Flash Alert – Critical Vulnerability in Cisco IOS XE Software

On 16 October 2023, Cisco reported on a vulnerability affecting Cisco IOS XE. CVE-2023-20198 is a critical vulnerability apparent in the Web UI of Cisco IOS XE software. It applies when the IOS is exposed to the internet or other untrusted networks, and impacts both physical and virtual devices with HTTP or HTTPS Server features enabled.

A threat actor can leverage this vulnerability to create an account on an affected device. This account would benefit from privilege level 15 access, which would grant the malicious user full control of the compromised device. From here they could freely engage in further unauthorised activity, such as data theft or malware deployment. They would also be able to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks

Research conducted by VulnCheck has identified thousands of hosts already impacted by this vulnerability. They recommend disabling the web interface and removing all management interfaces from the internet.

At the time of posting, a patch for this vulnerability has yet to be released. Cisco has recommended disabling the HTTP Server feature. A compromise of the system can be detected by:

Monitoring access logs for any new or unknown users
Monitoring system logs for the following message (where filename is an unknown filename that does not correlate with an expected file installation action)
- %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
Running the following on a suspect device, where systemip is the IP address of the system to check. An impacted system will return a hexadecimal string:
- curl -k -X POST “https://systemip/webui/logoutconfirm.html?logon_hash=1″

Further details on their recommendations and IoCs can be found here.

GitHub user ZephrFish https://twitter.com/ZephrFish has produced and shared a simple tool to scan if a host has been impacted by a threat actor using the vulnerability. This can be found here.

The following Snort rule IDs are also available to detect exploitation:

3:50118:2 – can alert for initial implant injection
3:62527:1 – can alert for implant interaction
3:62528:1 – can alert for implant interaction
3:62529:1 – can alert for implant interaction

Additional ongoing discussions on this vulnerability can be followed on this twitter thread by Daniel Card https://twitter.com/UK_Daniel_Card/thread/1714536315834798314

cisco vulnerability Flash Alert - Critical Vulnerability in Cisco IOS XE Software SOS Intelligence sosintelligence flash alert

Flash Alert – Further exploitation of Citrix NetScaler

The SOS Intelligence CVE Chatter Weekly Top Ten – 16 October 2023

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.