Active Exploitation of Critical Zero-Day Vulnerability in Cisco IOS XE Software
17 October 2023
Cisco has released security updates to address zero-day vulnerabilities (CVE-2023-20198 and CVE-2023-20273) in the web User Interface (UI) feature of Cisco Internetworking Operating System eXtended Edition (IOS XE) software. The vulnerabilities are reportedly being actively exploited. CVE-2023-20198 has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10.
The vulnerabilities are:
CVE-2023-20198: Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to create an account on an affected system with privilege level 15 access, the highest possible level of access, which provides full access to all system commands and allows attackers to make configuration changes. These privileged accounts can then be used to gain control of the affected system.
CVE-2023-20273: Successful exploitation of this vulnerability could allow an attacker to inject commands with root privileges which gives them the ability to execute arbitrary commands on the device.
When both vulnerabilities are chained together, successful exploitation could allow an attacker to leverage the newly created unauthorised local user account to exploit another component of the web UI feature. This allows attackers to gain unauthorised access to the affected system with root privileges.
The vulnerabilities affect all Cisco IOS XE Software with web UI feature enabled.
Users and administrators of affected software are advised to update to the latest version immediately and disable the HTTP Server feature on all Cisco IOS XE systems that are connected to internet-facing networks.
To disable the HTTP Server feature, use the "no ip http server" or "no ip http secure-server" command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. After making the changes, use the "copy running-config startup-config" command to save the running configuration to prevent the changes from reverting in the event of a system reload.
Users and administrators are also recommended to perform the following checks to determine whether their device(s) have been compromised:
Check the system logs for the presence of any of the following log messages where "user" could be “cisco_tac_admin”, “cisco_support” or any configured, local user that is unknown to the network administrator:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023
The %SYS-5-CONFIG_P message will be present for each instance that a user has accessed the web UI. The indicator to look for is new or unknown usernames present in the message.
Check the system logs for the following message where filename is an unknown filename that does not correlate with an expected file installation action:
%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
Administrators may wish to consider blocking the IoCs associated with the web UI exploit, tracking the usernames associated with user accounts used by threat actors, and checking their firewall logs or any other relevant logs for prior connections to the network IoCs provided. The list of IoCs is shown in the table below.
| Type | Indicator |
|---|---|
| IP Address | 5.149.249[.]74 |
| IP Address | 154.53.56[.]231 |
| IP Address | 154.53.63[.]93 |
| IP Address | 107.175.229[.]142 |
| IP Address | 192.3.101[.]111 |
| Username | cisco_tac_admin |
| Username | cisco_support |
| Username | cisco_sys_manager |
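The log checks described above (unknown users in %SYS-5-CONFIG_P and %SEC_LOGIN-5-WEBLOGIN_SUCCESS messages, unexpected filenames in %WEBUI-6-INSTALL_OPERATION_INFO messages) and the firewall-log check against the network IoCs in the table can be scripted. The following is an added example, not code from the advisory, SingCERT or Cisco. It assumes the device syslog has been exported to text, that the administrator supplies their own list of approved local users and expected install filenames, and that firewall log lines carry `src=`/`dst=` fields; the sample log lines are constructed for illustration and the usernames and IP addresses are taken from the advisory.

```python
import re

# Usernames named as IoCs in the advisory. These are flagged even if an
# administrator has (mistakenly) put them on the approved list.
KNOWN_BAD_USERS = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

# Network IoCs from the advisory, kept defanged here and refanged for matching.
IOC_IPS_DEFANGED = {
    "5.149.249[.]74", "154.53.56[.]231", "154.53.63[.]93",
    "107.175.229[.]142", "192.3.101[.]111",
}
IOC_IPS = {ip.replace("[.]", ".") for ip in IOC_IPS_DEFANGED}

# The three message types called out in the advisory. search() is used so a
# leading timestamp or sequence number on the real log line does not matter.
CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) "
    r"from console as (?P<user>\S+) on line")
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: ADD (?P<file>\S+)")
FW_IP = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")


def is_suspicious_user(user, approved_users):
    """A user is suspicious if it is a known IoC username or not on the approved list."""
    return user in KNOWN_BAD_USERS or user not in approved_users


def analyze_device_log(text, approved_users, expected_files):
    """Return (kind, detail, raw_line) findings for an IOS XE syslog export."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONFIG_P.search(line)
        if m:
            # Only web UI driven configuration by an unknown user is an indicator.
            if m["proc"] == "SEP_webui_wsma_http" and is_suspicious_user(m["user"], approved_users):
                findings.append(("config_by_unknown_user", m["user"], line))
            continue
        m = WEBLOGIN.search(line)
        if m:
            if is_suspicious_user(m["user"], approved_users):
                findings.append(("weblogin_unknown_user", m["user"], line))
            if m["src"] in IOC_IPS:
                findings.append(("weblogin_from_ioc_ip", m["src"], line))
            continue
        m = INSTALL.search(line)
        if m and m["file"] not in expected_files:
            findings.append(("unexpected_install", m["file"], line))
    return findings


def scan_firewall_log(text):
    """Return (ip, raw_line) for every firewall log line touching an IoC address."""
    hits = []
    for raw in text.splitlines():
        for ip in FW_IP.findall(raw):
            if ip in IOC_IPS:
                hits.append((ip, raw.strip()))
    return hits


# Constructed sample input: one legitimate admin ("netadmin") and one actor session.
APPROVED_USERS = {"netadmin"}
EXPECTED_FILES = {"approved_image.bin"}
DEVICE_LOG = """
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netadmin on line 130
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.0.0.5] at 02:10:01 UTC Wed Oct 11 2023
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line 130
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 5.149.249.74] at 03:42:13 UTC Wed Oct 11 2023
%WEBUI-6-INSTALL_OPERATION_INFO: User: netadmin, Install Operation: ADD approved_image.bin
%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD unknown_pkg.bin
"""
# Constructed firewall lines in a generic key=value style (format is an assumption).
FIREWALL_LOG = """
2023-10-11T03:41:50Z fw1 action=allow src=5.149.249.74 dst=192.0.2.10 dport=443
2023-10-11T03:45:02Z fw1 action=allow src=10.0.0.5 dst=192.0.2.10 dport=443
2023-10-11T04:02:11Z fw1 action=deny src=154.53.63.93 dst=192.0.2.10 dport=80
"""

if __name__ == "__main__":
    for kind, detail, line in analyze_device_log(DEVICE_LOG, APPROVED_USERS, EXPECTED_FILES):
        print(f"[{kind}] {detail}: {line}")
    for ip, line in scan_firewall_log(FIREWALL_LOG):
        print(f"[firewall_ioc_hit] {ip}: {line}")
```

Each finding carries the raw line so it can be pasted into an incident report; the approved-user and expected-file lists are deliberately allow-lists, since the advisory's indicator is any username or filename the administrator does not recognise, not only the three usernames it names.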
Users and administrators are also advised to report any incidents involving the exploitation of the Cisco IOS XE vulnerability (or any other cybersecurity incidents) to SingCERT at https://go.gov.sg/singcert-incident-reporting-form.
More information is available here:
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/