Today, CISA updated its guidance addressing two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting Cisco's Internetworking Operating System (IOS) XE Software Web User Interface (UI).
The guidance now notes that Cisco has fixed these vulnerabilities for the 17.9 Cisco IOS XE software release train with the 17.9.4a update. According to Cisco's Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, fixes are still to be determined for the following Cisco IOS XE software release trains: 17.6, 17.3, and 16.12 (Catalyst 3650 and 3850 only). CISA urges organizations running the 17.9 Cisco IOS XE software release train to immediately update to the 17.9.4a release.
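The following triage helper is an added example, not part of the CISA alert or of any Cisco tooling. It encodes only the release-train facts stated above (17.9 fixed at 17.9.4a; fixes pending for 17.6, 17.3 and 16.12) and classifies IOS XE version strings from an inventory against them. The version-string format (major.minor.maintenance with an optional rebuild letter such as 17.9.4a, optionally zero-padded as in `show version` output) and the treatment of any later 17.9 release as carrying the fix are assumptions made here, not statements from the alert; the sample inventory is constructed.

```python
import re

# Facts taken from the CISA update quoted above.
FIXED_RELEASE_BY_TRAIN = {(17, 9): "17.9.4a"}
FIX_PENDING_TRAINS = {(17, 6), (17, 3), (16, 12)}

# Assumed format: major.minor.maint with optional rebuild letter, e.g. 17.9.4a.
# Zero-padded forms such as 17.09.04a (as printed by 'show version') also match.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)([a-z]?)\s*$")


def parse_version(text: str) -> tuple[int, int, int, str]:
    """Turn '17.9.4a' into a comparable tuple (17, 9, 4, 'a').

    The rebuild letter sorts after the empty string, so 17.9.4a > 17.9.4,
    which matches how Cisco numbers rebuilds of a maintenance release.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised IOS XE version string: {text!r}")
    major, minor, maint, rebuild = match.groups()
    return (int(major), int(minor), int(maint), rebuild)


def assess(version: str) -> str:
    """Classify one device version against the guidance above.

    Returns one of:
      'fixed'            - on 17.9 at or above 17.9.4a (assumption: later
                           17.9 releases retain the fix)
      'update to 17.9.4a'- on 17.9 below the fixed release
      'fix pending'      - on a train the advisory lists as not yet fixed
      'not covered'      - on a train this update does not mention; check
                           the Cisco advisory directly
    """
    parsed = parse_version(version)
    train = parsed[:2]
    if train in FIXED_RELEASE_BY_TRAIN:
        fixed = parse_version(FIXED_RELEASE_BY_TRAIN[train])
        return "fixed" if parsed >= fixed else "update to 17.9.4a"
    if train in FIX_PENDING_TRAINS:
        return "fix pending"
    return "not covered"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {
        "edge-rtr-01": "17.9.3",
        "edge-rtr-02": "17.09.04a",
        "campus-sw-01": "16.12.8",
        "branch-rtr-07": "17.6.5",
        "lab-rtr-01": "17.12.1",
    }
    for host, status in triage(sample).items():
        print(f"{host:15} {sample[host]:10} {status}")
```

A version check of this kind only tells you whether a device still needs the update; because these CVEs are in the KEV catalog for active exploitation, a device that was exposed before patching should also be examined for compromise following the Cisco advisory and Talos blog, which this script does not do.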
CISA urges organizations to review:
CISA has added CVE-2023-20198 and CVE-2023-20273 to its Known Exploited Vulnerabilities Catalog, which, per Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats.
Note: The Cisco Security Advisory initially pointed to a different vulnerability as part of this activity. However, as stated in the Cisco Talos blog, Cisco has since determined that the vulnerability "CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity."