Warning Against Cisco IOS XE Software Web UI Vulnerabilities (CVE-2023-20198, CVE-2023-20273)

by Prapattimynk, Monday, 30 October 2023

Overview

This month, Cisco released a security advisory regarding two vulnerabilities currently being actively exploited in actual attacks: CVE-2023-20198 and CVE-2023-20273.

These vulnerabilities are present in the web UI feature of Cisco IOS XE Software.

CVE-2023-20198 allows an unauthorized threat actor to create an arbitrary account with privilege level 15, the highest level of access possible, and take control of the system. CVE-2023-20273 is a command injection vulnerability that lets the attacker write malicious content to the file system. They were given CVSS scores of 10.0 and 7.2 respectively.

Affected Products

The vulnerability can be exploited if the web UI feature of the Cisco IOS XE software is enabled. The web UI is activated through the following commands:

ip http server

ip http secure-server

The following command can be used to check whether the web UI feature is enabled in the product.

show running-config | include ip http server|secure|active

Example:

Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server

If the command above returns one or more lines, the web UI feature is enabled.

※ If the ip http server command exists and ip http active-session-modules none is also included, the CVE-2023-20198 vulnerability cannot be exploited through HTTP.
※ If the ip http secure-server command exists and ip http secure-active-session-modules none is also included, the CVE-2023-20198 vulnerability cannot be exploited through HTTPS.
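As an added example (not part of the original advisory), the following Python helper applies the check above and the two ※ exceptions to saved output of the show command, so the exposure of many devices can be assessed from collected command output. The sample output is constructed, and exact line matching is used so that a "no ip http server" line, which the include filter also returns, is not counted as an enabled listener.

```python
# Added example: evaluate web UI exposure to CVE-2023-20198 from the output of
#   show running-config | include ip http server|secure|active
# The sample output below is constructed, not captured from a real device.
SAMPLE_OUTPUT = """\
ip http server
ip http secure-server
ip http active-session-modules none
"""

# Commands from the mitigation section, keyed by transport.
MITIGATION = {"http": "no ip http server", "https": "no ip http secure-server"}


def assess_webui_exposure(command_output):
    """Return per-transport enabled/exploitable flags.

    Exact line matching: 'no ip http server' (which the include filter also
    returns on a device where the listener is disabled) does not count.
    """
    lines = {line.strip() for line in command_output.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    # The advisory's two exceptions: 'active-session-modules none' blocks
    # exploitation over that transport even though the listener is enabled.
    http_blocked = "ip http active-session-modules none" in lines
    https_blocked = "ip http secure-active-session-modules none" in lines
    return {
        "http_enabled": http_on,
        "https_enabled": https_on,
        "http_exploitable": http_on and not http_blocked,
        "https_exploitable": https_on and not https_blocked,
    }


def recommended_commands(assessment):
    """Mitigation command(s) for each transport that is still exploitable."""
    cmds = []
    if assessment["http_exploitable"]:
        cmds.append(MITIGATION["http"])
    if assessment["https_exploitable"]:
        cmds.append(MITIGATION["https"])
    return cmds


if __name__ == "__main__":
    result = assess_webui_exposure(SAMPLE_OUTPUT)
    print(result)
    print("apply:", recommended_commands(result))
```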

Mitigation Measures

1. Disable the HTTP server feature in all systems with Internet access

– When using an HTTP server: Apply the no ip http server command
– When using an HTTPS server: Apply the no ip http secure-server command

2. Limit access to the service to trusted networks only

Example of access list that only allows access from a trusted network (192.168.0.0/24):

!
ip http access-class 75
ip http secure-server
!
access-list 75 permit 192.168.0.0 0.0.0.255
access-list 75 deny any
!

※ To apply the access list in the latest version of Cisco IOS XE, use the command ip http access-class ipv4 75
※ Refer to Filter Traffic Destined to Cisco IOS XE Devices WebUI Using an Access List

Indicators of Compromise

1. Check the system log for cisco_tac_admin, cisco_support, or a local user that the network administrator is not aware of.

%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as {user} on line
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: {user}] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

2. Check the system log for file names that do not match the expected file installation tasks.

%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD (unknown)

3. Run the following command to check whether the endpoint definition file (implant) that the threat actor uses to interact with the system is present.

curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https://{your_systemip}/webui/logoutconfirm.html?logon_hash=1"

If a hexadecimal string is returned as the response, an implant exists on the system.

※ The command above must be executed from a workstation with access to the system in question.
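An added example (written for this post, not part of the advisory) that scans an exported syslog for the first two indicators above: web UI logins and programmatic configuration by the named accounts or by any account missing from the administrator's inventory, and install operations with an unknown file. The log lines, source addresses and the "netops" account are constructed.

```python
import re

# Constructed syslog lines modelled on the indicator formats above; the
# source IPs, timestamps and the 'netops' account are made up for this example.
SAMPLE_LOGS = """\
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 203.0.113.7] at 03:42:13 UTC Wed Oct 11 2023
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 192.168.0.10] at 09:12:01 UTC Wed Oct 11 2023
%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD (unknown)
%SYS-5-CONFIG_I: Configured from console by netops on vty0
"""

# Accounts the advisory names as implant artefacts, plus the (assumed) inventory
# of legitimate local users maintained by the network administrator.
IMPLANT_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}
KNOWN_ADMINS = {"netops"}

CONFIG_P = re.compile(r"%SYS-5-CONFIG_P: .*by process (?P<proc>\S+) .* as (?P<user>\S+) on line")
WEBLOGIN = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
INSTALL = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), Install Operation: (?P<op>.+)$")


def suspicious_user(user, known_admins):
    """A named implant account is always suspicious; so is any unknown local user."""
    return user in IMPLANT_ACCOUNTS or user not in known_admins


def find_indicators(log_text, known_admins=KNOWN_ADMINS):
    """Return (reason, line) pairs for log lines that match the IoCs above."""
    hits = []
    for line in log_text.splitlines():
        if (m := CONFIG_P.search(line)) and m.group("proc") == "SEP_webui_wsma_http":
            if suspicious_user(m.group("user"), known_admins):
                hits.append(("programmatic web UI config by unexpected user " + m.group("user"), line))
        elif m := WEBLOGIN.search(line):
            if suspicious_user(m.group("user"), known_admins):
                hits.append(("web UI login by unexpected user %s from %s" % (m.group("user"), m.group("src")), line))
        elif m := INSTALL.search(line):
            if "(unknown)" in m.group("op") or suspicious_user(m.group("user").strip(), known_admins):
                hits.append(("install operation with unexpected file or user", line))
    return hits


if __name__ == "__main__":
    for reason, line in find_indicators(SAMPLE_LOGS):
        print(reason, "<-", line)
```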

Security Patch 

On October 22, Cisco provided a security patch (Bug ID: CSCwh87343) for some of its products and will provide patches for other affected products in the future.

Base Release   Released Version                            Routing/SDWAN   Switching                      Wireless   IOT        SP Access and Pre-Aggregation Router
               [Base release + CSCwh87343 modification]
17.9.4         17.9.4a                                     Uploaded        Uploaded                       Uploaded   Uploaded   Uploaded
17.6.6         17.6.6a                                     Planned         Planned                        Planned    Planned    Planned
17.3.8         17.3.8a                                     Planned         Planned                        Planned    Planned    Planned
16.12.10       16.12.10a                                   N/A             Planned (Cat3850/3650 only)    N/A        N/A        N/A

Elements Confirmed by AhnLab & Recommendations

AhnLab’s investigation on IPs in Korea on October 20 revealed that out of a total of 794 servers, 496 contained implant files. Also, an additional check on October 24 after the vulnerability patch showed that 411 servers out of 794 had implant files, signifying that there are still vulnerable servers.

  • Confirmed details as of October 20 (before the release of the vulnerability patch): Estimated 496 vulnerable targets with implant files (794 servers checked in total)
  • Vulnerability patch released on October 22
  • Confirmed details as of October 24 (after the release of the vulnerability patch): Estimated 411 vulnerable targets with implant files (794 servers checked in total)

If you are using an affected product, it is strongly recommended to apply the patch. If the patch cannot be applied immediately, or no patch has been released yet for your product, apply the mitigation measures above. Even after the patch has been applied, the system may already have been compromised, so check it against the indicators of compromise above and remediate thoroughly.

Reference Sites
[1] Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
[2] Software Fix Availability for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability – CVE-2023-20198
