Cisco recently disclosed a critical privilege escalation vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software, tracked as CVE-2023-20198. This vulnerability allows an unauthenticated remote attacker to gain full administrator privileges on affected Cisco switches, routers and other devices running vulnerable versions of IOS XE.
According to Cisco’s advisory, the vulnerability is exposed when the web UI feature is enabled via the ip http server or ip http secure-server commands. Successful exploitation gives the attacker complete control of the device and the ability to monitor traffic, pivot into protected networks, and conduct man-in-the-middle attacks. Cisco has rated this as a maximum severity bug with a CVSS score of 10.0 out of 10.
This is an actively exploited zero-day vulnerability, with over 35,000 internet-facing Cisco devices already reported as compromised. Cisco has strongly urged administrators to disable the web UI feature on externally exposed devices until a patch is released. In this post, we examine the details and impact of CVE-2023-20198, a critical privilege escalation vulnerability in Cisco IOS XE, as well as steps to detect compromise and mitigate risk.
A Short Introduction to Cisco IOS XE
Cisco IOS XE is an open and flexible operating system optimized for enterprise wired and wireless access, aggregation, core, and WAN environments. It reduces business and network complexity by serving as the single OS across Cisco’s enterprise networking portfolio.
Cisco IOS XE is supported on a wide range of Cisco products including enterprise switches like the Catalyst 9000 family, wireless controllers such as the Catalyst 9800 Series, access points like the Catalyst 9100 Series, aggregation routers including the ASR 1000 and ASR 900 Series, and branch routers like the ISR 4000 Series.
Cisco IOS XE provides several key benefits:
- Resilience – Developed with high availability in mind, Cisco IOS XE reduces planned and unplanned downtime.
- Security – It helps protect against modern cyberattacks through enhanced platform integrity, security, and resilience.
- Automation – Cisco IOS XE enables model-driven programmability, application hosting, and configuration management to automate day-to-day tasks.
With its ability to connect, secure, and automate, Cisco IOS XE helps drive operational excellence across enterprise wired and wireless environments.
Summary of CVE-2023-20198
- CVE ID: CVE-2023-20198
- Description: Privilege Escalation Vulnerability in Cisco IOS XE Software Web UI
- CVSS Score: 10.0 (Critical severity)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2023-20198 stems from insufficient access controls in the web-based user interface (web UI) of Cisco IOS XE software. When exposed to the internet, the web UI feature allows unauthenticated remote attackers to create user accounts with privilege level 15 access. This gives full administrative control of the affected device.
Successful exploitation is possible when the web UI is enabled via the ip http server or ip http secure-server commands. The attacker can then access the web UI and create a user account such as “cisco_tac_admin”. This account has complete control over the device configuration and traffic.
In addition to account creation, attackers have been observed deploying a malicious implant that allows arbitrary command execution on compromised Cisco devices. As of October 18th, 2023, Orange’s CERT Coordination Center reported on Twitter that roughly 35,000 devices had been compromised.
Cisco says it first became aware of potential exploitation of this critical privilege escalation vulnerability in Cisco IOS XE software in late September 2023. Its team observed two clusters of related malicious activity targeting the web UI feature.
The initial activity was observed on September 18th, when an attacker created a local user account named “cisco_tac_admin” on a customer device from a suspicious IP address (5.149.249[.]74).
The second wave began on October 12th, with the creation of another local user, “cisco_support”, by an unauthorized actor from a second suspicious IP address (154.53.56[.]231). This time, the team also observed that an implant with a configuration file named “cisco_service.conf” had been deployed.
According to Cisco, these two clusters of activity were likely conducted by the same threat actor. The September attacks appear to have been initial testing, while the October incidents showed the attacker expanding the operation by establishing persistent access through the implant.
Cisco has detailed the implant and the initial vector in its blog post; we urge you to read the original publication for comprehensive details.
Cisco Products Vulnerable to CVE-2023-20198
Essentially any Cisco device with IOS XE and the web UI enabled via ip http server or ip http secure-server commands is vulnerable. This encompasses many of Cisco’s enterprise wired and wireless access, aggregation, core, and WAN products.
Cisco has not yet released any software patches to address this critical IOS XE vulnerability. All vulnerable products will need to be updated once patches become available. In the meantime, follow the recommendations and check for compromise on your Cisco appliances.
To check if your Cisco device is vulnerable, you need to determine if the HTTP Server feature is enabled. This feature allows the web-based user interface that the attackers are exploiting with this vulnerability.
You can check the HTTP Server configuration by logging into the CLI of your Cisco device and running the command:
show running-config | include ip http server|secure|active
This will display any ip http server or ip http secure-server commands present in the running configuration, along with any active-session-modules settings that affect exploitability. If either server command exists, the HTTP Server feature is enabled and your device is likely vulnerable.
Specifically, the ip http server command enables HTTP access to the web interface. And ip http secure-server enables HTTPS access.
If the output of the command looks like this, the web UI is reachable over both HTTP and HTTPS and your device is vulnerable:
Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server
If instead the output also contains the active-session-modules none lines, as below, the vulnerability is not exploitable over HTTP (ip http active-session-modules none) or HTTPS (ip http secure-active-session-modules none). Note that the none line must be present for each transport whose server is enabled:
Router# show running-config | include ip http server|secure|active
ip http server
ip http active-session-modules none
ip http secure-server
ip http secure-active-session-modules none
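The check above is easy to do by hand on one device but tedious across a fleet of configuration backups. The following Python script, added here as an illustration and not code from Cisco or from the original post, applies the same rules to the text of a running-config dump: a transport is exploitable only when its server is enabled and its active-session-modules setting is not none. The config excerpts, hostnames and labels are constructed for the example and do not come from any real device.

```python
import re

# Constructed running-config excerpts for illustration (not captured from any
# real device). They cover the three cases described above: web UI enabled
# over HTTP and HTTPS with no mitigation, web UI enabled but session modules
# disabled, and web UI disabled.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
"""

MITIGATED_CONFIG = """\
hostname edge-rtr-02
ip http server
ip http active-session-modules none
ip http secure-server
ip http secure-active-session-modules none
"""

DISABLED_CONFIG = """\
hostname edge-rtr-03
no ip http server
no ip http secure-server
"""


def assess_webui(config_text):
    """Classify web UI exposure from the text of 'show running-config'.

    Later lines win, so a 'no ip http server' after 'ip http server'
    leaves the HTTP server disabled, mirroring how IOS applies config.
    """
    http_on = https_on = False
    http_modules_none = https_modules_none = False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        if line == "ip http server":
            http_on = True
        elif line == "no ip http server":
            http_on = False
        elif line == "ip http secure-server":
            https_on = True
        elif line == "no ip http secure-server":
            https_on = False
        elif line.startswith("ip http active-session-modules "):
            http_modules_none = line.endswith(" none")
        elif line.startswith("ip http secure-active-session-modules "):
            https_modules_none = line.endswith(" none")
    return {
        "http_enabled": http_on,
        "https_enabled": https_on,
        # A transport is exploitable only if its server is on and the web UI
        # session modules have not been set to 'none' for that transport.
        "http_exploitable": http_on and not http_modules_none,
        "https_exploitable": https_on and not https_modules_none,
    }


def exploitable_hosts(configs):
    """Given {label: config_text}, return sorted hostnames exploitable on any transport."""
    hits = []
    for label, text in configs.items():
        m = re.search(r"^hostname\s+(\S+)", text, re.MULTILINE)
        host = m.group(1) if m else label
        result = assess_webui(text)
        if result["http_exploitable"] or result["https_exploitable"]:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    fleet = {"r1": EXPOSED_CONFIG, "r2": MITIGATED_CONFIG, "r3": DISABLED_CONFIG}
    for label, text in fleet.items():
        print(label, assess_webui(text))
    print("exploitable:", exploitable_hosts(fleet))
```

The script matches whole lines rather than the loose regex used with `include` above, so unrelated lines such as trustpoint settings do not produce false hits. Keep in mind that this only tells you whether the web UI path is currently exploitable; a device whose configuration was hardened after the fact may already carry an implant, so the compromise checks below still apply.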
How Do You Check Whether Your Cisco Device Is Compromised?
The first and foremost thing to check is your system logs and running configuration for any suspicious new user accounts. Specifically, look for:
- Accounts like “cisco_tac_admin” or “cisco_support”
- Any other unknown privileged local users
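To make the account review repeatable across many devices, the following Python script, added here as an example and not code from Cisco or from the original post, pulls local users out of a running-config dump, flags the attacker-created names reported above, and reports any other privilege-15 account that is not on an approved-administrator list you supply. The config excerpt, usernames and secret strings are constructed for the example.

```python
import re

# Constructed running-config excerpt (not from a real device). The
# cisco_tac_admin line mimics the account the post says the attacker created;
# netops stands in for a legitimate, approved administrator.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$aaaa
username cisco_tac_admin privilege 15 secret 9 $9$bbbb
username monitor privilege 1 secret 9 $9$cccc
username backup-ops privilege 15 secret 9 $9$dddd
"""

# Account names the post reports as created by the attacker.
IOC_USERNAMES = {"cisco_tac_admin", "cisco_support"}

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def local_users(config_text):
    """Map local username -> privilege level from 'username ...' lines.

    A username without an explicit 'privilege' keyword is level 1 (the IOS
    default) unless an earlier line for the same user already set one.
    """
    users = {}
    for raw in config_text.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if not m:
            continue
        name, priv = m.group(1), m.group(2)
        users[name] = int(priv) if priv else users.get(name, 1)
    return users


def suspicious_accounts(config_text, approved_admins):
    """Return (name, privilege, reason) tuples for accounts that warrant review."""
    findings = []
    for name, priv in sorted(local_users(config_text).items()):
        if name in IOC_USERNAMES:
            findings.append((name, priv, "known IoC username"))
        elif priv == 15 and name not in approved_admins:
            findings.append((name, priv, "privilege 15 not in approved list"))
    return findings


if __name__ == "__main__":
    for name, priv, reason in suspicious_accounts(SAMPLE_CONFIG, {"netops"}):
        print(f"{name} (privilege {priv}): {reason}")
```

A hit on a known IoC name is a strong signal; an unapproved privilege-15 user is a prompt to confirm with whoever owns the device, since the attacker is not obliged to keep using the same account names.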