(1 votes, average: 5.00 out of 5)
A zero-day vulnerability was discovered by Cisco on 16 October 2023. During vulnerability analysis, it was discovered that the web UI of Cisco IOS XE is getting exploited with it. All the potential public-facing network devices are on the verge of being accessed by attackers.
But, to safeguard the businesses, Cisco released some mitigation mechanisms and patches for some OS versions. Here, you will undergo the vulnerability details and approaches to prevent unauthorized access.
The CVE-2023-20198 vulnerability is associated with the Cisco Internetwork Operating System (IOS), which is used by Cisco-manufactured products, such as switches, routers, wireless controllers, and access points. All these devices use the Cisco IOS, in which this zero-day vulnerability was discovered on 16 October 2023.
The Cisco IOS provides a web-based interface for network administrators and engineers to configure the devices and deploy them in the network. However, due to the CVE-2023-20198 vulnerability, attackers were able to gain unauthorized access, create an account, and escalate all high-level admin controls.
During the investigation, it was concluded that devices facing the public network or devices deployed in a public network are at risk. Until the patch, the organizations need to follow the mitigation mechanisms discussed further in this blog.
In addition, below are the highlights of this privilege escalation vulnerability:
In addition, once the attacker exploits the CVE-2023-20198 vulnerability, they can also exploit the CVE-2021-1435 vulnerability (Arbitrary Code Execution). One exploit leads to another, enabling illegitimate actors to gain access to the complete network or corrupt the entire system.
Furthermore, with the exploitation of CVE-2021-1435, adversaries are also capable of:
Cisco followed the below steps after getting alerted about the CVE-2023-20198.
Step 1: Analyzed the vulnerability and assigned a CVSS score of 10 to it.
Step 2: Issued a public notice regarding the vulnerability and started working to patch it.
Step 3: Releases fixtures for some Cisco IOS XE versions, including 17.9, 17.6, 17.3, and 16.12. The 16.12 version patch is only for Catalyst switch series 3650 and 3850.
Further, Cisco is constantly working on creating a reliable patch for all the affected devices and versions of the Cisco IOS XE. You can check the fix for your device in the list published by Cisco.
Besides the fix released by Cisco, you should also execute the following mitigation mechanisms to lower the impact of CVE-2023-20198.
The primary solution to safeguard the devices from exploiting their web UI is disabling the HTTP and HTTPS server functionality. You only need to disable it until Cisco releases a relevant update.
You can use the following steps to disable HTTP and HTTPS.
Step 1: Check the running configuration to verify whether the HTTP service is running.
show running-config | include ip http server | secure |active
Step 2: Check for the following response
ip http server
ip http secure-server
Step 3: If you find the responses mentioned in step 2, execute the following commands.
no ip http server
no ip http secure-server
copy running-configuration startup-configuration
You need to use this mitigation mechanism if you are unable to disable the HTTP/S on the Cisco devices. Here, you should restrict access to public-facing devices running on Cisco IOS XE. From the network device controller, you can restrict their services and prevent attackers.
As you know, attackers create backdoors after gaining access to the devices. Also, they exploit the CVE-2021-1435 to execute arbitrary code. To prevent all this from happening on your network devices, scan them for detecting implants.
You can use the following command:
curl -k -X POST "https[:]//Cisco_Device_IP/webui/logoutconfirm.html?logon_hash=1"
If you receive a hash in return, then a backdoor/implant is present. You should find and remove it from the startup-config and all other memory units.
Once an attacker accesses the Cisco IOS XE device, they first create an account with admin-level controls. You should check the total accounts on the device and cross-verify them with documentation. If you find any unknown account, validate it and delete it instantly.
Some of the usernames used by attackers are discovered, which include “cisco_tac_admin” and “cisco_support.”
In addition, you can also check the logs starting with “%SYS-5-CONFIG_P”. These logs are created when someone creates a new account on the web UI.
So, these are the mitigations that you should consider to be safe from exploitation. Additionally, when you patch the vulnerability, utilize a top-notch SSL certificate for your HTTP/S server. It will help retain the data integrity, availability, and confidentiality.
The Cisco IOS XE vulnerability leverages illegitimate actors to access the public-facing network devices and utilize its web UI with admin controls. Currently, only a few versions of the operating system have received a patch.
And until Cisco releases a final patch for all the versions and devices, you should follow the mitigation mechanism mentioned above. It will help you safeguard your devices and network from arbitrary code execution and unauthorized access.