[CDP-development] TLP:GREEN (Zero-Day Alert Notification) MS-ISAC 2023-122 A Vulnerability in Cisco IOS XE Software Web UI Could Allow for Privilege Escalation
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Tue Oct 17 08:37:58 PDT 2023
Good morning,
The SOC Services team is reporting on the vulnerability: MS-ISAC 2023-122 A Vulnerability in Cisco IOS XE Software Web UI Could Allow for Privilege Escalation. Due to its high visibility, our knowledge of the software installed in the state environment, and active exploitation, we are providing this in-depth information:
History: On October 16, 2023, Cisco released a security advisory addressing CVE-2023-20198, a vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE Software. The CVE was assigned a CVSSv3 rating of 10.0 (Critical) on October 16, 2023. No patch is currently available; Cisco has published mitigations to use until one is released.
The following products are affected:
* Any Cisco IOS XE device with the Web UI feature (ip http server or ip http secure-server) enabled, in particular where the Web UI is reachable from the internet or from untrusted networks.
Further information is available from Cisco:
* Cisco Security Advisory - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
* Cisco Talos Intelligence Blog - https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
Intelligence: As of October 16, 2023, Cisco is aware that CVE-2023-20198 has been exploited in the wild for the past few weeks in multiple cases, likely by the same threat actor. It is very likely that the exploit will continue to be leveraged by threat actors over the coming months.
Workarounds: Cisco has not provided a workaround that addresses the vulnerability itself. However, Cisco does provide guidance to mitigate risk. The following recommendations were published as of October 17, 2023.
Cisco strongly recommends disabling the HTTP Server feature on all internet-facing systems by using the commands "no ip http server" or "no ip http secure-server" in global configuration mode. If both the HTTP and HTTPS servers are in use, both commands are required to fully disable the feature. Save the running configuration afterwards (copy running-config startup-config) so the change survives a reload.
If a service requires HTTP/HTTPS communication (such as eWLC, the embedded wireless LAN controller), restrict access to that service to trusted networks only, for example with an access list applied to the HTTP server.
Further guidance may continue to be provided and updated at the Cisco Security Advisory linked above, and it is strongly recommended to continue referencing the advisory for updated guidance.
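To check a fleet of devices rather than one box, the following Python script, added here as an example and not part of Cisco's guidance or the SOC's own tooling, classifies text copies of "show running-config" by Web UI exposure and lists the global-configuration commands from the advisory that are still needed. The three sample configs are constructed; treating an absent line as disabled, and treating either form of "ip http access-class" as a restriction, are assumptions and should be confirmed on the device with "show ip http server status".

```python
"""Audit IOS XE running-config backups for an exposed Web UI.

Added example, not a tool from Cisco or the SOC Services team. Reads text
copies of `show running-config` (e.g. from a config backup system) and
reports whether `ip http server` / `ip http secure-server` are enabled and
whether `ip http access-class` restricts the HTTP server. Sample configs
are constructed; hostnames and addresses are made up.

Assumptions (not from the advisory): a service is treated as disabled when
its line is absent or negated with `no`; both `ip http access-class <n>`
and `ip http access-class ipv4 <name>` count as a restriction. Defaults
vary by platform and release, so confirm with `show ip http server status`.
"""
import re

# Constructed sample: internet-facing router, both servers on, no ACL.
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet1
 ip address 203.0.113.10 255.255.255.0
"""

# Constructed sample: Web UI required (eWLC), HTTPS only, management ACL applied.
RESTRICTED_CONFIG = """\
hostname wlc-1
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.255.255
 deny   any
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""

# Constructed sample: mitigated per the advisory.
MITIGATED_CONFIG = """\
hostname branch-rtr-7
!
no ip http server
no ip http secure-server
"""

# "ip http server" / "ip http secure-server" and their "no" forms.
HTTP_SERVICE = re.compile(
    r"^(?P<neg>no )?ip http (?P<svc>server|secure-server)[ \t]*$", re.MULTILINE
)
# Either access-class syntax (assumption: both restrict the Web UI).
ACCESS_CLASS = re.compile(r"^ip http access-class\b", re.MULTILINE)


def audit_http_server(config: str) -> dict:
    """Classify one running-config as exposed, restricted or mitigated."""
    enabled = {"server": False, "secure-server": False}
    for m in HTTP_SERVICE.finditer(config):
        # Last occurrence wins, as it would when the config is replayed.
        enabled[m.group("svc")] = m.group("neg") is None
    restricted = ACCESS_CLASS.search(config) is not None
    web_ui_on = enabled["server"] or enabled["secure-server"]
    if not web_ui_on:
        status = "mitigated"
    elif restricted:
        status = "restricted"
    else:
        status = "exposed"
    return {
        "http": enabled["server"],
        "https": enabled["secure-server"],
        "access_class": restricted,
        "status": status,
    }


def remediation_commands(state: dict) -> list:
    """Global-configuration commands from the advisory still needed to
    disable whatever is enabled; empty when nothing needs to change.
    Follow up with `copy running-config startup-config` to persist them."""
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    for name, cfg in [("edge-rtr-1", EXPOSED_CONFIG),
                      ("wlc-1", RESTRICTED_CONFIG),
                      ("branch-rtr-7", MITIGATED_CONFIG)]:
        state = audit_http_server(cfg)
        print(f"{name}: {state['status']}", remediation_commands(state))
```

A "restricted" result still means the Web UI is running; per the advisory it should only remain so where the service is genuinely needed, and the access list should permit management networks only.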
How it works: A remote, unauthenticated attacker can create an account on an affected system with privilege level 15 (the highest IOS privilege level) and use that account to gain control of the device.
Post-Exploit: Upon successful exploitation, the attacker creates additional user accounts and uses them for continued access and further malicious activity. Cisco has also observed the attacker using CVE-2021-1435 (a Web UI command injection vulnerability) to implant a configuration file that defines a new web server endpoint for the attacker to interact with. In some cases the implant was installed successfully even though the device was patched against CVE-2021-1435, so patch status alone does not rule out the implant. The new endpoint is then used by the attacker to execute arbitrary commands at the system level or the IOS level. The implant only becomes active once the web server is restarted.
The implant is saved under the file path "/usr/binos/conf/nginx-conf/cisco_service.conf" and contains two variable strings of hexadecimal characters. The implant does not survive a device reboot, but any attacker-created user accounts remain active. The attacker drives the implant with HTTP POST requests to the device; a request must carry the implant's expected parameters, which act as a form of authentication, before the implant will execute arbitrary commands.
Organizations should check affected devices for unexplained or newly created user accounts. Review system logs for rogue accounts by looking for the following log messages (user, source_IP_address and time are placeholders):
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at time
In addition, the following command may be run to determine whether the implant is present on a device (replace DEVICEIP with the device address; the URL is defanged):
curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"
If the response is a hexadecimal string, the implant is present. Because the implant only becomes active after the web server is restarted, an empty or normal response does not prove a device is clean; also review the device for rogue accounts and for the configuration file path above.
System logs can also be reviewed for install operations with suspicious or unknown filenames that do not correlate with an expected file install action:
%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
The following Snort rule IDs are also available to detect the threat:
* 3:50118:2
* 3:62527:1
* 3:62528:1
* 3:62529:1
The following IP addresses were used in previously observed attacks:
* 5.149.249[.]74
* 154.53.56[.]231
The following usernames were used in previously observed attacks:
* cisco_tac_admin
* cisco_support
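The following Python script, an added example rather than Cisco's or the SOC's tooling, applies the checks above to syslog text: it parses the three message types, matches them against the published usernames and source IPs, and classifies the body returned by the logoutconfirm.html probe. The syslog lines are constructed samples in the format of the templates above (the hostname, timestamps, the 10.10.20.5 address and the accounts netops and svc_backup are made up), and known_users is an assumed list of accounts your organization expects to use the Web UI.

```python
"""Hunt for the advisory's indicators in IOS XE syslog and probe output.

Added example, not Cisco's or the SOC Services team's tooling. Syslog
lines below are constructed in the format of the advisory's templates;
hostname, timestamps, 10.10.20.5, `netops` and `svc_backup` are made up.
`known_users` (accounts expected to use the Web UI) is an assumption.
"""
import re
import ssl
import urllib.error
import urllib.request

# Indicators published in this advisory as of October 17, 2023.
IOC_USERS = {"cisco_tac_admin", "cisco_support"}
IOC_IPS = {"5.149.249.74", "154.53.56.231"}

# Parsers for the three log messages named above.
CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) "
    r"from console as (?P<user>\S+) on line")
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<file>\S+)")

# Constructed sample syslog, not real device output.
SAMPLE_SYSLOG = """\
Oct 16 03:12:44 edge-rtr-1 %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_support on line
Oct 16 03:13:02 edge-rtr-1 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 5.149.249.74] at 03:13:02 UTC Mon Oct 16 2023
Oct 16 03:15:30 edge-rtr-1 %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD bootflash:tmp_update.bin
Oct 16 07:48:19 edge-rtr-1 %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as svc_backup on line
Oct 16 09:41:10 edge-rtr-1 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.20.5] at 09:41:10 UTC Mon Oct 16 2023
Oct 16 10:02:11 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.20.5)
"""


def _severity(user, src, known_users):
    """high: matches a published IOC; review: account not expected on the Web UI."""
    if user in IOC_USERS or src in IOC_IPS:
        return "high"
    if user not in known_users:
        return "review"
    return None


def triage_syslog(text, known_users=frozenset()):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        m = CONFIG_P.search(line)
        if m:
            # Only changes pushed through the Web UI process matter here.
            if m.group("proc") != "SEP_webui_wsma_http":
                continue
            sev = _severity(m.group("user"), None, known_users)
            if sev:
                findings.append({"kind": "webui_config_change", "user": m.group("user"),
                                 "src": None, "severity": sev, "line": line})
            continue
        m = WEBLOGIN.search(line)
        if m:
            sev = _severity(m.group("user"), m.group("src"), known_users)
            if sev:
                findings.append({"kind": "webui_login", "user": m.group("user"),
                                 "src": m.group("src"), "severity": sev, "line": line})
            continue
        m = INSTALL.search(line)
        if m:
            # Every install operation gets at least a review until tied to a planned change.
            sev = _severity(m.group("user"), None, known_users) or "review"
            findings.append({"kind": "webui_install", "user": m.group("user"), "src": None,
                             "severity": sev, "file": m.group("file"), "line": line})
    return findings


def implant_indicator(body):
    """True when the probe response is a bare hexadecimal string, the sign the
    advisory gives for an active implant."""
    body = body.strip()
    return bool(body) and re.fullmatch(r"[0-9A-Fa-f]+", body) is not None


def probe_device(host, timeout=10.0):
    """Equivalent of the curl command above; returns the response body.
    Certificate checks are off (curl -k) since devices usually carry
    self-signed certificates. Network call, so not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}/webui/logoutconfirm.html?logon_hash=1", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
```

Run the triage over exported syslog (for example, triage_syslog(open("edge-rtr-1.log").read(), known_users={"netops"})) and treat every "high" finding as a confirmed indicator; "review" findings are Web UI activity by accounts outside the expected list and need to be tied to a known change before they are closed. As noted above, a negative result from implant_indicator(probe_device(host)) does not clear a device on which the web server has not been restarted.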
As of October 17, 2023, the following vulnerability plugins have been released and are available in Tenable Security Center (the second plugin covers the Web UI command injection vulnerability, CVE-2021-1435, that the attacker uses to install the implant):
Plugin | Title | Severity
183167 <https://www.tenable.com/plugins/nessus/183167> | Cisco IOS XE Software Web UI Privilege Escalation (cisco-sa-iosxe-webui-privesc-j22SaA4z) | Critical
148103 <https://www.tenable.com/plugins/nessus/148103> | Cisco IOS XE Software Web UI Command Injection (cisco-sa-iosxe-webcmdinjsh-UFJxTgZD) | High
Recommended Actions:
* Review logs on affected devices.
* Remove or deny access to unnecessary and potentially vulnerable services and devices (the Web UI in particular) to prevent abuse by adversaries.
* Maintain good cyber hygiene and follow vendor patching and security hardening recommendations.
* Verify that the device has not been compromised (rogue accounts, the log messages and the implant check above) before applying patches and mitigations; disabling the Web UI does not remove accounts the attacker has already created.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."