How to Protect or Fix CVE-2023-20198 Vulnerability in Cisco IOS XE?

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Fix CVE-2023-20198 Vulnerability in Cisco IOS XE

A zero-day vulnerability was discovered by Cisco on 16 October 2023. During vulnerability analysis, it was discovered that the web UI of Cisco IOS XE is getting exploited with it. All the potential public-facing network devices are on the verge of being accessed by attackers.

But, to safeguard the businesses, Cisco released some mitigation mechanisms and patches for some OS versions. Here, you will undergo the vulnerability details and approaches to prevent unauthorized access.

What is CVE-2023-20198 Vulnerability?

The CVE-2023-20198 vulnerability is associated with the Cisco Internetwork Operating System (IOS), which is used by Cisco-manufactured products, such as switches, routers, wireless controllers, and access points. All these devices use the Cisco IOS, in which this zero-day vulnerability was discovered on 16 October 2023.

The Cisco IOS provides a web-based interface for network administrators and engineers to configure the devices and deploy them in the network. However, due to the CVE-2023-20198 vulnerability, attackers were able to gain unauthorized access, create an account, and escalate all high-level admin controls.

During the investigation, it was concluded that devices facing the public network or devices deployed in a public network are at risk. Until the patch, the organizations need to follow the mitigation mechanisms discussed further in this blog.

In addition, below are the highlights of this privilege escalation vulnerability:

  • It allows the attackers to gain unauthorized access over public-facing Cisco IOS XE network devices.
  • The attackers can create admin accounts once the access is maintained.
  • The logs can be modified and even deleted by the hackers.
  • The unauthorized user can remove other users.

In addition, once the attacker exploits the CVE-2023-20198 vulnerability, they can also exploit the CVE-2021-1435 vulnerability (Arbitrary Code Execution). One exploit leads to another, enabling illegitimate actors to gain access to the complete network or corrupt the entire system.

Furthermore, with the exploitation of CVE-2021-1435, adversaries are also capable of:

  • Installing backdoors to the network devices, leading them to intercept and modify data in transit.
  • Run code written in Lua programming language at the admin level.

How Cisco Reacted To Zero-Day Vulnerability?

Cisco followed the below steps after getting alerted about the CVE-2023-20198.

Step 1: Analyzed the vulnerability and assigned a CVSS score of 10 to it.

Step 2: Issued a public notice regarding the vulnerability and started working to patch it.

Step 3: Releases fixtures for some Cisco IOS XE versions, including 17.9, 17.6, 17.3, and 16.12. The 16.12 version patch is only for Catalyst switch series 3650 and 3850.

Further, Cisco is constantly working on creating a reliable patch for all the affected devices and versions of the Cisco IOS XE. You can check the fix for your device in the list published by Cisco.

The Ways To Protect Yourself From Web UI Privilege Escalation

Besides the fix released by Cisco, you should also execute the following mitigation mechanisms to lower the impact of CVE-2023-20198.

Mitigation #1: Disable HTTP/S on public-facing devices

The primary solution to safeguard the devices from exploiting their web UI is disabling the HTTP and HTTPS server functionality. You only need to disable it until Cisco releases a relevant update.

You can use the following steps to disable HTTP and HTTPS.

Step 1: Check the running configuration to verify whether the HTTP service is running.

show running-config | include ip http server | secure |active  

Step 2: Check for the following response

ip http server
ip http secure-server

Step 3: If you find the responses mentioned in step 2, execute the following commands.

no ip http server
no ip http secure-server
copy running-configuration startup-configuration

Mitigation #2: Disable the HTTP/S Server Access

You need to use this mitigation mechanism if you are unable to disable the HTTP/S on the Cisco devices. Here, you should restrict access to public-facing devices running on Cisco IOS XE. From the network device controller, you can restrict their services and prevent attackers.

Mitigation #3: Scan the Network for Backdoors and Implants

As you know, attackers create backdoors after gaining access to the devices. Also, they exploit the CVE-2021-1435 to execute arbitrary code. To prevent all this from happening on your network devices, scan them for detecting implants.

You can use the following command:

curl -k -X POST "https[:]//Cisco_Device_IP/webui/logoutconfirm.html?logon_hash=1"

If you receive a hash in return, then a backdoor/implant is present. You should find and remove it from the startup-config and all other memory units.

Mitigation #4: Check Devices for Unknown Accounts and act accordingly

Once an attacker accesses the Cisco IOS XE device, they first create an account with admin-level controls. You should check the total accounts on the device and cross-verify them with documentation. If you find any unknown account, validate it and delete it instantly.

Some of the usernames used by attackers are discovered, which include “cisco_tac_admin” and “cisco_support.”

In addition, you can also check the logs starting with “%SYS-5-CONFIG_P”. These logs are created when someone creates a new account on the web UI.

So, these are the mitigations that you should consider to be safe from exploitation. Additionally, when you patch the vulnerability, utilize a top-notch SSL certificate for your HTTP/S server. It will help retain the data integrity, availability, and confidentiality.

Concluding Up

The Cisco IOS XE vulnerability leverages illegitimate actors to access the public-facing network devices and utilize its web UI with admin controls. Currently, only a few versions of the operating system have received a patch.

And until Cisco releases a final patch for all the versions and devices, you should follow the mitigation mechanism mentioned above. It will help you safeguard your devices and network from arbitrary code execution and unauthorized access.

<?xml version="1.0" encoding="UTF-8"?><svg id="Layer_1" xmlns="" viewBox="0 0 109.7 29.02"><defs><style>.cls-1{fill:#fff;}</style></defs><path class="cls-1" d="m5.38,22.85c-3.1-.26-5.3-1.92-5.38-4.8h3.6c.1,1.1.67,1.85,1.78,2.09v-4.58c-2.47-.62-5.38-1.32-5.38-4.87,0-2.83,2.26-4.68,5.38-4.92v-1.94h1.54v1.94c3,.24,5.02,1.85,5.23,4.7h-3.62c-.1-.94-.67-1.66-1.61-1.94v4.54c2.5.65,5.42,1.3,5.42,4.85,0,2.45-1.92,4.73-5.42,4.97v1.94h-1.54v-1.97Zm0-10.25v-4.15c-1.1.17-1.87.84-1.87,2.06,0,1.13.77,1.7,1.87,2.09Zm1.54,3.38v4.2c1.22-.22,1.94-1.06,1.94-2.14s-.82-1.68-1.94-2.06Z"/><path class="cls-1" d="m17.62,8.33h-2.33v-3.1h5.78v17.5h-3.46v-14.4Z"/><path class="cls-1" d="m28.27,17.81c.26,1.39,1.15,2.18,2.71,2.18,1.97,0,2.83-1.46,2.83-5.4-.74,1.03-2.16,1.63-3.7,1.63-3.02,0-5.45-1.9-5.45-5.59,0-3.5,2.21-5.81,5.91-5.81,4.75,0,6.22,3.22,6.22,8.76,0,5.95-1.32,9.17-5.95,9.17-3.72,0-5.5-2.38-5.69-4.94h3.12Zm5.23-7.15c0-1.92-1.1-2.98-2.81-2.98s-2.81,1.18-2.81,2.93c0,1.58.89,2.88,2.93,2.88,1.68,0,2.69-1.13,2.69-2.83Z"/><path class="cls-1" d="m41.28,22.9c-1.22,0-2.09-.86-2.09-1.97s.86-1.97,2.09-1.97,2.04.86,2.04,1.97-.86,1.97-2.04,1.97Z"/><path class="cls-1" d="m49.54,17.81c.26,1.39,1.15,2.18,2.71,2.18,1.97,0,2.83-1.46,2.83-5.4-.74,1.03-2.16,1.63-3.7,1.63-3.02,0-5.45-1.9-5.45-5.59,0-3.5,2.21-5.81,5.91-5.81,4.75,0,6.22,3.22,6.22,8.76,0,5.95-1.32,9.17-5.95,9.17-3.72,0-5.5-2.38-5.69-4.94h3.12Zm5.23-7.15c0-1.92-1.1-2.98-2.81-2.98s-2.81,1.18-2.81,2.93c0,1.58.89,2.88,2.93,2.88,1.68,0,2.69-1.13,2.69-2.83Z"/><path class="cls-1" d="m64.56,17.81c.26,1.39,1.15,2.18,2.71,2.18,1.97,0,2.83-1.46,2.83-5.4-.74,1.03-2.16,1.63-3.7,1.63-3.02,0-5.45-1.9-5.45-5.59,0-3.5,2.21-5.81,5.9-5.81,4.75,0,6.22,3.22,6.22,8.76,0,5.95-1.32,9.17-5.95,9.17-3.72,0-5.5-2.38-5.69-4.94h3.12Zm5.23-7.15c0-1.92-1.1-2.98-2.81-2.98s-2.81,1.18-2.81,2.93c0,1.58.89,2.88,2.93,2.88,1.68,0,2.69-1.13,2.69-2.83Z"/><path class="cls-1" d="m81.79,0h3.29l-6.48,27.07h-3.29L81.79,0Z"/><path class="cls-1" d="m96.89,9.43h3.58l-8.23,19.59h-3.58l2.88-6.62-5.33-12.96h3.77l3.43,9.29,3.48-9.29Z"/><path class="cls-1" d="m105.62,22.73h-3.36v-13.3h3.36v2.06c.84-1.37,2.23-2.26,4.08-2.26v3.53h-.89c-1.99,0-3.19.77-3.19,3.34v6.62Z"/></svg>