Warning of Actively Exploited Zero-Day Vulnerability in Cisco IOS XE

UPDATE on 24 October 2023 at 1.00 p.m.: identification of the additional vulnerability CVE-2023-20273, updated procedure for identifying compromised devices, added reference to firmware updates.

The National Cyber Security Centre SK-CERT (hereinafter referred to as "SK-CERT") warns of an actively exploited vulnerability in the web user interface of Cisco IOS XE software.

Cisco has identified active exploitation of a previously unknown (zero-day) vulnerability in the web user interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). It affects both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.

A threat actor exploits CVE-2023-20198 to gain initial access to the device and issues a privilege level 15 command to create a local user. The account created this way allows the attacker to log in to the device as a normal user.

Subsequently, the threat actor exploits a newly identified vulnerability (CVE-2023-20273) that allows a normal user to elevate privileges to root and write malicious code (an implant) directly to the file system.

In several of the attacks initially analysed by Cisco, the threat actor exploited this vulnerability to create a local user account and also exploited an older command injection flaw in the Web UI (CVE-2021-1435). However, this older vulnerability is not necessary for successful exploitation; the privilege escalation step is attributed to CVE-2023-20273.

Thus, there are two vulnerabilities in the Cisco IOS XE web interface associated with this threat:

  • CVE-2023-20198, which has the highest possible CVSS score of 10.0 (critical); successful exploitation gives the attacker full control over the compromised device and allows subsequent unauthorised activity
  • CVE-2023-20273, which has a CVSS score of 7.2

Chaining these two vulnerabilities allows the attacker to gain full control over the compromised device. Both affect Cisco IOS XE software only if the Web UI feature (HTTP or HTTPS server) is enabled.

SK-CERT has identified a very high percentage of demonstrably compromised devices among those in the Slovak address space whose configuration interface is accessible.

At the time of the original publication of this warning, no patch (update) for the vulnerability was available.

Currently, a fixed release for Cisco IOS XE version 17.9.4 (17.9.4a) is available. Fixes are planned for the earlier versions 17.6.6, 17.3.8 and 16.12.10 (the last for Catalyst 3650 and 3850 devices only), with no release date announced so far. More detailed information can be found here:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html

How to detect that a device has been compromised

Although a number of guides for detecting compromised devices exist on the Internet, SK-CERT warns that they only detect compromise by the specific attacker tooling identified so far. Confirming that a device has been compromised in a particular known way is nevertheless valuable, so we publish the following detection method:

  • on a computer with access to the device's management interface, replace the string X.X.X.X with the device's IP address and run the command

curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https://X.X.X.X/webui/logoutconfirm.html?logon_hash=1"

If the output is a hexadecimal string, for example 8c98ee1afcbbfdd5ad, the device is compromised (the implant answers this request). This check only works if the web server was restarted after the vulnerability was exploited, because the implant only becomes active after such a restart.

  • also run the command

curl -k "https://X.X.X.X/%25"

If the response is HTTP 404 with an HTML body containing the text "404 Not Found", the device is compromised. Uncompromised devices answer this request with a bare, standard HTTP 404 response or with an HTTP 200 response containing a JavaScript redirect.

  • also run the command

curl -k -X POST "https://X.X.X.X/webui/logoutconfirm.html?menu=1"

If the output has a format similar to /1010202301/, the device is compromised. The digits are believed to represent the date of the compromise.

  • check for the presence of the configuration file /usr/binos/conf/nginx-conf/cisco_service.conf
  • check the device logs (ideally on an external logging server) for entries similar to the following, where user is cisco_tac_admin, cisco_support or any other unknown user:

%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

  • similarly, look in the logs for traces such as

%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename

We reiterate that if compromise has not been confirmed by these methods, the device may still be compromised. There is currently no reliable way to confirm that the vulnerability has not been exploited.
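As an added example, not code from the advisory, from SK-CERT or from Cisco, the bash script below bundles the three curl checks and the log indicators listed above into one tool. The request paths, the Authorization header value, the expected response patterns and the log message formats are taken from the advisory; the function names, the "compromised" / "no-indicator" labels, the check_device/scan_log structure and the sample log lines are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the SK-CERT advisory). Request paths, header
# value, response patterns and log formats come from the advisory; the
# structure, names and SAMPLE_LOG below are this example's own assumptions.
set -u

# Authorization header value the implant expects (from the advisory's first check).
IMPLANT_AUTH='0ff4fbf0ecffa77ce8d3852a29263e263838e9bb'

# Check 1: body of POST /webui/logoutconfirm.html?logon_hash=1.
# The implant answers with a hexadecimal string such as 8c98ee1afcbbfdd5ad;
# a clean Web UI returns HTML. Only meaningful if the web server was
# restarted after exploitation (the implant is inactive until then).
classify_logon_hash() {
    if printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8,}$'; then
        echo compromised
    else
        echo no-indicator
    fi
}

# Check 2: GET /%25. HTTP 404 whose HTML body contains "404 Not Found" is the
# implant; a bare 404 or a 200 with a JavaScript redirect is normal behaviour.
classify_percent25() {
    local status="$1" body="$2"
    if [ "$status" = 404 ] && printf '%s\n' "$body" | grep -q '404 Not Found'; then
        echo compromised
    else
        echo no-indicator
    fi
}

# Check 3: body of POST /webui/logoutconfirm.html?menu=1.
# The implant returns a value like /1010202301/ (digits between slashes).
classify_menu() {
    if printf '%s\n' "$1" | grep -Eq '^/[0-9]+/$'; then
        echo compromised
    else
        echo no-indicator
    fi
}

# Run all three checks against one device (X.X.X.X in the advisory).
check_device() {
    local base="https://$1" body status tmp
    body=$(curl -sk -H "Authorization: $IMPLANT_AUTH" -X POST "$base/webui/logoutconfirm.html?logon_hash=1")
    echo "logon_hash=1 : $(classify_logon_hash "$body")"
    tmp=$(mktemp)
    status=$(curl -sk -o "$tmp" -w '%{http_code}' "$base/%25")
    body=$(cat "$tmp"); rm -f "$tmp"
    echo "/%25         : $(classify_percent25 "$status" "$body")"
    body=$(curl -sk -X POST "$base/webui/logoutconfirm.html?menu=1")
    echo "menu=1       : $(classify_menu "$body")"
}

# Print the log lines matching the advisory's indicators:
#   - any CONFIG_P entry made by process SEP_webui_wsma_http
#   - any WEBUI-6-INSTALL_OPERATION_INFO entry
#   - any WEBLOGIN_SUCCESS for a user not in the list of known accounts
# Usage: scan_log LOGFILE [known_user ...]
scan_log() {
    local file="$1"; shift
    local known=" $* " line user
    while IFS= read -r line; do
        case "$line" in
            *SEP_webui_wsma_http*|*WEBUI-6-INSTALL_OPERATION_INFO*)
                printf '%s\n' "$line" ;;
            *SEC_LOGIN-5-WEBLOGIN_SUCCESS*)
                user=$(printf '%s\n' "$line" | sed -n 's/.*\[user: \([^]]*\)\].*/\1/p')
                case "$known" in
                    *" $user "*) ;;                 # an account the operator recognises
                    *) printf '%s\n' "$line" ;;
                esac ;;
        esac
    done < "$file"
}

# Constructed sample syslog export (not real data) for a stand-alone run:
# "admin" is the operator's own account, cisco_tac_admin the attacker's.
SAMPLE_LOG='Oct 11 03:40:01 core-sw1 101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] at 03:40:01 UTC Wed Oct 11 2023
Oct 11 03:41:59 core-sw1 102: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Oct 11 03:42:10 core-sw1 103: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
Oct 11 03:42:13 core-sw1 104: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.7] at 03:42:13 UTC Wed Oct 11 2023
Oct 11 03:42:20 core-sw1 105: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf'

# Number of indicator lines scan_log finds in SAMPLE_LOG given the known users.
count_sample_iocs() {
    local tmp n
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    n=$(scan_log "$tmp" "$@" | wc -l)
    rm -f "$tmp"
    echo $((n))
}

# ./iosxe_check.sh X.X.X.X [LOGFILE [known_user ...]]
if [ -n "${1:-}" ]; then
    check_device "$1"
    if [ -n "${2:-}" ]; then log="$2"; shift 2; scan_log "$log" "$@"; fi
fi
```

The HTTP checks are a positive-only test, as the advisory says: a "no-indicator" result means only that this particular implant did not answer. The log scan treats every WEBLOGIN_SUCCESS for an account not passed as a known user as an indicator, so pass the full list of legitimate Web UI accounts to keep noise down, and run it against the external syslog copy rather than the device's own buffer, which an attacker with root can clear.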

As a further method of detection, we recommend that users

  • compare the current device configuration with a known-good backup (especially the user accounts, firewall rules and logging settings);
  • check other network elements for any unusual communication attempts originating directly from the checked device.

Recommendations

  • Immediately disable the configuration web interface with the commands

no ip http server

no ip http secure-server

  • Check the specific indicators of compromise using the method above and thoroughly review the logs and any configuration changes.
  • If a compromise is confirmed, under no circumstances attempt to update or reinstall the device yourself. Since IOS XE is based on the Linux operating system with containerization technologies, an attacker has many options to ensure persistence even after such an update. We therefore recommend performing a full forensic analysis of the affected device and at least temporarily replacing it with another device in the network.
  • Even if you did not detect a compromise using the above methods, and the device had a web configuration interface accessible from the Internet, we recommend that you consider it compromised and deal with it that way.
  • After recovery, it is important to change all login credentials, encryption keys, VPN configurations, and other potentially sensitive data, and check the impact on the rest of the network.

This is a critical vulnerability and we strongly recommend that affected entities immediately implement the steps recommended by Cisco and SK-CERT. In the event of a cybersecurity incident, please report it immediately to [email protected].

Sources:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z#REC

https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/

https://nvd.nist.gov/vuln/detail/CVE-2023-20198

https://www.tenable.com/blog/cve-2023-20198-zero-day-vulnerability-in-cisco-ios-xe-exploited-in-the-wild

https://www.helpnetsecurity.com/2023/10/16/cve-2023-20198/

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html