Just in Time Bulletin: CVE-2023-20198 Cisco IOS XE Web UI Authentication Bypass and Privilege Escalation
What is CVE-2023-20198?
Recently, a flood of exploit reports has been making waves across the internet, all thanks to a critical vulnerability in Cisco IOS XE firmware. This time the reports came straight from the horse's mouth: Cisco informed users that the zero-day was being actively exploited en masse by an unknown threat actor. The entry vector for exploitation is the Cisco IOS XE web interface, which is enabled by default on most products. Successful exploitation results in authentication bypass and privilege escalation, granting threat actors full control over vulnerable devices.
The additional unknown element associated with this attack chain is the presence of an implant on vulnerable devices, installed after successful exploitation of CVE-2023-20198. The implant enables the execution of either IOS or system level commands, facilitating a complete compromise of the network device and establishing a platform for continued attacks against private network assets.
Indicators of compromise suggest that threat actors are leveraging a previously patched remote command execution vulnerability (CVE-2021-1435) to deploy the implant; however, the implant has also been observed on fully patched devices. At the time of publishing, researchers have yet to confirm what additional vulnerabilities were exploited to escalate the attack.
At present, Cisco has not released a formal patch, but recommends that all customers disable the HTTP UI on all devices to minimize the risk of exploitation. This is extremely serious. Disable the HTTP interface ASAP.
How bad is this?
Active exploitation today. Disable the HTTP UI yesterday!
- Credentials are NOT required
- Mass exploitation in the wild
- Unknown level of complexity
How is it exploited?
Exploitation is carried out via authentication bypass and privilege escalation; however, the specific entry points are not yet documented. We will continue to provide updates as more information becomes available from Cisco.
How do I protect myself?
If your organization has a Cisco IOS device exposed to the internet with the HTTP interface enabled, there is a strong possibility that the device has already been compromised. The malicious campaign was underway prior to the release of a patch from Cisco, providing an ample window of opportunity for the mass infection of devices.
Use the following cURL command to verify if an implant has been deployed on your device:
curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"
If the above command returns a hexadecimal string (a SHA1 hash), the device has been compromised. Note that this only serves as an indicator of compromise (IOC) if the vulnerable device was restarted.
It is strongly recommended that all Cisco customers operating potentially vulnerable devices analyze log files for indicators of compromise. Cisco has reported that the users most commonly associated with the implant are cisco_tac_admin, cisco_support, and cisco_sys_manager.
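The two checks above, the cURL implant probe and the search for the three account names, combined into one script. This is an added example written for this bulletin, not Cisco's or Talos's tooling; the check path and usernames come from the bulletin, the log lines are constructed samples, and the hex-response rule is an assumption based on the bulletin's description of the reply.

```python
import re
import ssl
import sys
import urllib.request

# Usernames this bulletin associates with the implant.
IMPLANT_USERS = ("cisco_tac_admin", "cisco_support", "cisco_sys_manager")

# Check path taken from the bulletin's cURL command.
CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# The bulletin says a compromised device answers with a hexadecimal string
# (a SHA1 hash); a clean device returns the normal HTML logout page. We
# accept any hex-only body of 16+ chars (assumption) so a differing length is not missed.
_HEX_RESPONSE = re.compile(r"^[0-9a-fA-F]{16,}$")


def implant_indicated(body: str) -> bool:
    """True if the response body looks like the implant's hex-string reply."""
    return bool(_HEX_RESPONSE.match(body.strip()))


def check_device(host: str, timeout: float = 10.0) -> bool:
    """Equivalent of `curl -k -X POST`: -k skips certificate verification,
    since IOS XE web UIs commonly use self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{CHECK_PATH}", data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return implant_indicated(resp.read().decode("utf-8", "replace"))


def find_implant_users(log_lines):
    """Return (line_no, username, line) for each log line naming one of the accounts."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for user in IMPLANT_USERS:
            if re.search(rf"\b{re.escape(user)}\b", line):
                hits.append((n, user, line))
    return hits


# Constructed sample log lines (not real IOS XE output) to exercise the scan.
SAMPLE_LOG = [
    "Oct 17 10:02:11 edge-rtr-1: login success for user netops from 10.0.0.5",
    "Oct 17 10:05:43 edge-rtr-1: user cisco_tac_admin added with privilege 15",
    "Oct 17 10:06:02 edge-rtr-1: web login success for user cisco_support",
    "Oct 17 10:08:19 edge-rtr-1: config saved by netops",
]

if __name__ == "__main__":
    for host in sys.argv[1:]:  # device IPs/hostnames to probe, if any
        print(host, "IMPLANT INDICATED" if check_device(host) else "no implant response")
    for n, user, line in find_implant_users(SAMPLE_LOG):
        print(f"line {n}: suspicious account {user}: {line}")
```

Run it with your device addresses as arguments to probe them; replace SAMPLE_LOG with lines read from your exported syslog to scan real logs.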
For detailed information on incident response recommendations, please refer to the Cisco Talos blog and advisory linked in the additional resources section below.
Who is affected by this?
Current estimates based on Shodan and Censys queries indicate that roughly 34,000 devices across the internet are already infected. Cisco has not yet released a complete list of affected products, but any network device with a web UI operating IOS XE is likely vulnerable, which includes routers, switches, and other network devices. The impact is vast.
Any Cisco device with the HTTP interface disabled is not affected. Further, reports indicate that the implant cannot survive a reboot; however, accounts created by the attacker remain.