October 22nd, 2023 Update: Cisco has released fixes for CVE-2023-20198. Customers are advised to upgrade to an appropriate fixed software release.
Cisco is warning of a critical zero-day vulnerability in Cisco IOS XE that allows a remote, unauthenticated attacker to create an account with privilege level 15 (full administrative) access on an affected system and then use that account to take control of the device. Tracked as CVE-2023-20198 (CVSSv3 score: 10.0, Critical), the actively exploited flaw is in the software's web UI feature and affects both physical and virtual devices running IOS XE that are exposed to the internet with the HTTP or HTTPS Server feature enabled. At the time of writing there is no patch available; Cisco has said it will provide updates on status and on when a fixed release is available. Customers are strongly recommended to disable the HTTP Server feature on all internet-facing systems and to check their devices for malicious activity in the form of newly created users.
The issue was discovered after Cisco detected malicious activity on a customer's device in September 2023, where an authorized user created a local user account under the username "cisco_tac_admin" from a suspicious IP address. This activity ended on October 1, 2023. A second, related cluster of activity was observed on October 12, 2023, where an unauthorized user created a local user account under the name "cisco_support" from a different IP address. Cisco reports that this was followed by a series of actions ending in the deployment of a Lua-based implant that lets the actor execute arbitrary commands at the system (shell) level or the IOS level. Both clusters of activity were assessed to be carried out by the same threat actor.
The implant is installed by exploiting an older vulnerability, CVE-2021-1435, a previously patched command injection flaw in the web UI of Cisco IOS XE Software that allowed an authenticated attacker to inject arbitrary commands executed as the root user. Cisco also observed that devices fully patched against CVE-2021-1435 were still successfully implanted; at the time of writing, the mechanism used in those cases is not known.
No proof-of-concept code has been found publicly available for CVE-2023-20198. Based on research using the Shodan search engine, nearly 40,000 Cisco devices have the web UI exposed to the internet.
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:
MDR Services
- We use several threat feeds that are updated daily.
- In addition to the automatic threat feeds, we have added indicators related to the known malicious threat actor activity into our MDR solution, FortiSIEM.
EDR Services
- In addition to ongoing vendor IoC updates, we have loaded the known IoCs to help with detection.
Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.
Indicators are provided in the Indicators of Compromise section below for your reference.
As always, if we detect activity related to these exploits, we will alert you when applicable.
Affected Products
This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.
Recommendations
According to Cisco, customers are strongly recommended to disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
The following decision tree can be used to help determine how to triage an environment and deploy protections:
- Are you running IOS XE?
  - No. The system is not vulnerable. No further action is necessary.
  - Yes. Is ip http server or ip http secure-server configured?
    - No. The vulnerability is not exploitable. No further action is necessary.
    - Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
      - No. Disable the HTTP Server feature.
      - Yes. If possible, restrict access to those services to trusted networks.
Cisco Advisory
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
Cisco IOS XE Implant Scanner
VulnCheck has released a scanner to detect the implant on affected devices. See: cisco-ios-xe-implant-scanner
Indicators of Compromise
5.149.249[.]74
154.53.56[.]231
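The following script is an added example, not code from SecurIT360, Cisco or VulnCheck. It applies the Cisco decision tree from the Recommendations section to a captured `show running-config`, lists privilege-15 local users that are not on an operator-supplied baseline (so the "cisco_tac_admin" and "cisco_support" accounts described above stand out), scans log text for the two IoC addresses listed above, and classifies a captured response to the implant check published by Cisco Talos (a POST to /webui/logoutconfirm.html?logon_hash=1 that returns a bare hexadecimal string when the implant is present). The sample config and log lines are constructed for the example, the treatment of any `ip http access-class` line as "restricted to trusted networks" is an assumption, and the script only evaluates a captured response body rather than contacting a device.

```python
"""Offline triage helper for the CVE-2023-20198 decision tree and IoCs above.

Added example; not SecurIT360, Cisco or VulnCheck code. The sample
running-config and log lines below are constructed, not from a real device.
"""
import re

# Defanged addresses from the Indicators of Compromise section of the post.
IOC_IPS = {"5.149.249[.]74", "154.53.56[.]231"}

# Account names the actor created in the activity Cisco described.
ACTOR_USERNAMES = {"cisco_tac_admin", "cisco_support"}


def refang(ip: str) -> str:
    """Turn a defanged address like 1.2.3[.]4 back into 1.2.3.4."""
    return ip.replace("[.]", ".")


def audit_running_config(config_text: str, expected_admins: set[str]) -> dict:
    """Apply the Cisco decision tree to a 'show running-config' capture.

    expected_admins is the operator's own baseline of legitimate privilege-15
    accounts; any other privilege-15 user is flagged for review.
    """
    lines = [line.strip() for line in config_text.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    # Assumption: any 'ip http access-class ...' line means the web UI is
    # bound to an ACL, i.e. "restricted to trusted networks" in the tree.
    restricted = any(line.startswith("ip http access-class") for line in lines)

    priv15_users = []
    for line in lines:
        m = re.match(r"username (\S+) privilege (\d+)", line)
        if m and int(m.group(2)) == 15:
            priv15_users.append(m.group(1))
    flagged = [u for u in priv15_users
               if u in ACTOR_USERNAMES or u not in expected_admins]

    if not (http_on or https_on):
        action = "web UI disabled: not exploitable, no further action"
    elif restricted:
        action = "web UI enabled but ACL-restricted: verify the ACL permits only trusted networks"
    else:
        action = "web UI exposed: apply 'no ip http server' and 'no ip http secure-server'"

    return {
        "web_ui_enabled": http_on or https_on,
        "acl_restricted": restricted,
        "priv15_users": priv15_users,
        "flagged_users": flagged,
        "action": action,
    }


def find_ioc_hits(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, defanged IoC) pairs for log lines naming an IoC address."""
    fanged = {refang(ip): ip for ip in IOC_IPS}
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for plain, defanged in fanged.items():
            # Bounded so 5.149.249.74 does not match inside 5.149.249.741.
            if re.search(rf"(?<![\d.]){re.escape(plain)}(?![\d.])", line):
                hits.append((n, defanged))
    return hits


def implant_probe_indicates_implant(response_body: str) -> bool:
    """Classify a captured body from the Talos-published implant check.

    The check is a POST to /webui/logoutconfirm.html?logon_hash=1 on the
    device; a bare hexadecimal string in the body indicates the implant,
    while an HTML page or empty body does not. No request is sent here.
    """
    body = response_body.strip()
    return bool(body) and re.fullmatch(r"[0-9a-fA-F]+", body) is not None


# Constructed sample input (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username admin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username netops privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

SAMPLE_LOG = """\
Oct 12 2023 03:14:07: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 154.53.56.231]
Oct 12 2023 03:15:22: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

if __name__ == "__main__":
    report = audit_running_config(SAMPLE_CONFIG, expected_admins={"admin"})
    print(report["action"])
    print("flagged privilege-15 users:", report["flagged_users"])
    print("IoC hits:", find_ioc_hits(SAMPLE_LOG))
    print("implant:", implant_probe_indicates_implant("0123456789abcdef12"))
```

Run it against a real `show running-config` and `show logging` capture by replacing the two sample strings; the baseline of expected administrators is deliberately an input, because an account the attacker created will otherwise only be caught if it happens to use one of the two names Cisco reported.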
Resources & Related Articles
- Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
- Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild
- Thousands of Cisco IOS XE devices hacked in widespread attacks
- 0-day in Cisco IOS XE software is under attack
- CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild