On 16 October 2023, Cisco reported a vulnerability affecting Cisco IOS XE. CVE-2023-20198 is a critical vulnerability in the web UI of Cisco IOS XE software. It applies when the web UI is exposed to the internet or other untrusted networks, and affects both physical and virtual devices with the HTTP or HTTPS Server feature enabled.
A threat actor can leverage this vulnerability to create an account on an affected device. This account has privilege level 15 access, which grants the malicious user full control of the compromised device. From there they can freely engage in further unauthorised activity, such as data theft or malware deployment. They would also be able to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks.
Research conducted by VulnCheck has identified thousands of hosts already impacted by this vulnerability. They recommend disabling the web interface and removing all management interfaces from the internet.
At the time of posting, a patch for this vulnerability has yet to be released. Cisco has recommended disabling the HTTP Server feature. A compromise of the system can be detected by:
- Monitoring access logs for any new or unknown users
- Monitoring system logs for the following message (where filename is an unknown filename that does not correlate with an expected file installation action)
- %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
- Running the following against a suspect device, where systemip is the IP address of the device to check. An implanted device will return a hexadecimal string:
- curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
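The two detection steps above (the syslog message and the logoutconfirm.html probe) as an added example in Python. This is not Cisco's guidance or tooling and not code from the page; the log lines, the username and filename in them, the sample response bodies, and the 16-character threshold for "hexadecimal string" are all constructed assumptions of this example.

```python
"""Added example: offline checks for the two detection steps above.

Not Cisco's tooling or the page's code. The sample log lines and
HTTP response bodies below are constructed for illustration.
"""
import re
import ssl
import urllib.request

# Cisco's syslog message for a web UI install operation, as quoted
# on the page. The user and filename fields are captured.
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>\S+), "
    r"Install Operation: ADD (?P<filename>\S+)"
)


def suspicious_installs(log_lines, expected_files=()):
    """Return (user, filename) for every ADD operation whose filename is
    not in the allow-list of files you actually intended to install.
    With an empty allow-list every ADD is reported."""
    hits = []
    for line in log_lines:
        m = INSTALL_RE.search(line)
        if m and m.group("filename") not in expected_files:
            hits.append((m.group("user"), m.group("filename")))
    return hits


# Per the page, an implanted device answers the POST to
# /webui/logoutconfirm.html?logon_hash=1 with a hexadecimal string.
# The minimum length of 16 is an assumption of this example so that a
# short, unrelated token is not mistaken for the indicator.
HEX_RE = re.compile(r"^[0-9a-fA-F]{16,}$")


def looks_implanted(body):
    """True when the response body is nothing but a hex string."""
    return bool(HEX_RE.match(body.strip()))


def check_host(systemip, timeout=5):
    """Live equivalent of the curl command (makes a network call; not
    exercised offline). TLS verification is disabled to mirror curl -k,
    since device web UIs commonly present self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{systemip}/webui/logoutconfirm.html?logon_hash=1",
        data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return looks_implanted(resp.read().decode(errors="replace"))


# Constructed sample syslog lines (not from a real device). The second
# line shows an ADD by an unknown user of a file nobody planned to install.
SAMPLE_LOG = [
    "*Oct 17 08:12:01.123: %WEBUI-6-INSTALL_OPERATION_INFO: User: admin, "
    "Install Operation: ADD cat9k_iosxe.17.09.03.SPA.bin",
    "*Oct 17 08:14:55.456: %WEBUI-6-INSTALL_OPERATION_INFO: User: newuser, "
    "Install Operation: ADD webui_update.tar",
    "*Oct 17 08:15:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

# Constructed response bodies: a hex string (implant indicator) and a
# normal HTML logout page.
IMPLANT_BODY = "4f1c9a7b2e3d0f8a6b5c4d3e2f1a0b9c\n"
CLEAN_BODY = "<html><body>Logout confirmed</body></html>"

if __name__ == "__main__":
    planned = {"cat9k_iosxe.17.09.03.SPA.bin"}
    for user, fname in suspicious_installs(SAMPLE_LOG, planned):
        print(f"unexpected install by {user}: {fname}")
    print("implant indicator:", looks_implanted(IMPLANT_BODY))
    print("clean page:", looks_implanted(CLEAN_BODY))
```

Run the script as-is to see the constructed lines evaluated; call check_host("10.0.0.1") (your own device address) to perform the live probe. Treat a positive result from either check as a reason to preserve logs and the running configuration before remediating, since the page's guidance is to look for unknown accounts alongside the implant.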
Further details on their recommendations and IoCs can be found here.
GitHub user ZephrFish (https://twitter.com/ZephrFish) has produced and shared a simple tool to scan whether a host has been compromised by a threat actor using this vulnerability. This can be found here.
The following Snort rule IDs are also available to detect exploitation:
- 3:50118:2 – can alert for initial implant injection
- 3:62527:1 – can alert for implant interaction
- 3:62528:1 – can alert for implant interaction
- 3:62529:1 – can alert for implant interaction
Additional ongoing discussion of this vulnerability can be followed on this Twitter thread by Daniel Card: https://twitter.com/UK_Daniel_Card/thread/1714536315834798314