to gobs of iOS boxes:
The main bug being used in the exploit chain exists in the Web UI of IOS XE (CVE-2023-20198). It ranks 10 out of 10 on the CVSS vulnerability-severity scale, and gives unauthenticated, remote attackers a way to gain initial access to affected devices and create persistent local user accounts on them.
The exploit method also involves a second zero-day (CVE-2023-20273), which Cisco only discovered while investigating the first one, which allows the attacker to elevate privileges to root and write an implant on the file system. Cisco released updated versions of IOS XE addressing the flaws on Oct. 22, days after disclosure, giving cyberattackers ample opportunity to go after legions of unpatched systems.
So first of all, patch your damn routers. Second, replace any network admin who can't grok iOS command line and disable the stupid web GUI. I mean, this isn't rocket surgery - anyone who can figure out subnet masking can configure things via CLI.
> replace any network admin who can't grok iOS command line and disable the stupid web GUI. I mean, this isn't rocket surgery - anyone who can figure out subnet masking can configure things via CLI.
ReplyDeleteThis goes for *any* operating system.
If your network team doesn't understand Linux or BSD and how to completely avoid Windows on critical infrastructure, get rid of them too.
WHUT?!?
ReplyDeleteI grok Linux and FreeBSD - and Windows.
ReplyDeleteJust as easy to secure all of them, if you know what you're doing - and PowerShell is pretty much the answer for Windows.
Kur
Pity we cannot figure out how to stop Sarah Elizabeth from SPAMING all out sites.
ReplyDeleteNow I just have to figure out how to mention to our IT Prima Donnas about your warning.
@kurt: Just as easy to secure all of them,
ReplyDeleteFor Windows you hire a team of dedicated security engineers, staff a SOC 24/7/365, build custom Windows images to reduce your exposure, install expensive AntiVirus, AntiMalware, and Endpoint management software, firewall every port off, figure out what's broken in AD, slowly unfirewall specific ports, go through Microsoft's "hardening guides" because it's insecure by default, and then cross your fingers...oh...and install security/application updates multiple times per week complete with reboots.
For Linux and BSD you pretty must just install them, firewall off everything except SSH and whatever port the box needs to do it's job (i.e. SSH and Postgres or SSH and HTTP/HTTPS or SSH and DNS, etc...), set SSH to only allow authentication via security keys, and the box is nearly impossible to compromise unless you forget to update every year or two.
For fun, try spinning up a Linux box, a FreeBSD box, and a Windows box in the cloud. In Linux and FreeBSD tell SSH to only allow SSH Key authentication. For Windows pick any one of the standard remote management tools (i.e. RDP, WSMAN, etc...) and leave the firewalls open on every box.
Let me know which box gets compromised first.
MSPs all around me have been compromised and gone out of business over the years...usually taking client data with them. I'm still here. Why? We don't use Windows internally anywhere. We don't trust Windows on client systems and do everything we can do avoid using it.
Put your Windows-based Active Directory domain controller up against my AppArmor-wrapped docker container that runs Samba and see which one is easier to compromise. Then see which one is easier to automate and/or monitor. Then see which one can be restored remotely and brought back in service faster. Then see which one costs you more over a 10-year period.
I'll take Linux and BSD over Windows any day.