This advisory is for organizations that use the Cisco IOS XE software to manage Cisco devices. If your organization does not use this platform, this notification may be discarded.
Summary
Cisco has announced the discovery of a zero-day privilege escalation vulnerability in the Web User Interface of Cisco IOS XE software when that interface is exposed to the internet. It affects any IOS XE device that has the HTTP or HTTPS Server feature enabled and reachable from the internet. The vulnerability is rated critical and has been assigned the highest possible Common Vulnerability Scoring System (CVSS) score of 10.0.
NOTE: The only current mitigation is to disable the HTTP/HTTPS Server functionality on all internet-facing IOS XE devices.
The vulnerability allows an unauthenticated, remote attacker to create a user account on an affected system with privilege level 15, which gives the attacker full control of that system.
Talos Intelligence has noted attackers using this access to install an implant on the affected device.
CVE-2023-20198 – Cisco IOS XE Software Web Management User Interface Vulnerability
CVSSv3: 10.0
Affected Products/Versions
(this only indicates that HTTP Server is enabled, not that you have been attacked)
Mitigations
There is no patch YET for this vulnerability. Cisco urges users to disable the HTTP Server feature on all internet-facing systems.
To disable, enter global configuration mode and use the command(s):
no ip http server
no ip http secure-server
Cisco has stated, based on their understanding of how the exploit works, "that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation."
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z#:~:text=address%20this%20vulnerability.-,Recommendations,-Cisco%20strongly%20recommends
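The following is an added example, not Cisco's tooling or part of the original advisory. It audits the text of a `show running-config` for the two exposure conditions the mitigation section describes: the HTTP/HTTPS Server feature being enabled, and that feature being enabled without an access list applied via `ip http access-class`. The three sample configurations (weak, disabled, and ACL-restricted) and the ACL name WEBUI-MGMT are constructed for the example.

```python
"""Audit an IOS XE running-config for web UI exposure (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: web UI enabled on both HTTP and HTTPS, no access restriction.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed sample after applying the advisory's mitigation (web UI disabled).
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
"""

# Constructed sample of the ACL-based mitigation Cisco describes as effective.
# WEBUI-MGMT is a placeholder ACL name; 10.0.0.0/24 is a constructed management subnet.
ACL_CONFIG = """\
hostname edge-rtr-01
!
ip access-list standard WEBUI-MGMT
 permit 10.0.0.0 0.0.0.255
 deny   any
!
ip http server
ip http secure-server
ip http access-class ipv4 WEBUI-MGMT
!
"""

# Matches both the older "ip http access-class <acl>" and the newer
# "ip http access-class ipv4|ipv6 <acl>" forms of the command.
ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 |ipv6 )?(?P<acl>\S+)$")


@dataclass
class WebUiStatus:
    http_enabled: bool
    https_enabled: bool
    access_class: Optional[str]
    findings: List[str] = field(default_factory=list)


def audit_webui(config: str) -> WebUiStatus:
    """Return the web UI exposure status and a list of findings for one config."""
    lines = [line.strip() for line in config.splitlines()]
    # IOS XE prints "ip http server" when enabled and "no ip http server" when
    # disabled, so an exact line match distinguishes the two.
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    access_class = None
    for line in lines:
        m = ACCESS_CLASS_RE.match(line)
        if m:
            access_class = m.group("acl")
    status = WebUiStatus(http_enabled, https_enabled, access_class)
    if (http_enabled or https_enabled) and access_class is None:
        status.findings.append(
            "web UI enabled with no ip http access-class: disable it "
            "(no ip http server / no ip http secure-server) or restrict it with an ACL"
        )
    if http_enabled:
        status.findings.append("plaintext HTTP server enabled")
    return status


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("acl", ACL_CONFIG)]:
        result = audit_webui(cfg)
        print(f"{name}: access_class={result.access_class} findings={result.findings}")
```

Run it against configs collected from internet-facing devices; any config that produces the "no ip http access-class" finding is a device the advisory's mitigation has not yet been applied to.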
Indicators of Compromise
Unexpected local user accounts, in particular:
cisco_tac_admin
cisco_support
any user that is unknown to the network administrator
The system log will contain a %SYS-5-CONFIG_P message for each instance in which a user accessed the web UI. Look for unknown usernames in these messages.
%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
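The following is an added example, not Cisco's or Talos's tooling and not part of the original advisory. It scans a syslog excerpt for the two message types listed above, extracts the username from each, and flags the usernames the advisory names as well as any username not on an administrator-supplied allowlist. The log lines, the allowlist, and the install filename are constructed for the example; the regexes follow the message layout quoted in the advisory and may need adjusting to your devices' exact output.

```python
"""Scan IOS XE syslog for the web UI indicators in the advisory (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Usernames the advisory names as associated with this activity.
KNOWN_BAD_USERS = {"cisco_tac_admin", "cisco_support"}

# Constructed log excerpt: one legitimate web UI change by "netops", two events
# by an advisory-named account, one by an account not on the allowlist, and one
# unrelated message that the scanner must ignore.
SAMPLE_LOG = """\
Oct 17 10:02:11.101: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on line
Oct 17 10:15:43.207: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
Oct 17 10:16:02.550: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD /tmp/constructed_example.conf
Oct 17 11:40:19.004: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as svc_backup on line
Oct 17 11:41:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
"""

# "%SYS-5-CONFIG_P: ... as <user> on line" records a web UI driven config change.
CONFIG_P_RE = re.compile(r"%SYS-5-CONFIG_P:.*\bas (?P<user>\S+) on line")
# "%WEBUI-6-INSTALL_OPERATION_INFO: User: <user>, Install Operation: <op> <file>"
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<file>\S+)"
)


def classify_user(user: str, allowed: Set[str]) -> Optional[str]:
    """Return a reason string if the username is suspicious, else None."""
    if user in KNOWN_BAD_USERS:
        return "username named in the advisory"
    if user not in allowed:
        return "username unknown to the administrator"
    return None


def scan_log(text: str, allowed_users: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious web UI event in the log text."""
    allowed = set(allowed_users)
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = CONFIG_P_RE.search(line)
        if m:
            reason = classify_user(m["user"], allowed)
            if reason:
                findings.append({"user": m["user"], "event": "webui_config",
                                 "reason": reason, "line": line})
            continue
        m = INSTALL_RE.search(line)
        if m:
            # Every install operation through the web UI is worth a look, even
            # from a known user; suspicious users get the stronger reason.
            reason = classify_user(m["user"], allowed) or "install operation via web UI (review)"
            findings.append({"user": m["user"], "event": f"install_{m['op'].lower()}",
                             "file": m["file"], "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, ["netops"]):
        print(f"{f['event']:14} {f['user']:18} {f['reason']}")
```

Feed it the output of `show logging` (or the device's syslog collector export) and the list of usernames your administrators actually use; each finding carries the original line so it can be cross-checked against the running configuration's user accounts.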
curl -k -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1
(Note: if the system is configured for HTTP access only, use HTTP in the command example)
If the request returns a hexadecimal string, the implant is present.
Additional Resources
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/