Cisco IOS XE Software Web UI Privilege Escalation Vulnerability (CVE-2023-20198)

October 17, 2023

THE THREAT

On October 16th, 2023, Cisco issued an advisory about an actively exploited vulnerability in the web UI feature of Cisco IOS XE Software when exposed to untrusted networks or the internet.

Designated CVE-2023-20198 and assigned the maximum CVSS score of 10.0, the vulnerability allows an unauthenticated remote attacker to create an account with privilege level 15 on an affected device and then use that account to take full control of it. Any internet-exposed device is likely to have been compromised already: in an open-source review of 1,000 exposed systems by eSentire Threat Intelligence, implant strings were observed on just under 50% of them.

As of October 17th, 2023, Cisco has stated that there is no patch or workaround for this flaw, so applying the recommended mitigation as soon as possible is paramount. Cisco strongly recommends that "customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the 'no ip http server' or 'no ip http secure-server' command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature."

Cisco has also published indicators that a system may have been compromised, underscoring that exploitation is active in the wild; eSentire TRU has identified exploitation dating back to at least October 12. Given the severity of the vulnerability and the absence of a patch, organizations must assess their exposure and take protective measures.

Additional information

Cisco has identified active exploitation of a previously undisclosed vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). It affects physical and virtual devices running IOS XE with the HTTP or HTTPS Server feature enabled. The Web UI ships in the default image, so no additional license or installation is needed for it to be present. On successful exploitation, the attacker can create an account with privilege level 15 on the device, gaining full control of it and a foothold for further unauthorized activity.

Cisco's advice to disable the HTTP Server feature on internet-accessible systems is not only a best practice; it echoes prior U.S. government guidance on the risks of publicly accessible management interfaces.

The vulnerability was discovered through collaboration between Cisco's technical support centers and its security team, which noticed unusual indicators in a small fraction of the large number of daily support cases.

At the time of publication on October 17th, no proof-of-concept code was publicly available for CVE-2023-20198. Given its severity, following the guidance in Cisco's PSIRT advisory should be prioritized: potentially affected organizations must promptly apply the mitigation and perform retrospective checks to confirm the device was not exploited before the mitigation was applied.

Indicators of Compromise:

Indicator            Type
205.185.123[.]17     IP address
162.33.177[.]204     IP address
5.149.249[.]74       IP address
154.53.56[.]231      IP address
cisco_tac_admin      Username
cisco_support        Username
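As an added example (not part of eSentire's advisory or any Cisco tooling), the following Python script ties the mitigation and the indicators above together: it audits a running-config dump for the enabling lines `ip http server` / `ip http secure-server`, emits the disabling commands Cisco recommends, lists local accounts matching the IoC usernames together with every privilege-15 account for review, and scans log lines for the IoC addresses. The sample configuration and log lines are constructed for illustration; the log line format is not a real IOS XE syslog format, and listing all privilege-15 accounts is a review aid assumed here, not an indicator from the advisory.

```python
"""Audit IOS XE running-config text and log lines for CVE-2023-20198 exposure
and for the indicators of compromise listed in this advisory."""
import re

# Indicators from the advisory; kept defanged here and refanged before matching.
IOC_IPS_DEFANGED = [
    "205.185.123[.]17", "162.33.177[.]204", "5.149.249[.]74", "154.53.56[.]231",
]
IOC_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# Cisco's mitigation: each enabling config line and the global-config command
# that disables it. Both are needed when both servers are on.
WEB_SERVER_FIX = {
    "ip http server": "no ip http server",
    "ip http secure-server": "no ip http secure-server",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable address."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def audit_running_config(config_text: str) -> dict:
    """Check a running-config dump for web UI exposure and IoC accounts.

    Returns a dict with:
      exposed      - enabling lines found ("ip http server" / "ip http secure-server")
      fix          - the disabling commands for exactly what was found
      ioc_users    - local accounts whose names match this advisory's IoCs
      priv15_users - every privilege-15 local account, for manual review
                     (review aid assumed here; an attacker may pick any name)
    """
    exposed, ioc_users, priv15_users = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        # "no ip http server" is a disabling statement; only the bare form enables.
        if line in WEB_SERVER_FIX:
            exposed.append(line)
        m = USERNAME_RE.match(line)
        if m:
            user, priv = m.group(1), m.group(2)
            if user in IOC_USERNAMES:
                ioc_users.append(user)
            if priv == "15":
                priv15_users.append(user)
    return {
        "exposed": exposed,
        "fix": [WEB_SERVER_FIX[line] for line in exposed],
        "ioc_users": ioc_users,
        "priv15_users": priv15_users,
    }


def scan_log_lines(lines) -> list:
    """Return (line, ip) pairs for log lines containing an IoC address."""
    hits = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((line, ip))
    return hits


# Constructed sample running-config (not from a real device): HTTP already off,
# HTTPS still on, and an account matching an IoC username present.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_support privilege 15 secret 9 $9$REDACTED
!
no ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed sample log lines; the format is illustrative, not real IOS XE syslog.
SAMPLE_LOGS = [
    "Oct 12 2023 09:41:02 edge-rtr-1 web-ui: request from 5.149.249.74 to /webui/",
    "Oct 12 2023 09:41:03 edge-rtr-1 web-ui: request from 10.20.30.40 to /webui/",
    "Oct 12 2023 09:41:09 edge-rtr-1 aaa: user cisco_support login from 154.53.56.231",
]

if __name__ == "__main__":
    report = audit_running_config(SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
    for line, ip in scan_log_lines(SAMPLE_LOGS):
        print(f"IoC {ip} seen in: {line}")
```

Feed it the output of `show running-config` and exported device logs. Note that disabling the web server removes the exposure but not an account or implant that is already present, so any hit on an IoC username or address should trigger incident response rather than just the mitigation.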

References:

[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
[2] Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
[3] CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild
[4] Shodan Search
[5] https://www.cisa.gov/news-events/news/website-security
[6] https://vulncheck.com/blog/cisco-implants
