Threat Advisory: Cisco IOS XE privilege escalation and file-write vulnerability (CVE-2023-20198/CVE-2023-20273)
Zero-days affecting networking devices running Cisco IOS XE exploited to take control of devices and install an implant

The vulnerabilities: CVE-2023-20198 and CVE-2023-20273
- CVE-2023-20198: A remote privilege escalation vulnerability in the Web UI of Cisco IOS XE (CVSS 10.0)
- CVE-2023-20273: An unauthorised file write vulnerability in the Web UI of Cisco IOS XE (CVSS 7.2)
Cisco addressed both vulnerabilities in release 17.9.4a on the 23rd of October. Fixed releases 16.12.10a, 17.3.8a and 17.6.6a for the older release trains have yet to be published.
Our assessment is that the two Cisco vulnerabilities have the potential to impact many organisations. This is due to the widespread use of these devices and the role and access into networks these devices usually have. In addition, there is no specialist competency required to exploit the vulnerabilities.
Our scans of the entire IPv4 space have discovered more than 42 000 compromised devices as of October 19th. We continue to scan and track developments.
Exploiting CVE-2023-20198
CVE-2023-20198 can be exploited by sending an unauthenticated POST request to
https://[IP/domain of IOS device]/webui/create_user
Exploiting CVE-2023-20273
CVE-2023-20273 can be exploited by authenticating as the user created by exploiting CVE-2023-20198, followed by a POST request to a URI path that is not known at the moment.
Affected systems
All Cisco IOS XE devices running any release prior to 17.9.4a with the HTTP server enabled are affected.
Threat Intelligence assessment
mnemonic have performed several scans of the entire IPv4 space to look for exposed and compromised IOS devices. The results are continuously being analysed by our threat intelligence team. Customers with compromised devices are being notified on a case-by-case basis as soon as any customer devices are found within the results.
In total, we have found over 42 000 exploited devices in the IPv4 space as of the 19th of October. We are continuously running scans.
Some researchers have reported a sharp reduction in compromised devices, but this appears to be caused by an update the threat actor deployed to all implants: the updated implant now requires an additional authentication header in the request before it responds.
The threat actor behind the mass exploitation and deployment of the implants is currently unknown.
mnemonic assessment
mnemonic assesses with high confidence that several threat actors will try to compromise publicly exposed and vulnerable Cisco IOS XE devices. The two Cisco vulnerabilities have the potential to impact many organisations. This is due to the widespread use of these devices and the role and access into networks these devices usually have. In addition, there is no specialist competency required to exploit the vulnerabilities.
Moderately capable criminals as well as nation state actors are likely to be interested in exploiting this vulnerability, either as an entry vector for lateral movement or as a potential proxy for C2 traffic. Limited visibility on devices like these makes them an especially popular target for nation state actors that want to avoid detection. Depending on the network topology of affected organisations, access from vulnerable devices to management networks and other sensitive networks will increase the potential impact of exploitation and of post-compromise activity.
Recommendations
Check if system is affected
If you have any Cisco appliances running IOS XE with the HTTP server enabled, you are impacted by this vulnerability. This includes switches, routers, wireless LAN controllers and any other appliances running IOS XE.
To check whether the HTTP server is enabled on your devices, run the following command on the Cisco IOS appliance in question:
show running-config | include ip http server|secure|active
If the output contains either or both of the following lines, you are affected and we recommend that you follow the mitigating actions described below:
ip http server
ip http secure-server
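The following Python script is an added example, not part of the advisory, for applying the check above to saved running-configs offline (for example, configs collected from many devices by a backup tool). It matches whole lines, so a negated `no ip http server` is reported as disabled even though the `include` filter shown above would print that line too. The `active` term in that filter matches the `ip http active-session-modules` lines; the script records those for the analyst but follows this advisory's rule that any enabled HTTP or HTTPS server means the device is affected. The sample config and hostname are constructed for the example.

```python
import re

# Constructed sample output of `show running-config` (not captured from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
ip http server
no ip http secure-server
ip http active-session-modules none
!
"""

# Whole-line matches: an optional leading "no " marks the service as disabled.
HTTP_RE = re.compile(r"^(?P<neg>no\s+)?ip http (?P<svc>secure-server|server)\s*$")
# `ip http active-session-modules none` / `ip http secure-active-session-modules none`
MODULES_RE = re.compile(r"^ip http (?P<tls>secure-)?active-session-modules none\s*$")


def http_server_state(running_config: str) -> dict:
    """Return the web-server related settings found in a running-config.

    Lines that are absent are treated as disabled; confirm on the device if
    neither `ip http server` nor `no ip http server` appears at all.
    """
    state = {
        "ip http server": False,
        "ip http secure-server": False,
        "http_session_modules_none": False,
        "https_session_modules_none": False,
    }
    for raw in running_config.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            state["ip http " + m.group("svc")] = m.group("neg") is None
            continue
        m = MODULES_RE.match(line)
        if m:
            key = "https_session_modules_none" if m.group("tls") else "http_session_modules_none"
            state[key] = True
    return state


def is_affected(running_config: str) -> bool:
    """Apply the advisory's rule: any enabled HTTP or HTTPS server means affected."""
    s = http_server_state(running_config)
    return s["ip http server"] or s["ip http secure-server"]


if __name__ == "__main__":
    state = http_server_state(SAMPLE_CONFIG)
    for key, value in state.items():
        print(f"{key:32} {value}")
    print("affected:", is_affected(SAMPLE_CONFIG))
```

Run it against each collected config file; a device whose config yields `affected: True` should go through the mitigating actions listed next.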
Mitigating actions
- Install the security updates provided by Cisco
- Disable HTTP server
- This can be done by issuing the following commands on the Cisco devices:
no ip http server
no ip http secure-server
- Make sure the web interface is not reachable externally or from insecure networks (including guest networks)
- If the HTTP server for some reason cannot be disabled, follow Cisco's recommendations to limit access with an ACL
Check if system is exploited
Check system logs for configuration changes through the web interface:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Followed by a successful login by a new, unknown user:
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023
To identify exploitation of CVE-2023-20273, look for the following content in the logs:
%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
Exploitation is indicated if “filename” is an unexpected file and “username” is the new user created by the threat actor in the previous step.
Cisco and Rapid7 mention a couple of users and IP addresses observed in intrusions. However, these may be intrusion-specific and should not be used as the only indicator of compromise.
5.149.249[.]74
154.53.56[.]231
cisco_tac_admin
cisco_support
cisco_sys_manager
Look for post-compromise activity on device
Post-compromise activity observed by Rapid7:
show running-config
show voice register global
show dial-peer voice summary
show platform
show flow monitor
show platform
show platform software iox-service
show iox-service
dir bootflash:
dir flash:
clear logging
no username cisco_support
no username cisco_tac_admin
no username cisco_sys_manager
These commands include deletion/clean-up of logs. This means that even if local logs do not contain any indicators of compromise, there is still a possibility that the device has been compromised. In that case, examining logs sent to a remote server is necessary to assess whether the device has been compromised.
There have also been observations where the users created by exploiting these vulnerabilities have subsequently been deleted. This means that the absence of unknown users does not mean the device has not been compromised.
Search for exploited devices in Splunk
Hits on either of these queries do not by themselves mean that you are compromised; only the INSTALL_OPERATION... followed by a login with an unknown account means that you should investigate further.
index=* sourcetype=cisco:* 5.149.249.74 OR 154.53.56.231 OR cisco_tac_admin OR cisco_support
index=* sourcetype=cisco:* WEBUI-6-INSTALL_OPERATION_INFO OR SEC_LOGIN-5-WEBLOGIN_SUCCESS OR SYS-5-CONFIG_P
Note: Cisco IOS logs need to be ingested into Splunk for these queries to work.
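For environments where the logs are not in Splunk (or to triage a remote syslog archive after the device's local logs have been cleared), the following Python script is an added example, not part of the advisory, that applies the same logic as the "Check if system is exploited" section and the two Splunk queries above to raw syslog lines: a `SYS-5-CONFIG_P` change by `SEP_webui_wsma_http` followed by a `WEBLOGIN_SUCCESS` for an account not in the known-user list, and an `INSTALL_OPERATION_INFO` ADD by such an account, are flagged "investigate"; a login by an unknown user without the preceding Web UI change, or a match on the published usernames and IP addresses alone, is reported only as a weak indicator, as the advisory recommends. The sample log lines, the `netops` account and the file name are constructed for the example.

```python
import re

# Indicators quoted in the advisory (defanged form); refanged here for matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in ("5.149.249[.]74", "154.53.56[.]231")}
IOC_USERS = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

# Accounts legitimately allowed to use the Web UI (assumption; constructed for the example).
KNOWN_USERS = {"netops"}

CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+)")
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]")
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<file>\S+)")

# Constructed sample syslog lines shaped after the patterns quoted in the advisory.
SAMPLE_LOGS = [
    "Oct 11 03:41:58 UTC: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as user on line",
    "Oct 11 03:42:13 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] "
    "[Source: 5.149.249.74] at 03:42:13 UTC Wed Oct 11 2023",
    "Oct 11 03:44:02 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD constructed_unexpected_file.conf",
    "Oct 11 09:15:40 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] "
    "[Source: 10.0.0.5] at 09:15:40 UTC Wed Oct 11 2023",
]


def triage(lines, known_users=KNOWN_USERS):
    """Return a list of findings; level is "info", "weak" or "investigate"."""
    findings = []
    webui_config_seen = False  # a CONFIG_P from the Web UI process earlier in the log
    for n, line in enumerate(lines, 1):
        m = CONFIG_P_RE.search(line)
        if m and m.group("proc") == "SEP_webui_wsma_http":
            webui_config_seen = True
            findings.append({"line": n, "level": "info",
                             "reason": "configuration change via Web UI"})
            continue
        m = WEBLOGIN_RE.search(line)
        if m:
            user, src = m.group("user"), m.group("src")
            if user not in known_users:
                level = "investigate" if webui_config_seen else "weak"
                findings.append({"line": n, "level": level,
                                 "reason": f"web login by unknown user {user} from {src}"})
            if user in IOC_USERS or src in IOC_IPS:
                findings.append({"line": n, "level": "weak",
                                 "reason": "matches published indicator (may be intrusion-specific)"})
            continue
        m = INSTALL_RE.search(line)
        if m and m.group("op") == "ADD" and m.group("user") not in known_users:
            findings.append({"line": n, "level": "investigate",
                             "reason": f"install of {m.group('file')} by unknown user {m.group('user')}"})
    return findings


def needs_investigation(lines, known_users=KNOWN_USERS) -> bool:
    """True when at least one finding meets the advisory's threshold for further investigation."""
    return any(f["level"] == "investigate" for f in triage(lines, known_users))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"line {f['line']:>3} [{f['level']:<11}] {f['reason']}")
    print("investigate:", needs_investigation(SAMPLE_LOGS))
```

Feed it the device's syslog as a list of lines (for example `open(path).read().splitlines()`) and populate `KNOWN_USERS` from your own account inventory; because the observed clean-up commands include `clear logging`, run it over the remote syslog copy rather than output taken from the device itself.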
What to do if a triage of devices shows signs of compromise
Please note that turning off the HTTP server and applying the patch released by Cisco is not sufficient if the device has already been compromised. If the device has been identified as compromised, we advise you to initiate incident response and further investigation into what actions might have been executed on the device. It is essential to look for lateral movement from the compromised device. It is important to note that if the device has been exposed on the internet, it should be assumed breached, even if none of the previously mentioned indicators of compromise have been observed.
mnemonic detection coverage
Detection coverage for Argus MDR customers
mnemonic have implemented several detections for this vulnerability. A set of our detections will look for the log entries described by Cisco in Cisco IOS logs forwarded to us, and another set will look at the request paths used to trigger the exploit in network logs from sensors. Customers forwarding Cisco IOS logs to us for analysis as well as those who have Argus Network Analyser are covered by our detection.
Detection coverage for Argus Continuous Vulnerability Monitoring (ACVM)
Customers with Argus CVM can view any affected assets by searching for CVE-2023-20198 in the asset database. Alerts raised for the vulnerability follow the customer's defined policy. For further inquiries regarding detection coverage in ACVM, please create a ticket in the Argus portal.
Actions taken for Argus Security Operations customers
For all of our Argus Security Operations customers we have run a set of sweeps in the available data provided to us, either through API integrations or sent to us for analysis. The sweeps look for known indicators. It is important to note that we can only sweep data we have available, meaning that if Cisco IOS logs or netflow data are unavailable, we will not be able to detect any activity related to this vulnerability. Depending on customer environments and the products in those environments, we are able to detect attempts at lateral movement and further exploitation on hosts and devices with the correct coverage.
In addition to these sweeps in available data we have scanned the entire IPv4 space and notified customers with compromised devices exposed on the public internet. Note that if you have removed devices previously exposed on the internet before 2023-10-18, we won’t be able to detect any implants and you should look for indicators mentioned in this advisory to evaluate if the device has been compromised.