Exploitation of Zero-Day Vulnerability (CVE-2023-20198) Detected in Cisco IOS XE

Cisco has raised an alert regarding a critical security vulnerability in its IOS XE software. This unpatched flaw, designated CVE-2023-20198 and carrying a severity rating of 10.0 on the CVSS scoring system, is being actively exploited in the wild. The vulnerability is rooted in the web UI feature and affects only enterprise networking equipment with that feature enabled; it is of particular concern where the web UI is exposed to the internet or to untrusted networks. The issue affects both physical and virtual devices running Cisco IOS XE software, provided they also have the HTTP or HTTPS server feature enabled.

A threat actor has already infected thousands of Internet-exposed Cisco IOS XE devices with an implant for arbitrary code execution, via an as-yet-unpatched maximum-severity vulnerability in the operating system.


CVE-2023-20198 – Summary

  • CVE ID: CVE-2023-20198
  • CVSS Score: 10.0
  • Vulnerability Type: Privilege Escalation
  • Affected Products: Cisco IOS XE Software
  • Impact: Remote, unauthenticated attackers can gain full control of affected systems.


Unaddressed Vulnerability Results in 10,000 Cisco Systems Being Compromised:

After several customers reported anomalous activity tied to the flaw, Cisco acknowledged in its security advisory that the number of infected devices exceeded its initial assessment. To assist users, Cisco published a command to detect the malicious implant on both physical and virtual devices. Researchers from Cisco Talos stressed that the implant is not persistent and is removed by rebooting the device. They added a caution, however: any admin accounts created by the attacker survive a reboot, so organizations should scrutinize recently created accounts for signs of compromise.

“This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” Cisco said in a Monday advisory. “The attacker can then use that account to gain control of the affected system.”

The issue affects both physical and virtual devices operating Cisco IOS XE software with the enabled HTTP or HTTPS server feature. To address this, a recommended mitigation is to deactivate the HTTP server feature on systems exposed to the internet.

The networking equipment manufacturer identified the problem after detecting suspicious activity on an undisclosed customer device beginning on September 18, 2023. During this period, a legitimate user created a local user account with the username “cisco_tac_admin” from an untrusted IP address. The abnormal behavior ceased on October 1, 2023.

On October 12, 2023, a second cluster of related activity was uncovered. In this instance, a malicious actor created a local user account named “cisco_support” from a different IP address. “For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed,” Cisco stated.

The backdoor, which is stored under the file path “/usr/binos/conf/nginx-conf/cisco_service.conf,” is not persistent, so it is removed when the device is restarted. Nevertheless, the rogue privileged accounts the attacker created survive a reboot and remain usable.

Although the origin of the threat actor is currently unknown, Cisco has linked the two clusters of activity to a single probable threat actor.

“The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant,” the company noted.


Remediations:

Cisco has released a security advisory with mitigation steps for CVE-2023-20198. The recommended mitigation is to disable the web UI feature on affected systems. If the web UI feature is required, Cisco recommends restricting access to the web UI to trusted networks and users.

  1. Disable the HTTP Server feature: The most effective way to mitigate the vulnerability is to disable the HTTP server feature on affected systems. This can be done with the following commands in global configuration mode on the CLI:
    1. no ip http server
    2. no ip http secure-server
  2. Restrict access to the web UI: If the web UI feature is required, restrict access to the web UI to trusted networks and users. This can be done using access control lists (ACLs) or firewall rules:
    1. Using ACLs: Implement ACLs that permit access to the web UI only from specific IP addresses or networks.
    2. Using firewall rules: Configure firewall rules to block unauthorized access to the web UI port (typically TCP port 80 or 443).
  3. Implement strong password policies: Enforce strong password policies for all user accounts, including complex passwords, regular password changes, and restrictions on password reuse.
  4. Monitor for suspicious activity: Continuously monitor system logs and network traffic for any signs of suspicious activity, such as unauthorized login attempts or unusual network traffic patterns.
  5. Apply software patches promptly: Once a software patch is available from Cisco, apply it immediately to address the vulnerability and prevent further exploitation.
  6. Review and update security policies: Regularly review and update security policies to ensure they align with current best practices and address emerging threats.
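The two checks the article asks operators to make, whether the web UI listeners are still enabled and whether any privilege-15 local accounts exist that are not in the approved baseline (the attacker-created “cisco_tac_admin” and “cisco_support” accounts survive a reboot), can be automated over a saved `show running-config` dump. The script below is an added example written for this page; it is not Cisco's code and not the detection command Cisco published. The configuration text, hostname and approved-account baseline are constructed for the example.

```python
"""Audit a Cisco IOS XE running-config for CVE-2023-20198 exposure and fallout.

Two checks, both taken from the advisory text above:
  1. Are the web UI listeners enabled (``ip http server`` / ``ip http secure-server``)?
  2. Which local accounts hold privilege 15, and are any of them outside the
     approved baseline (e.g. the attacker-created ``cisco_tac_admin`` /
     ``cisco_support`` accounts)?
"""
import re

# Constructed sample of ``show running-config`` output (not from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_support privilege 15 secret 9 $9$REDACTED
username readonly privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Hypothetical approved baseline of privilege-15 accounts; in practice pull
# this from your configuration management database.
APPROVED_PRIV15 = {"netops"}

# Account names the Cisco advisory attributes to the attacker.
KNOWN_ROGUE_NAMES = {"cisco_tac_admin", "cisco_support"}

# Matches ``username <name> privilege <level> ...`` at the start of a line.
# Accounts configured without an explicit privilege default to level 1 and
# are deliberately not matched.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)


def web_ui_enabled(config: str) -> dict:
    """Report which HTTP listeners are enabled.

    Only the exact positive form counts: ``no ip http server`` is a disable
    and must not be mistaken for the enable, so lines are compared whole.
    """
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
    }


def privilege15_accounts(config: str) -> list:
    """Return the sorted names of all local accounts with privilege 15."""
    return sorted(name for name, level in USERNAME_RE.findall(config) if int(level) == 15)


def audit(config: str, approved=APPROVED_PRIV15) -> dict:
    """Combine both checks into one report for a single device."""
    listeners = web_ui_enabled(config)
    priv15 = privilege15_accounts(config)
    unapproved = [user for user in priv15 if user not in approved]
    return {
        "web_ui_exposed": listeners["http"] or listeners["https"],
        "listeners": listeners,
        "privilege15": priv15,
        "unapproved_privilege15": unapproved,
        "known_rogue_present": sorted(set(unapproved) & KNOWN_ROGUE_NAMES),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against each device's saved configuration rather than against the live device: a device reporting `web_ui_exposed` as true still needs the `no ip http server` / `no ip http secure-server` remediation, and any name in `unapproved_privilege15` warrants the account review the article describes, whether or not it matches the two names Cisco reported.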