Cisco IOS XE Zero Day: CVE-2023-20198

A few days ago, it was announced that Cisco devices running IOS XE with the HTTP or HTTPS server feature enabled were affected by a new vulnerability with a 10/10 CVSS score. This vulnerability is a remote code execution (RCE) flaw that allows an unauthenticated attacker to gain privileged access to the device. It is tracked as CVE-2023-20198 and was reported as early as September 18th.

Exactly how the exploit works is still under review, but Cisco’s Talos blog has some initial information. What is known is that the exploit uses the vulnerability to issue a “privilege level 15” command that creates a local user; then, using that user, a second exploit (CVE-2023-20273) is run to elevate the attacker’s privileges to root. Fixes for CVE-2023-20198 and CVE-2023-20273 started to roll out on October 22. Cisco’s advisory asks all customers using IOS XE to disable the HTTP and HTTPS server features facing the public internet while they work on a patch. To determine if you have been affected, Cisco has detailed configuration checks and indicators of compromise (IOCs) to look for:

  • Check if the HTTP(S) server is running (the presence of either command in the running configuration indicates that the web UI feature is enabled):

    device# show running-config | include ip http server|secure|active
    ip http server
    ip http secure-server
  • Note: If the ip http server command is present and the configuration also contains ip http active-session-modules none, these vulnerabilities are not exploitable over HTTP. If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, these vulnerabilities are not exploitable over HTTPS.

  • Determine if a new user has been added, especially cisco_tac_admin or cisco_support. The logs will be similar to:

    %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
    %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Tue Oct 24 2023
  • Check the system logs for the following message where “filename” is an unknown filename that does not correlate with an expected file installation action:

    %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
  • Cisco Talos has a command to check for the presence of the implant, where systemip is the IP address of the system to check. If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present. This command should be issued from a workstation with access to the system in question:

    curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
  • Note: If the system is configured for HTTP access only, use the HTTP scheme in the command example.
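As an added example (not a script from Cisco or Talos), the Python below applies the configuration and log checks described above to constructed sample data: the running-config excerpt, log lines, source addresses and file names are made up, and the list of expected install files is a hypothetical allow-list the operator would maintain.

```python
import re

# Usernames and log signatures named in the Talos guidance quoted above.
SUSPECT_USERS = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}
CONFIG_P = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http")
WEBLOGIN = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\]")
INSTALL = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), Install Operation: ADD (\S+)")


def web_ui_exposure(running_config: str) -> dict:
    """Per scheme, is the web UI enabled AND not neutralised by '... active-session-modules none'?"""
    lines = {line.strip() for line in running_config.splitlines()}
    return {
        "http": "ip http server" in lines
        and "ip http active-session-modules none" not in lines,
        "https": "ip http secure-server" in lines
        and "ip http secure-active-session-modules none" not in lines,
    }


def scan_logs(log_lines, expected_installs=()):
    """Return (reason, line) for every log line matching one of the post's indicators."""
    findings = []
    for line in log_lines:
        if CONFIG_P.search(line):
            findings.append(("programmatic config via web UI", line))
        m = WEBLOGIN.search(line)
        if m and m.group(1) in SUSPECT_USERS:
            findings.append(("web login by suspect user", line))
        m = INSTALL.search(line)
        if m and m.group(2) not in expected_installs:  # unknown filename = suspicious
            findings.append(("unexpected install operation", line))
    return findings


# Constructed sample input: HTTPS is enabled but mitigated, HTTP is still exposed.
SAMPLE_CONFIG = "ip http server\nip http secure-server\nip http secure-active-session-modules none\n"
SAMPLE_LOGS = [
    "%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 03:42:13 UTC Tue Oct 24 2023",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.11] at 03:45:00 UTC Tue Oct 24 2023",
    "%WEBUI-6-INSTALL_OPERATION_INFO: User: netops, Install Operation: ADD expected_image.bin",
    "%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD unknown_file.bin",
]

if __name__ == "__main__":
    print("web UI exposure:", web_ui_exposure(SAMPLE_CONFIG))
    for reason, line in scan_logs(SAMPLE_LOGS, expected_installs={"expected_image.bin"}):
        print(f"[{reason}] {line}")
```

Feed it the output of show running-config and show logging (or a syslog export) in place of the sample strings to run it against a real device.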

Fixes for CVE-2023-20198 have started to roll out; in addition, the following configuration changes mitigate the vulnerability:

  • Administrators can disable the HTTP Server feature by using the no ip http server or no ip http secure-server command in global configuration mode.

  • Restricting access to the HTTP server to trusted networks limits exposure to these vulnerabilities. The following example shows how to allow remote access to the HTTP server only from the trusted 192.168.0.0/24 network:

    !
    ip http access-class 75
    ip http secure-server
    !
    access-list 75 permit 192.168.0.0 0.0.0.255
    access-list 75 deny   any
    !
  • Note: To apply the access list in newer versions of Cisco IOS XE Software, use the ip http access-class ipv4 75 command in place of ip http access-class 75 in the previous example.

Contact us to see how Glassportal can proactively determine the impact of a zero-day before it happens using our context-driven vulnerability and risk management platform: demo@glassportal.io

Update: Cisco Talos released a list of IOCs to detect compromise in your environment:

IP Addresses:

  • 5.149.249[.]74
  • 154.53.56[.]231
  • 154.53.63[.]93

Usernames:

  • cisco_tac_admin
  • cisco_support
  • cisco_sys_manager

Files:

  • /usr/binos/conf/nginx-conf/cisco_service.conf
