On October 16, Cisco released an advisory in response to active exploitation of a previously undisclosed critical vulnerability. The zero-day, tracked as CVE-2023-20198, carries a CVSS score of 10.0 and lies in the web User Interface (UI) component of Cisco IOS XE Software, the operating system that runs Cisco’s enterprise networking hardware.
The CVE-2023-20198 vulnerability permits a remote, unauthenticated attacker to establish an account on a vulnerable system with privileged access at level 15. Subsequently, the attacker can leverage this account to take control of the compromised system.
A Shodan search has identified over 144,000 instances exposed to CVE-2023-20198, with the United States having the highest number, followed by the Philippines and Chile, among other countries.
This vulnerability impacts all the Cisco IOS XE Software devices when the web UI feature is enabled. Enabling the web UI feature is achieved by utilizing either the “ip http server” or “ip http secure-server” commands.
To determine whether the HTTP Server feature is enabled on a system, log in and run the following command from the CLI (Command Line Interface): “show running-config | include ip http server|secure|active”. This inspects the global configuration for the presence of the “ip http server” or “ip http secure-server” command.
If either of these commands is found, it signifies that the HTTP Server feature is enabled for the system.
- If the configuration includes both the “ip http server” command and “ip http active-session-modules none,” the vulnerability cannot be exploited over HTTP.
- If the “ip http secure-server” command is configured alongside “ip http secure-active-session-modules none,” the vulnerability cannot be exploited over HTTPS.
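The exposure check above, expressed as a script you can run over a saved running-config. This is an added example, not Cisco's own tooling; the two config excerpts are constructed, and the hostnames are placeholders.

```python
# Constructed running-config excerpts (not from any real device) to exercise the check.
CONFIG_EXPOSED = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http authentication local
"""

CONFIG_MITIGATED = """\
hostname edge-rtr-2
ip http server
ip http active-session-modules none
ip http secure-server
ip http secure-active-session-modules none
"""


def assess_webui_exposure(running_config: str) -> dict:
    """Apply the advisory's logic to a captured running-config.

    Lines are compared whole, so an explicit "no ip http server" (which the
    "show running-config | include ..." filter would also print) does not count
    as the feature being enabled."""
    lines = {ln.strip() for ln in running_config.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    http_closed = "ip http active-session-modules none" in lines
    https_closed = "ip http secure-active-session-modules none" in lines
    return {
        "http_server": http_on,
        "secure_server": https_on,
        "exploitable_over_http": http_on and not http_closed,
        "exploitable_over_https": https_on and not https_closed,
    }


def remediation_commands(assessment: dict) -> list:
    """Global-configuration commands from the advisory for each path still open."""
    cmds = []
    if assessment["exploitable_over_http"]:
        cmds.append("no ip http server")
    if assessment["exploitable_over_https"]:
        cmds.append("no ip http secure-server")
    return cmds
```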
Leveraging CVE-2023-20198 to Target Cisco IOS XE
Cisco detected initial signs of potentially malicious behavior on September 28, 2023, and traced related actions back to September 18. These suspicious actions consisted of an authorized user establishing a local account named “cisco_tac_admin” from the IP address 5.149.249[.]74. This activity came to a halt on October 1, with no other linked actions.
Subsequently, Cisco detected a new set of interconnected activities on October 12, all commencing on the same day. In this case, an unauthorized user established a local account by the name of “cisco_support” from the IP address 154.53.56[.]231. In contrast to the September incident, the October incident encompassed additional actions. This included the deployment of an implant created in Lua, which included a configuration file called “cisco_service.conf.” This configuration file defined a fresh web server endpoint for interfacing with the implant, granting the attacker the capability to execute arbitrary commands.
The attacker utilized CVE-2021-1435, which is a command injection vulnerability found in the Web UI component of IOS XE, to install the implant once access to the device was obtained. Notably, Cisco has observed instances where the implant was installed on devices that had been patched against CVE-2021-1435, and the method used for this installation remains ‘undetermined.’
Cisco assesses with high confidence that these clusters of activity share a common origin (the same threat actor, or TA), meaning the October incidents appear to be an extension or progression of the activity observed in September.
The implant is written in Lua and is designed to enable arbitrary command execution. To use it, the attacker sends an HTTP POST request to the device; depending on the parameters supplied, the request reaches one of three functions, as shown in the figure below.
The initial function is determined by the “menu” parameter, which is required to exist and should not be empty. This function returns a string of numbers enclosed within forward slashes, potentially indicating the implant’s version or installation date. The second function is determined by the “logon_hash” parameter, which must be configured as “1.” This function provides an 18-character hexadecimal string that is fixed within the implant’s code.
The third function is also controlled by the “logon_hash” parameter, which is checked against a 40-character hexadecimal string embedded in the implant’s code. The other essential parameter here is “common_type,” which must be non-empty and determines whether the command runs at the system level or the IOS level: “subsystem” selects system-level execution and “iox” selects IOS-level execution. The IOX commands run with privilege level 15.
In most installations, the 18-character hexadecimal string returned by the second function and the 40-character hexadecimal string checked by the third function are unique to the device. In a few instances, however, the same strings appeared on several devices. This suggests the threat actor may have a way to derive the value used by the third function from the one obtained from the second, so the pair serves as a form of authentication gating the arbitrary command execution offered by the third function.
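Detection logic for the three-function interface just described, written from the defender's side: it classifies captured web UI request lines by which implant function their parameters would reach. This is an added example, not Talos's code; it assumes the parameters travel in the query string (as in Talos's published logon_hash=1 probe), and the sample request lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed request lines ("METHOD PATH?QUERY HTTP/1.1"), not real captures.
# The path is the one from Talos's logon_hash=1 probe; classification ignores it.
SAMPLE_REQUESTS = [
    "GET /webui/ HTTP/1.1",
    "POST /webui/logoutconfirm.html?menu=1 HTTP/1.1",
    "POST /webui/logoutconfirm.html?logon_hash=1 HTTP/1.1",
    "POST /webui/logoutconfirm.html?logon_hash=" + "a" * 40 + "&common_type=iox HTTP/1.1",
    "POST /webui/logoutconfirm.html?logon_hash=" + "a" * 40 + " HTTP/1.1",
    "POST /webui/logoutconfirm.html?menu= HTTP/1.1",
]


def classify_request(line: str):
    """Return the implant function (1, 2 or 3) a request line would reach, or None.

    The most specific check runs first so a logon_hash=1 probe is never mistaken
    for a menu-only request."""
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return None  # the implant's interface is reached via POST only
    params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    menu = params.get("menu", [""])[0]
    logon_hash = params.get("logon_hash", [""])[0]
    common_type = params.get("common_type", [""])[0]
    if HEX40.match(logon_hash) and common_type in ("subsystem", "iox"):
        return 3  # command execution path; iox runs at privilege level 15
    if logon_hash == "1":
        return 2  # returns the fixed 18-character hex string
    if menu:
        return 1  # returns the slash-delimited string of numbers
    return None


def flag_implant_interactions(lines):
    """Scan request lines and return (index, function) for each implant-shaped request."""
    hits = []
    for i, line in enumerate(lines):
        fn = classify_request(line)
        if fn is not None:
            hits.append((i, fn))
    return hits
```

A request carrying a 40-character logon_hash without a valid common_type matches none of the three functions, so it is not flagged; tune that if you prefer to alert on the hash alone.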
Cyble Global Sensor Intelligence (CGSI)
The Cyble Global Sensor Intelligence (CGSI) network identified exploitation attempts of CVE-2023-20198 on October 17, 2023. Analysis of the attack patterns observed by CGSI indicates that the attackers aimed to target vulnerable Cisco IOS XE assets in the following countries:
- United States
- United Kingdom
The figure below shows the exploitation attempt observed in the CGSI network. As described in the Cisco Talos blog, the attackers send POST requests carrying the “menu” parameter; the response to this request is a string of numbers representing the implant’s version or installation date.
The emergence of CVE-2023-20198, a critical zero-day vulnerability within the web User Interface component of Cisco IOS XE Software, poses a significant threat. With a CVSS score of 10.0, it allows remote and unauthenticated attackers to gain privileged access to vulnerable systems, thereby putting the integrity and security of Cisco’s enterprise networking infrastructure at risk. The fact that over 144,000 instances have been exposed to this vulnerability underscores the urgency for organizations to address this issue promptly. Implementing mitigation measures, such as disabling the HTTP server feature and closely monitoring system logs for indicators of compromise, is crucial to safeguard against potential attacks and ensure the integrity of Cisco devices.
Currently, there are no workarounds for this vulnerability. However, Cisco advises customers to disable the HTTP Server feature on all Cisco IOS XE systems exposed to the internet. To do so, Cisco recommends the “no ip http server” or “no ip http secure-server” command in global configuration mode. Restricting access to the HTTP Server feature from untrusted sources with access controls is also a reliable and recommended way to protect against the exploit.
Cisco has also issued specific Snort rule IDs to identify exploitation attempts:
- 3:50118:2 – can trigger an alert for the initial implant injection.
- 3:62527:1 – can trigger an alert for interactions with the implant.
- 3:62528:1 – can trigger an alert for interactions with the implant.
- 3:62529:1 – can trigger an alert for interactions with the implant.
Detect Indicators of Compromise (IoCs) in Cisco IOS XE Instances
- To check for the presence of the implant, Cisco Talos has provided the following command where “systemip” represents the IP address of the system to be checked. If the response returns a hexadecimal string, it indicates the presence of the implant.
- curl -k -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1
- Cisco Talos also suggests reviewing the system logs to identify messages like “%SYS-5-CONFIG_P:” or “%SEC_LOGIN-5-WEBLOGIN_SUCCESS:” and that involve new or unknown usernames.
- In addition, checking the logs to identify a message like “%WEBUI-6-INSTALL_OPERATION_INFO” that contains an unfamiliar filename indicates the presence of the infection.
- VulnCheck’s open-source contributions offer a scanning tool available on GitHub for detecting implanted IOS XE systems.
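The IoC checks above, turned into two small functions: one decides whether the response to Talos's logon_hash=1 probe looks like the implant's 18-character hex string, the other scans syslog lines for the three message IDs with unknown usernames or unfamiliar filenames. This is an added example, not Talos's or VulnCheck's code; the syslog lines, allowlists and field layout are constructed and the regexes assume IOS XE's usual "user: X" / "as X" / "Install Operation: ADD file" wording.

```python
import re

HEX18 = re.compile(r"^[0-9a-fA-F]{18}$")
USER_RE = re.compile(r"(?:user:\s*|\bas\s+)([\w.\-]+)", re.I)
FILE_RE = re.compile(r"Install Operation:\s*\w+\s+(\S+)", re.I)

# Constructed allowlists (placeholders): the accounts and images you expect on the device.
KNOWN_USERS = {"netops", "admin"}
KNOWN_FILES = {"approved-image.bin"}

# Constructed syslog lines carrying the message IDs named above; the field layout is
# modelled on IOS XE output but is an assumption, not copied from a real device.
SAMPLE_SYSLOG = [
    "%SYS-5-CONFIG_P: Configured programmatically by process webui from console as netops on vty0",
    "%SYS-5-CONFIG_P: Configured programmatically by process webui from console as cisco_support on vty0",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 12:00:01 UTC",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 12:00:02 UTC",
    "%WEBUI-6-INSTALL_OPERATION_INFO: User: netops, Install Operation: ADD approved-image.bin",
    "%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD unexpected-upload.tar",
]


def probe_response_indicates_implant(body: str) -> bool:
    """Talos's logon_hash=1 probe: an 18-character hex body means the implant answered."""
    return bool(HEX18.match(body.strip()))


def suspicious_syslog(lines, known_users=KNOWN_USERS, known_files=KNOWN_FILES):
    """Return (reason, value, line) for every log line matching the IoC guidance above."""
    hits = []
    for line in lines:
        if "%SYS-5-CONFIG_P:" in line or "%SEC_LOGIN-5-WEBLOGIN_SUCCESS:" in line:
            unknown = [u for u in USER_RE.findall(line) if u not in known_users]
            if unknown:
                hits.append(("unknown-user", unknown[0], line))
        elif "%WEBUI-6-INSTALL_OPERATION_INFO" in line:
            m = FILE_RE.search(line)
            if m and m.group(1) not in known_files:
                hits.append(("unfamiliar-file", m.group(1), line))
    return hits
```

Keep the allowlists short and reviewed: an account that is merely unfamiliar to the analyst is exactly the signal Talos describes, so a bloated allowlist hides the finding.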
Malicious IPs (IPs observed in exploitation attempts)