Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
17 October 2023
Cisco has confirmed a critical vulnerability (CVE-2023-20198, CVSS 10.0, critical). The vulnerability lies within the web UI feature of Cisco IOS XE and can be exploited if that web UI is exposed to the internet or to untrusted networks. An unauthenticated, remote attacker can create an account on the affected system with privilege level 15 access and then use that account to gain control of the affected system.
UPDATE: Cisco has provided security updates for the affected products. These will be distributed through their usual update channels.
Cisco has provided a detailed description on the issue:
This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.
Determine the HTTP Server Configuration
To determine whether the HTTP Server feature is enabled for a system, log in to the system and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the system.
The following example shows the output of the show running-config | include ip http server|secure|active command for a system that has the HTTP Server feature enabled:
Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server
Note: The presence of either command or both commands in the system configuration indicates that the web UI feature is enabled.
If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.
If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.
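The checks above can be applied mechanically to the output of the show running-config command. The following script is an added example, not Cisco's code: it takes a constructed configuration excerpt (assumed, not from a real device), reports whether the web UI is enabled, whether the vulnerability is exploitable over HTTP and over HTTPS according to the active-session-modules rules, and lists the corresponding disable commands from the advisory.

```python
# Constructed sample of `show running-config | include ip http server|secure|active`
# output: both servers enabled, HTTP sessions disabled via active-session-modules none.
# This is an assumed excerpt for illustration, not output from a real device.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http active-session-modules none
"""


def assess_webui_exposure(config_text: str) -> dict:
    """Apply the advisory's rules to a running-config excerpt.

    Returns whether the web UI is enabled, whether CVE-2023-20198 is
    exploitable over HTTP and over HTTPS (the advisory states that the
    *-active-session-modules none settings make the respective scheme
    non-exploitable), and the disable commands that apply.
    """
    lines = {line.strip() for line in config_text.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    http_modules_none = "ip http active-session-modules none" in lines
    https_modules_none = "ip http secure-active-session-modules none" in lines

    result = {
        "webui_enabled": http_on or https_on,
        "exploitable_http": http_on and not http_modules_none,
        "exploitable_https": https_on and not https_modules_none,
        "remediation": [],
    }
    # Advisory guidance for internet-facing systems: disable each server in use.
    if http_on:
        result["remediation"].append("no ip http server")
    if https_on:
        result["remediation"].append("no ip http secure-server")
    return result


if __name__ == "__main__":
    for key, value in assess_webui_exposure(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```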
Cisco has also provided “Indicators of Compromise”:
To determine whether a system may have been compromised, perform the following checks:
Check the system logs for the presence of any of the following log messages where user could be cisco_tac_admin, cisco_support or any configured, local user that is unknown to the network administrator:
- %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
- %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023
Note: The %SYS-5-CONFIG_P message will be present for each instance that a user has accessed the web UI. The indicator to look for is new or unknown usernames present in the message.
Check the system logs for the following message where filename is an unknown filename that does not correlate with an expected file installation action:
- %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
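The three log messages above can be triaged in bulk. The following script is an added example, not Cisco's code: it runs over a constructed syslog excerpt (usernames, IP address and filename are placeholders) and flags web UI activity by the usernames the advisory names, or by any username that is not in an administrator-supplied list of known local users, plus every web UI install operation for manual review.

```python
import re

# Constructed syslog excerpt for illustration; not captured from a real device.
SAMPLE_LOGS = """\
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on line 0
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 03:42:13 UTC Wed Oct 11 2023
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line 0
%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD unexpected_file.bin
%SYS-5-CONFIG_I: Configured from console by netops on vty0
"""

# Accounts the network team actually provisioned (assumed list for this example).
KNOWN_USERS = {"netops"}
# Usernames the advisory names as seen in compromises.
ADVISORY_USERS = {"cisco_tac_admin", "cisco_support"}

CONFIG_P = re.compile(r"%SYS-5-CONFIG_P: .*process SEP_webui_wsma_http .* as (\S+) on line")
WEBLOGIN = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: ([^\]]+)\] \[Source: ([^\]]+)\]")
INSTALL = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+), Install Operation: ADD (.+)")


def find_indicators(log_text: str, known_users=KNOWN_USERS) -> list:
    """Return (indicator, user, detail) tuples for lines matching the advisory's IoCs.

    Web UI config/login lines are flagged when the username is one the advisory
    names or is not in the known-user list. Every web UI ADD install operation is
    returned so the operator can compare the filename against expected installs.
    """
    hits = []
    for line in log_text.splitlines():
        if m := CONFIG_P.search(line):
            user = m.group(1)
            if user in ADVISORY_USERS or user not in known_users:
                hits.append(("SYS-5-CONFIG_P", user, line))
        elif m := WEBLOGIN.search(line):
            user, src = m.group(1), m.group(2)
            if user in ADVISORY_USERS or user not in known_users:
                hits.append(("SEC_LOGIN-5-WEBLOGIN_SUCCESS", user, src))
        elif m := INSTALL.search(line):
            hits.append(("WEBUI-6-INSTALL_OPERATION_INFO", m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for indicator, user, detail in find_indicators(SAMPLE_LOGS):
        print(f"{indicator:30} user={user:16} {detail}")
```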
Cisco Talos has provided the following command to check for the presence of the implant where systemip is the IP address of the system to check. This command should be issued from a workstation with access to the system in question:
- curl -k -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1
If the request returns a hexadecimal string, the implant is present.
Note: If the system is configured for HTTP access only, use the HTTP scheme in the command example.
The following Snort rule IDs are also available to detect exploitation:
- 3:50118:2 – can alert for initial implant injection
- 3:62527:1 – can alert for implant interaction
- 3:62528:1 – can alert for implant interaction
- 3:62529:1 – can alert for implant interaction
Cisco has also provided security recommendations, and a security patch released on 23 October will be pushed through the usual update channel:
Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
The following decision tree can be used to help determine how to triage an environment and deploy protections:
- Are you running IOS XE?
  - No: The system is not vulnerable. No further action is necessary.
  - Yes: Is ip http server or ip http secure-server configured?
    - No: The vulnerability is not exploitable. No further action is necessary.
    - Yes: Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
      - No: Disable the HTTP Server feature.
      - Yes: If possible, restrict access to those services to trusted networks.
When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services. If you are unsure of these steps, work with your support organization to determine appropriate control measures.
After implementing any changes, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the changes are not reverted in the event of a system reload.
A detailed summary can be found here