
Critical Cisco IOS XE Web UI Vulnerability CVE-2023-20198: Immediate Mitigation Required


Executive Summary

CVE-2023-20198 is a critical vulnerability affecting the Web UI feature of Cisco IOS XE Software. With a CVSS score of 10.0, this flaw allows a remote, unauthenticated attacker to create an account with privilege level 15 access, granting them full control over the affected device. This vulnerability has been actively exploited in the wild, posing a significant risk to organizations using Cisco IOS XE Software. Immediate action is required to patch affected systems and implement additional security measures to mitigate the risk of exploitation.

Technical Information

CVE-2023-20198 is a critical security flaw in the Web UI feature of Cisco IOS XE Software. A remote attacker who can reach the Web UI over HTTP or HTTPS can, without any credentials, create a local account with privilege level 15, the highest IOS XE privilege level. Cisco has not published the root cause beyond describing it as a weakness in the Web UI; the effect is full administrative control over the device, enabling the attacker to execute arbitrary commands, change the configuration, install implants, and maintain persistent access.

The vulnerability affects Cisco IOS XE Software release trains 17.9, 17.6, 17.3 and 16.12 (the last for Catalyst 3650 and 3850 only) when the Web UI feature is enabled. Cisco addressed it in 17.9.4a, 17.6.6a, 17.3.8a and 16.12.10a respectively. To determine whether the HTTP Server feature is enabled, run the following in the CLI:

show running-config | include ip http server|secure|active

If the output contains ip http server or ip http secure-server, the HTTP Server feature is enabled. Per Cisco's advisory, the presence of ip http active-session-modules none means the Web UI is not reachable over HTTP, and ip http secure-active-session-modules none means it is not reachable over HTTPS; only when every enabled transport is closed off in this way is the device not exploitable through the Web UI.
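The following Python script is an added example (it is not part of the original report and not Cisco's code) that applies the same exposure check to a running-config and compares a version string against the fixed releases listed above. The configuration snippets and version strings it contains are constructed for illustration, and it assumes the "Version 17.09.04a" form that IOS XE prints in show version output.

```python
"""Web UI exposure and fixed-release check for CVE-2023-20198.

Added example, not from the original report or from Cisco. The configuration
text and version strings below are constructed, not taken from a real device.
"""
import re

# Constructed sample running-config excerpts (assumed, for illustration).
EXPOSED_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http authentication local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-2
no ip http server
no ip http secure-server
"""

# Web UI enabled but every transport's session modules turned off.
MITIGATED_CONFIG = """\
hostname edge-rtr-3
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none
"""

# Release train -> first fixed release, as listed in Cisco's advisory.
FIXED_RELEASES = {
    (17, 9): (17, 9, 4, "a"),
    (17, 6): (17, 6, 6, "a"),
    (17, 3): (17, 3, 8, "a"),
    (16, 12): (16, 12, 10, "a"),  # Catalyst 3650 and 3850 only
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def _present(config, directive):
    """True if `directive` appears as a configured line (a 'no ...' form does not count)."""
    return any(line.strip() == directive for line in config.splitlines())


def web_ui_exposure(config):
    """Describe whether the Web UI is reachable over HTTP and HTTPS.

    Mirrors the advisory's CLI check: the feature is on when `ip http server`
    or `ip http secure-server` is configured, but a transport whose
    `*active-session-modules` is set to none does not expose the Web UI.
    """
    http_on = _present(config, "ip http server")
    https_on = _present(config, "ip http secure-server")
    http_modules_off = _present(config, "ip http active-session-modules none")
    https_modules_off = _present(config, "ip http secure-active-session-modules none")
    return {
        "http_enabled": http_on,
        "https_enabled": https_on,
        "webui_reachable_http": http_on and not http_modules_off,
        "webui_reachable_https": https_on and not https_modules_off,
    }


def needs_action(config):
    """True when the Web UI is reachable on at least one transport."""
    r = web_ui_exposure(config)
    return r["webui_reachable_http"] or r["webui_reachable_https"]


def parse_version(text):
    """Extract (major, minor, patch, suffix) from a string such as
    'Cisco IOS XE Software, Version 17.09.04a' (assumed show version format)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_fixed_release(text):
    """True if the release is at or past the fix for its train, False if it is
    older, None if the train is not in the advisory's list or cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    # Tuple comparison: 17.9.4 (suffix '') sorts before 17.9.4a, 17.9.5 after it.
    return v >= fixed


if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("mitigated", MITIGATED_CONFIG)]:
        print(name, web_ui_exposure(cfg), "needs action:", needs_action(cfg))
    print(is_fixed_release("Cisco IOS XE Software, Version 17.09.04a"))
```

Feed it the text of show running-config and show version from each device; a None result from is_fixed_release means the train is outside the advisory's list and should be checked against Cisco's software checker directly rather than assumed safe.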

The attack vector for this vulnerability is remote, requiring no privileges or user interaction. The impact of successful exploitation is severe, as it grants the attacker full control over the device, potentially leading to data breaches, network disruptions, and further exploitation within the network.

Exploitation in the Wild

CVE-2023-20198 has been actively exploited in the wild. Attackers have been observed using the vulnerability to gain initial access, creating local user accounts with privilege level 15, and then issuing privileged commands from those accounts. Cisco reported that the intrusions chained a second Web UI flaw, CVE-2023-20273, to escalate to root and install an implant that provides persistent access to the compromised device. Indicators of compromise include local administrative accounts that nobody on the team created, syslog entries showing configuration changes applied programmatically by the Web UI process, unexpected changes to the running configuration, and Web UI install operations that write unexpected files. Cisco also published a check for the implant: an HTTP POST to /webui/logoutconfirm.html?logon_hash=1 on the device returns a hexadecimal string when the implant is present.
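The following Python snippet is an added example (not part of the original report and not vendor code) of detection logic for the indicators just described, run over constructed syslog lines and a constructed running-config excerpt. The message types it matches (%SYS-5-CONFIG_P naming the Web UI process, %SEC_LOGIN-5-WEBLOGIN_SUCCESS, %WEBUI-6-INSTALL_OPERATION_INFO) are the IOS XE messages that public analyses of this campaign pointed to; the timestamps, addresses, file name and the baseline of approved administrators are assumptions.

```python
"""Detection of CVE-2023-20198 post-exploitation indicators in IOS XE logs.

Added example, not part of the original report. Sample log lines and config
are constructed; only the message formats follow real IOS XE syslog types.
"""
import re

# Assumed set of approved privilege-15 accounts for the device (baseline).
BASELINE_ADMINS = {"netops", "backup-admin"}

# Constructed syslog sample. The account name cisco_tac_admin is of the kind
# reported in public analyses; the rest of each line is made up.
SAMPLE_SYSLOG = [
    "Oct 18 02:14:07.112: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as user on line",
    "Oct 18 02:14:09.551: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: cisco_tac_admin] [Source: 192.0.2.10] at 02:14:09 UTC Wed Oct 18 2023",
    "Oct 18 02:15:30.004: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD bootflash:/cisco_service.conf",
    "Oct 18 08:00:01.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 10.0.0.5] at 08:00:01 UTC Wed Oct 18 2023",
    "Oct 18 08:01:12.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
]

# Constructed running-config excerpt (hashes redacted by construction).
SAMPLE_RUNNING_CONFIG = """\
username netops privilege 15 secret 9 REDACTED
username cisco_tac_admin privilege 15 secret 9 REDACTED
username helpdesk privilege 1 secret 9 REDACTED
"""

CONFIG_P = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+)")
WEBLOGIN = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: ([^\]]+)\]")
INSTALL_OP = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+), Install Operation: (\w+) (\S+)")
PRIV15_USER = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)


def scan_syslog(lines, baseline=BASELINE_ADMINS):
    """Return one alert dict per line that matches an indicator.

    - configuration pushed programmatically by a Web UI process
    - Web UI login by an account not in the approved baseline
    - any Web UI install operation (file written through the Web UI)
    """
    alerts = []
    for line in lines:
        m = CONFIG_P.search(line)
        if m and "webui" in m.group(1).lower():
            alerts.append({"indicator": "webui_programmatic_config",
                           "detail": m.group(1), "line": line})
            continue
        m = WEBLOGIN.search(line)
        if m and m.group(1) not in baseline:
            alerts.append({"indicator": "webui_login_unknown_user",
                           "detail": m.group(1), "line": line})
            continue
        m = INSTALL_OP.search(line)
        if m:
            alerts.append({"indicator": "webui_install_operation",
                           "detail": f"{m.group(1)} {m.group(2)} {m.group(3)}",
                           "line": line})
    return alerts


def unexpected_priv15_users(running_config, baseline=BASELINE_ADMINS):
    """Privilege-15 usernames in the running-config that are not in the baseline."""
    return sorted(set(PRIV15_USER.findall(running_config)) - set(baseline))


if __name__ == "__main__":
    for alert in scan_syslog(SAMPLE_SYSLOG):
        print(alert["indicator"], "->", alert["detail"])
    print("unexpected priv-15 users:", unexpected_priv15_users(SAMPLE_RUNNING_CONFIG))
```

The baseline comparison is the part worth wiring into a scheduled job: pull show running-config | include username from each device, diff the privilege-15 set against the approved list, and alert on any addition, since the attacker's foothold in this campaign was exactly such an account.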

APT Groups using this vulnerability

Exploitation of this vulnerability has not been publicly attributed to a named Advanced Persistent Threat (APT) group. The level of access it grants makes it attractive to state-sponsored and other advanced actors, and the in-the-wild activity observed so far has not been tied to any particular sector or country, so any organization exposing the IOS XE Web UI should consider itself a potential target.

Affected Product Versions

The following Cisco IOS XE Software release trains are affected if the Web UI feature is enabled:
- 17.9: Fixed in 17.9.4a
- 17.6: Fixed in 17.6.6a
- 17.3: Fixed in 17.3.8a
- 16.12 (Catalyst 3650 and 3850 only): Fixed in 16.12.10a

Workaround and Mitigation

To mitigate the risk posed by CVE-2023-20198, organizations should upgrade to the fixed releases listed above. Until a device is patched, Cisco's recommended workaround is to disable the HTTP Server feature on all internet-facing systems with the global configuration commands no ip http server and no ip http secure-server, followed by copy running-configuration startup-configuration so the change survives a reload; where the Web UI must stay on, restrict it with an access list to trusted management addresses only. Network segmentation should keep device management interfaces off networks that untrusted hosts can reach. Monitoring should alert on new local accounts, on configuration changes applied programmatically by the Web UI process, and on Web UI install operations. Note that multi-factor authentication does not address this vulnerability, since the account is created without any authentication; MFA on management access remains good practice but is not a substitute for disabling or restricting the Web UI.

References

For further information and technical details, please refer to the following resources:
- NVD - CVE-2023-20198: https://nvd.nist.gov/vuln/detail/CVE-2023-20198
- Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- Kroll Cyber Risk: https://www.kroll.com/en/insights/publications/cyber/skeletonxe-responding-to-cisco-vulnerability
- Rapid7 Blog: https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitation-of-cisco-ios-xe-zero-day-vulnerability/
- UpGuard Blog: https://www.upguard.com/blog/cisco-cve-2023
- GreyNoise Blog: https://www.greynoise.io/blog/unpacking-cve-2023-20198-a-critical-weakness-in-cisco-ios-xe
- Arctic Wolf Blog: https://arcticwolf.com/resources/blog/cve-2023-20198/
- SOC Prime Blog: https://socprime.com/blog/cve-2023-20198-detection-cisco-ios-xe-zero-day-vulnerability-actively-exploited-to-install-implants/

Rescana is here for you

At Rescana, we understand the critical importance of staying ahead of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities like CVE-2023-20198. We provide comprehensive threat intelligence, real-time monitoring, and actionable insights to ensure your systems remain secure. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.
