Cisco Warns of Exploitation of a Maximum Severity Zero-Day Vulnerability in IOS XE: CVE-2023-20198

Cisco has released an advisory acknowledging active exploitation of a previously undisclosed critical vulnerability. The zero-day, tracked as CVE-2023-20198, carries the maximum CVSS score of 10.0 and lies in the web UI feature of Cisco IOS XE Software, the operating system that runs Cisco’s enterprise routers and switches.

What is the vulnerability in Cisco IOS XE about? (CVE-2023-20198)

Cisco describes the zero-day as a privilege escalation vulnerability: a remote, unauthenticated attacker can create an account on an affected system with privilege level 15 access. Level 15 is the highest IOS XE privilege level and grants unrestricted command access, including the ability to reload the system and modify its configuration, so the attacker can use the new account to take full control of the device.

CVE-2023-20198 affects all Cisco IOS XE devices with the Web UI feature enabled, and the vulnerability can be exploited when the system is accessible via the internet or untrusted networks.

How do attackers exploit CVE-2023-20198 to target Cisco IOS XE?

On September 28, 2023, Cisco discovered early indications of potentially malicious activity, with related activity dating back to September 18. The suspicious activity involved an authorized user creating a local account named “cisco_tac_admin” from the IP address 5.149.249[.]74. This activity ceased on October 1, with no other associated behavior.

On October 12, Cisco identified a second cluster of related activity that began the same day. This time an unauthorized user created a local account called “cisco_support” from the IP address 154.53.56[.]231. Unlike the September activity, the October activity went further: the actor deployed an implant written in Lua, consisting of a configuration file, “cisco_service.conf,” that defines a new web server endpoint (URI path) used to interact with the implant and allows the attacker to execute arbitrary commands on the device.

Cisco assessed that the implant was installed by exploiting CVE-2021-1435, a command injection vulnerability in the web UI component of IOS XE that Cisco patched in 2021, after the actor had already gained access to the device. Cisco also observed devices that were fully patched against CVE-2021-1435 receiving the implant through a mechanism it had not yet determined.

According to Cisco, it is likely that these clusters of activity originated from the same threat actor, with the October activity appearing to build upon the September activity.

Cisco Talos details the exploitation activity in a separate advisory.

Further notes by Cisco regarding the malicious implant, and how to detect it

To activate the implant, the web server must be restarted. In at least one instance Cisco observed, the server was not restarted, so the implant never became active even though it had been installed. The implant itself is not persistent: rebooting the device removes it.

By contrast, the local user accounts created through CVE-2023-20198 are persistent. They give the attacker administrator-level access that survives a device restart, so rebooting alone does not clean an affected device; the rogue accounts must be removed explicitly.

Cisco Talos researchers advised organizations to remain vigilant for any suspicious users appearing on Cisco IOS XE devices, as potential indications of an exploited vulnerability. They also provided a command for organizations to verify the presence of the implant on any affected device:

curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

If the request returns a hexadecimal string, the implant is present. Note that this check only detects an active implant: an implant that was installed but whose web server was never restarted does not respond, and a device on which the HTTP server has already been disabled will not answer the request at all, which is not the same as a clean result.
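To run the check above across an inventory rather than one device at a time, here is an added example (not code from Cisco Talos or SOCRadar) that issues the same POST request as the curl command with TLS verification disabled, the equivalent of curl -k, and classifies the reply. It separates “no implant answered” from “device unreachable” so that a device with the HTTP server already disabled is not mistaken for a clean one. The addresses in DEVICES are constructed placeholders.

```python
"""Run the implant check against a list of IOS XE devices.

Added example, not code from Cisco Talos or SOCRadar. It reproduces the
curl request (POST to /webui/logoutconfirm.html?logon_hash=1, certificate
verification disabled like curl -k) and classifies the response body.
"""
import re
import ssl
import urllib.error
import urllib.request

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
_HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_response(body: str) -> str:
    """Return 'implant' if the body is a bare hexadecimal string, else 'clean'.

    The stock logout page answers with HTML; only the implant answers this
    request with a hex string, so anything that is not pure hex is clean.
    """
    stripped = body.strip()
    return "implant" if stripped and _HEX_RE.fullmatch(stripped) else "clean"


def probe_device(host: str, timeout: float = 5.0) -> str:
    """Return 'implant', 'clean' or 'unreachable' for one device.

    Caveats from the text: an implant that was installed but never activated
    (web server not restarted) does not answer, and a device whose HTTP server
    has already been disabled is reported as unreachable, not clean.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # accept the device's self-signed cert, like curl -k
    req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_response(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # A 4xx/5xx from the regular web UI still carries a body; classify it the same way.
        return classify_response(err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


def probe_fleet(hosts, timeout: float = 5.0) -> dict:
    """Map each host to its probe result."""
    return {host: probe_device(host, timeout) for host in hosts}


# Constructed placeholder inventory (RFC 5737 documentation addresses);
# replace with the management addresses of your own devices.
DEVICES = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    for host, verdict in probe_fleet(DEVICES).items():
        print(f"{host}: {verdict}")
```

Run it from a host that can reach the devices’ management interfaces; treat every “unreachable” result as a device that still needs to be checked by hand (or via the log indicators below), not as a negative.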

Is there a patch available? How to mitigate the Cisco IOS XE vulnerability?

At the time of writing there is neither a patch nor a workaround for this vulnerability. Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing Cisco IOS XE devices, using the “no ip http server” and “no ip http secure-server” commands in global configuration mode, and then save the running configuration (“copy running-config startup-config”) so the change survives a reload.

To determine whether the HTTP Server feature is enabled, Cisco recommends running “show running-config | include ip http server|secure|active” in the Command-line Interface (CLI). The filter prints every configuration line containing “ip http server”, “secure” or “active”; if “ip http server” or “ip http secure-server” appears in the output, the HTTP Server feature is enabled, whereas a line prefixed with “no” (for example “no ip http server”) shows that the corresponding server is disabled.

How to find Indicators of Compromise (IoCs) on Cisco IOS XE instances?

Cisco has outlined methods for detecting system compromise, which encompass the following recommendations:

  • Check system logs for messages of the form “%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line” or “%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address]” where user is a new or unknown username.
  • Check system logs for “%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename” where filename is unknown and does not correspond to an expected file installation.
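The configuration check and the log indicators above are easy to get wrong by hand (a substring match for “ip http server” also matches the negated “no ip http server”, and a grep for the message IDs floods the analyst with legitimate logins). The following added example, not Cisco’s or SOCRadar’s code, parses both: it reads the filtered “show running-config” output to report whether the HTTP and HTTPS servers are enabled, and it scans syslog for the three message IDs, flagging the rogue account names named in this article as high confidence and any other account not on an expected-user list as medium. The configuration and log samples are constructed to approximate IOS XE output and are not from a real incident; the patterns key on the message IDs and bracketed fields, which are the stable parts of those messages.

```python
"""Offline triage of the CVE-2023-20198 configuration and log indicators.

Added example, not Cisco's or SOCRadar's code. SAMPLE_CONFIG and
SAMPLE_LOG are constructed to approximate IOS XE output.
"""
import re

# Rogue account names reported in the activity clusters described above.
KNOWN_ROGUE_USERS = {"cisco_tac_admin", "cisco_support"}

# Lines returned by: show running-config | include ip http server|secure|active
_HTTP_RE = re.compile(r"^\s*(?P<neg>no\s+)?ip http (?P<secure>secure-)?server\b")


def http_server_state(running_config: str) -> dict:
    """Return {'http': bool, 'https': bool} parsed from the filtered config.

    The optional 'no' prefix is parsed explicitly so that a negated line
    ('no ip http server') is reported as disabled rather than enabled.
    """
    state = {"http": False, "https": False}
    for line in running_config.splitlines():
        m = _HTTP_RE.match(line)
        if m:
            state["https" if m.group("secure") else "http"] = m.group("neg") is None
    return state


_CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) "
    r"from \S+ as (?P<user>\S+)")
_WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]")
_INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: ADD (?P<file>\S+)")


def find_log_indicators(log_text: str, expected_users, expected_files=()):
    """Return (severity, indicator, detail) tuples for suspicious log lines.

    expected_users: accounts that legitimately exist on the device.
    expected_files: file names from planned web UI installs, if any.
    """
    expected_users = set(expected_users)
    expected_files = set(expected_files)
    findings = []

    def check_user(indicator, user, line):
        if user in KNOWN_ROGUE_USERS:
            findings.append(("high", indicator, f"known rogue account {user}: {line.strip()}"))
        elif user not in expected_users:
            findings.append(("medium", indicator, f"unknown account {user}: {line.strip()}"))

    for line in log_text.splitlines():
        m = _CONFIG_P_RE.search(line)
        if m:
            check_user("CONFIG_P", m.group("user"), line)
            continue
        m = _WEBLOGIN_RE.search(line)
        if m:
            check_user("WEBLOGIN_SUCCESS", m.group("user"), line)
            continue
        m = _INSTALL_RE.search(line)
        if m and m.group("file") not in expected_files:
            findings.append(("high", "INSTALL_OPERATION_INFO",
                             f"unexpected install of {m.group('file')} by {m.group('user')}: {line.strip()}"))
    return findings


# Constructed samples (not real device output).
SAMPLE_CONFIG = """\
no ip http server
ip http secure-server
ip http active-session-modules none
"""

SAMPLE_LOG = """\
*Oct 12 2023 09:02:11.100: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 09:02:11 UTC Thu Oct 12 2023
*Oct 12 2023 10:15:22.101: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_support on vty0
*Oct 12 2023 10:15:30.512: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 154.53.56.231] at 10:15:30 UTC Thu Oct 12 2023
*Oct 12 2023 10:16:01.004: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD /bootflash/update.bin
*Oct 12 2023 10:20:45.330: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as contractor1 on vty1
"""

if __name__ == "__main__":
    print("HTTP server state:", http_server_state(SAMPLE_CONFIG))
    for sev, ind, detail in find_log_indicators(SAMPLE_LOG, expected_users={"netops"}):
        print(f"[{sev}] {ind}: {detail}")
```

On the constructed sample this reports HTTPS enabled and HTTP disabled, two high-confidence hits for “cisco_support”, one high-confidence hit for the unexpected install, and one medium hit for “contractor1”; the medium findings are where an expected-user list maintained from the device’s “show running-config | include username” output pays off.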

Cisco has also released Snort rule IDs that detect exploitation activity:

  • 3:50118:2 – can alert for initial implant injection
  • 3:62527:1 – can alert for implant interaction
  • 3:62528:1 – can alert for implant interaction
  • 3:62529:1 – can alert for implant interaction

For more details and the full list of IoCs, refer to Cisco’s official advisory.

Enhanced Vulnerability Monitoring with SOCRadar

SOCRadar consistently monitors security vulnerabilities, delivering timely intelligence crucial for safeguarding organizational assets. 

With the Vulnerability Intelligence module, you can search for vulnerabilities, access comprehensive information about them, and track associated activities.


Furthermore, the Attack Surface Management module enables you to retrieve vital data about vulnerabilities affecting your assets.


The post Cisco Warns of Exploitation of a Maximum Severity Zero-Day Vulnerability in IOS XE: CVE-2023-20198 appeared first on SOCRadar® Cyber Intelligence Inc.
