WARNING: CRITICAL VULNERABILITY IN CISCO IOS XE, RISK OF REMOTE UNAUTHENTICATED PRIVILEGE ESCALATION AND SYSTEM TAKEOVER ON SYSTEMS RUNNING WEB UI AND HTTP/HTTPS SERVICES
CVE-2023-20198: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X)
CVE-2023-20273: 7.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Internet-facing systems running IOS XE with the HTTP Server feature enabled are vulnerable to an attack chain consisting of two 0day vulnerabilities CVE-2023-20198 and CVE-2023-20273. Successful exploitation of this attack chain allows a remote and unauthenticated attacker to gain full control over the affected system. A possible compromise could thus have a high impact on confidentiality, integrity and availability.
Cisco IOS XE runs on a wide range of Cisco switches, wireless controllers, access points and routers. This OS contains a web UI feature that can be used to access/modify configurations as well as to monitor and troubleshoot the system.
Cisco has identified active exploitation of a previously unknown vulnerability CVE-2023-20198 in the Web User Interface (WebUI) feature of Cisco IOS XE software when exposed to the internet or untrusted networks. This affects both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled. Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and login with normal user access.
Next, the attacker can use the new unauthorized local user account to exploit a second previously unknown vulnerability (CVE-2023-20273) in another component of the WebUI feature. This allows the adversary to inject commands with elevated (root) privileges, giving them the ability to run arbitrary commands on the device.
Since mass exploitation of this attack chain was reported, assume compromise of IOS XE devices with an internet-facing WebUI interface.
The Centre for Cybersecurity Belgium strongly recommends administrators of affected systems to take following actions.
Reduce your attack surface
Disable unused services, especially if these services are exposed to the Internet.
Implement access and authorization management policies to restrict access to network device management services (web UI, ssh, …) to authorized persons only from authorized networks only.
The Cisco advisory contains guidance on how to verify if the web UI feature is enabled and how to restrict access to this interface.
Fixes for CVE-2023-20198 and CVE-2023-20273 started to roll out on October 22. Patch after thorough testing and keep an eye out for future security bulletins.
Since these vulnerabilities are actively exploited the CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion. Should the involved device be connected to a management network, please ensure upscaled monitoring and detection capabilities are also present on this network.
In order to avoid detection the threat actor removes newly added user accounts. It is thus advised to check device logs for activity of any configured, local user that is unknown to the network administrator. Unexpected clearing of device logs might also be an indicator of suspicious activity.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred prior to patching. Cisco Talos indicates first known exploitation attempts started around September 18, 2023.
Observed user accounts