On October 16, 2023, Cisco issued a security advisory regarding a significant security vulnerability, CVE-2023-20198, found in Cisco IOS XE software. This vulnerability allows unauthenticated attackers to create an account with privileged level 15 access on target devices and is actively exploited in the wild. Attackers have already taken advantage of this security flaw to gain access to thousands of devices and establish a backdoor. The activity related to this backdoor was discovered due to an existing detection rule for an older vulnerability, CVE-2021-1435. The Cisco Talos team stated on Monday:
"By leveraging existing detections, we observed the actor using Cisco's CVE-2021-1435, which Cisco patched in 2021, to install the implant after gaining access to the device. We also saw fully patched devices for CVE-2021-1435 allowing for the successful implant through an as-yet undetermined mechanism." Cisco Talos Team
Cisco IOS XE CVE-2023-20198 Privilege Escalation Vulnerability
Cisco IOS XE is an operating system that runs on various Cisco products, providing network administrators the capability to manage, configure, and monitor their devices. However, on October 16, 2023, Cisco announced a critical security vulnerability, CVE-2023-20198, in this important software. This vulnerability allows an unauthenticated attacker to create an account on devices and elevate their privileges to full administrator level. Additionally, this security vulnerability is rated with a CVSS score of 10 (Critical) and affects numerous devices worldwide.
Attack Scenario and Impacts
Cyber threat actors have exploited this security vulnerability to gain initial access to target systems. With that access, they have used the older vulnerability CVE-2021-1435 to install an implant on the device. The implant, which has been found on thousands of Cisco devices, is written in the Lua programming language and lets attackers execute arbitrary commands via HTTP POST requests. The implant is not persistent, but adversaries can reinstall it using the previously created administrative account. Threat actors also delete logs and remove users to cover their tracks.
Mitigation of the Security Vulnerability
Cisco has released a patch for CVE-2023-20198, and organizations should closely monitor updates and apply them to vulnerable IOS XE software as soon as possible.
However, if a patch is not available or cannot be applied, organizations can take some mitigation measures:
1. Disable the HTTP/S Server Feature on Internet-Facing Systems
This security vulnerability is present in the Cisco IOS XE software's webUI feature. Organizations can temporarily disable the HTTP and HTTPS server features on publicly accessible physical and virtual devices, making it harder for attackers to exploit this vulnerability.
2. Restrict Access to the HTTP/S Server Feature
If disabling the HTTP and HTTPS server features is not practical, organizations can restrict access to these services to trusted networks. This can prevent attackers from accessing them over the internet.
3. Check for Unknown User Accounts
Attackers create new user accounts using CVE-2023-20198. Security teams should check local users on affected products and identify any unknown accounts. Pay particular attention to usernames like "cisco_tac_admin," "cisco_support," and "cisco_sys_manager."
4. Check for the Presence of the Implant
Attackers use the implant as a backdoor. The following command, sent to the device's web UI (replace Cisco_Device_IP with the address of the device being checked), can be used to detect the presence of the implant. If the implant is present, the command returns a hexadecimal string:
curl -k -X POST "https://Cisco_Device_IP/webui/logoutconfirm.html?logon_hash=1"
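Added example, not part of the original article: two small shell helpers that automate steps 3 and 4 above. The config file, host name and account names in the demo are constructed, and the minimum length used when classifying the response is an assumption, not something the article states.

```shell
#!/bin/sh
# Added example (not from the original article): triage helpers for steps 3 and 4.
# Assumes a saved copy of the device's running configuration and, for check_device,
# network access to the device's web UI. Demo data below is constructed.

# Step 3: print local accounts in a saved running-config that are not on the allowlist.
# Usage: unknown_users <config_file> <allowed_user>...
unknown_users() {
    cfg="$1"; shift
    allow=" $* "
    # IOS XE local accounts appear as "username <name> privilege <n> ..." lines.
    awk '/^username /{print $2}' "$cfg" | while read -r u; do
        case "$allow" in
            *" $u "*) ;;          # known account, skip
            *) echo "$u" ;;       # not on the allowlist, report it
        esac
    done
}

# Step 4: classify the body returned by the logoutconfirm.html check.
# The article states the implant answers with a hexadecimal string; an HTML page,
# an error page or an empty body is treated as "no implant response". The minimum
# length of 8 is an assumption added to avoid matching bare status text such as "404".
classify_logout_response() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    if printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]{8,}$'; then
        echo "implant-present"
    else
        echo "no-implant-response"
    fi
}

# Runs the check from the article against one device and classifies the answer.
check_device() {
    host="$1"
    body=$(curl -k -s -X POST "https://$host/webui/logoutconfirm.html?logon_hash=1")
    classify_logout_response "$body"
}

# Demo on a constructed running-config excerpt (no network needed).
demo_unknown_users() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
hostname edge-rtr-01
username netadmin privilege 15 secret 9 <redacted>
username cisco_tac_admin privilege 15 secret 9 <redacted>
EOF
    unknown_users "$tmp" netadmin
    rm -f "$tmp"
}
```

A "no-implant-response" result only means this particular check got no hexadecimal answer; it does not prove the device is clean, so pair it with the account review and log inspection described above.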
Conclusion
CVE-2023-20198 poses a significant threat to devices using Cisco IOS XE software. This article provides an in-depth examination of the security vulnerability and outlines measures organizations can take to protect against this threat. Keeping up with updates and implementing mitigation measures when necessary will help organizations be better prepared for such critical security vulnerabilities.
October 18, 2023
October 17, 2023
References:
https://en.cyberhat.online/forum/daily-cve-english/security-vulnerabilities-released-16-october-2023
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/