Critical Cisco IOS XE Web UI Vulnerability Actively Exploited, Poses Network Security Threat

Cisco Talos has recently discovered and reported active exploitation of a severe vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software. This flaw, tracked as CVE-2023-20198, poses a significant threat to the security of devices running Cisco IOS XE software with the HTTP or HTTPS Server feature enabled.

Key Findings:

Successful exploitation of this vulnerability empowers an attacker to create an account on the compromised device with privilege level 15 access, effectively granting them full control over the device and enabling unauthorized activities.

Affected entities are strongly urged by Cisco to promptly follow the procedures outlined in Cisco's Product Security Incident Response Team (PSIRT) advisory.

Cisco first noticed suspicious activity on September 18, 2023. During this period, attackers were found to be creating unauthorized local user accounts. This phase of the operation continued until October 1.

The Technical Assistance Center (TAC) and Cisco Talos Incident Response (Talos IR) discovered additional related activity on October 12 involving the deployment of an implant consisting of a configuration file called "cisco_service.conf." The implant allows arbitrary commands to be executed at the system level or the IOS level.

The Lua-based implant is non-persistent, which means it is deleted when the device reboots. On the other hand, freshly generated local user accounts continue to function even after reboots, giving attackers full administrator access (CVE-2023-20198).

To cover their tracks, the threat actor gathered information about the compromised devices, carried out preliminary reconnaissance, deleted logs, and deactivated users.

Talos assesses with high confidence that the same actor was responsible for both the September and October activity clusters, with the October activity indicating that the actor was expanding their operation.

Recommendations:

Organizations potentially affected by this activity are strongly encouraged to:

  • Implement the guidance provided in Cisco’s PSIRT advisory.
  • Monitor devices for unexplained or newly created users.
  • Run the check command Cisco provides to detect the presence of the implant.
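As an added example (not code from Cisco, Talos or the original article), the following script audits saved `show running-config` output for the two conditions the recommendations above call out: local accounts with privilege level 15 that are not on an approved list, and whether the HTTP or HTTPS server feature that exposes the Web UI is enabled. The configuration text, account names and hashes are constructed for this example; the approved-admin set is an assumed organisational allowlist.

```python
import re

# Constructed sample of "show running-config" output from a Cisco IOS XE device.
# The usernames and secret hashes are invented for this example, not real indicators.
SAMPLE_CONFIG = """\
hostname edge-router-01
!
username netops privilege 15 secret 9 $9$EXAMPLEHASH0
username svc_backup privilege 15 secret 9 $9$EXAMPLEHASH1
username monitor privilege 1 secret 9 $9$EXAMPLEHASH2
!
ip http server
ip http secure-server
!
"""

# Assumed allowlist: accounts the organisation knows should hold privilege 15.
APPROVED_ADMINS = {"netops"}

# "username <name> ... privilege <n> ..." ; the privilege clause is optional in IOS config.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s.*?\bprivilege\s+(\d+))?")
# Exactly "ip http server" / "ip http secure-server"; a leading "no " will not match.
HTTP_RE = re.compile(r"^ip http (?:secure-)?server\s*$")


def audit_config(config_text, approved_admins=APPROVED_ADMINS):
    """Return unexpected privilege-15 users and whether the Web UI service is enabled."""
    unexpected_admins = []
    web_ui_services = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            name, priv = m.group(1), m.group(2)
            if priv == "15" and name not in approved_admins:
                unexpected_admins.append(name)
            continue
        if HTTP_RE.match(line):
            web_ui_services.append(line)
    return {
        "unexpected_admins": unexpected_admins,
        "web_ui_enabled": bool(web_ui_services),
        "web_ui_services": web_ui_services,
    }


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

A hit on `unexpected_admins` warrants the full PSIRT procedure, since the page notes such accounts survive reboots even though the implant itself does not.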

Conclusion

Due to its ability to give attackers complete administrator access, this active exploitation of CVE-2023-20198 poses a serious risk to the security of the affected devices. To protect these systems and lessen the damage brought on by this vulnerability, immediate action is essential.

Please be aware that this news piece is a synopsis of Cisco Talos’ original report. Readers are urged to see the official Cisco advisory for more information and advice.
