Threat Alert 19/10/2023: Cisco IOS XE Software Web UI vulnerability exploited


A new critical vulnerability has been announced in Cisco IOS XE Software Web UI. Tracked as CVE-2023-20198, and with a CVSS score of 10, the maximum possible, the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.

An attacker can then use that account to log in and take full control of the affected system.

The vulnerable component is the web UI, an embedded GUI-based system-management tool used to provision, deploy and manage the system. It ships in the default image and needs no additional enablement or license, and it lets an operator build configurations and monitor and troubleshoot the system without CLI expertise.

This vulnerability affects Cisco IOS XE Software only if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands. To determine the HTTP server configuration, take the following steps:

  1. Log in to the system.
  2. Run "show running-config | include ip http server|secure|active" in the CLI.

The presence of the "ip http server" command, the "ip http secure-server" command, or both in the global configuration confirms that the HTTP Server feature, and therefore the web UI, is enabled on the system.

If the "ip http server" command is present and the configuration also contains "ip http active-session-modules none", the vulnerability is not exploitable over HTTP.

If the "ip http secure-server" command is present and the configuration also contains "ip http secure-active-session-modules none", the vulnerability is not exploitable over HTTPS.

Cisco currently recommends disabling the HTTP Server feature on all internet-facing systems. To disable it, use the "no ip http server" or "no ip http secure-server" command in global configuration mode; if both the HTTP server and the HTTPS server are in use, both commands are required. Disabling the web UI blocks further exploitation but does not remove an account or implant an attacker has already installed, so devices that were exposed should also be checked for compromise.

The below decision tree can be used to help determine if an environment is vulnerable and how to mitigate the vulnerability.

Are you running IOS XE?

  • No. The system is not vulnerable. No further action is necessary.
  • Yes. Is ip http server or ip http secure-server configured?
    • No. The vulnerability is not exploitable. No further action is necessary.
    • Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
      • No. Disable the HTTP Server feature.
      • Yes. If possible, restrict access to those services to trusted networks.
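The configuration check and the decision tree above reduce to a few rules, which the following script applies to a saved "show running-config" text. This is an added example, not Cisco's or norm.'s code; the three sample configurations are constructed for illustration, and the output labels (NOT_ENABLED, HTTP, HTTPS, HTTP+HTTPS, MITIGATED) are this script's own.

```shell
#!/bin/sh
# Added example (not Cisco's or norm.'s code): apply the advisory's rules to a
# saved "show running-config" and report whether CVE-2023-20198 is reachable.
#   web UI enabled  <=> "ip http server" and/or "ip http secure-server" present
#   HTTP  not exploitable if "ip http active-session-modules none" is also present
#   HTTPS not exploitable if "ip http secure-active-session-modules none" is also present

cfg_has() {                       # cfg_has CONFIG REGEX -> exit 0 if any line matches
  printf '%s\n' "$1" | grep -Eq "$2"
}

# webui_exposure CONFIG -> NOT_ENABLED | HTTP | HTTPS | HTTP+HTTPS | MITIGATED
webui_exposure() {
  http=0; https=0; exposed=""
  # "no ip http server" starts with "no", so the anchored regex ignores it
  cfg_has "$1" '^ip http server([[:space:]]|$)' && http=1
  cfg_has "$1" '^ip http secure-server([[:space:]]|$)' && https=1
  if [ "$http" -eq 0 ] && [ "$https" -eq 0 ]; then
    echo NOT_ENABLED; return 0
  fi
  # "active-session-modules none" takes the web UI off that listener
  if [ "$http" -eq 1 ] && ! cfg_has "$1" '^ip http active-session-modules none'; then
    exposed="HTTP"
  fi
  if [ "$https" -eq 1 ] && ! cfg_has "$1" '^ip http secure-active-session-modules none'; then
    exposed="${exposed:+$exposed+}HTTPS"
  fi
  echo "${exposed:-MITIGATED}"
}

# remediation CONFIG -> the global-config commands that disable each enabled listener
remediation() {
  cfg_has "$1" '^ip http server([[:space:]]|$)' && echo "no ip http server"
  cfg_has "$1" '^ip http secure-server([[:space:]]|$)' && echo "no ip http secure-server"
  return 0
}

# Constructed sample configurations (first line is a hostname for the report):
CFG_EXPOSED='hostname edge-rtr
ip http server
ip http secure-server
ip http authentication local'

CFG_MITIGATED='hostname core-sw
ip http secure-server
ip http secure-active-session-modules none'

CFG_OFF='hostname lab-rtr
no ip http server
no ip http secure-server'

for c in "$CFG_EXPOSED" "$CFG_MITIGATED" "$CFG_OFF"; do
  printf '%s -> %s\n' "$(printf '%s\n' "$c" | head -n1)" "$(webui_exposure "$c")"
done
```

Feed it real output from "show running-config | include ip http server|secure|active" (the hostname line is only for the report). A result of HTTP or HTTPS on an internet-facing device is the case the advisory tells you to act on; MITIGATED means the listener is up but the web UI session modules are off, which the advisory says is not exploitable.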

Should you have a vulnerable system and are concerned if the device has been compromised or have any concerns over your company’s environment, please contact norm. Incident Response team 24 hours a day on 0203 855 5303.

Update: Advisory to check for compromised systems regarding Cisco IOS XE Software Web UI exploit.

Following our emergency threat alert of 19th October on the Cisco IOS XE Software Web UI privilege escalation vulnerability being exploited in the wild, we are now publishing an advisory for anyone with a Cisco IOS XE web UI exposed to the internet to perform a basic review for indicators of compromise.

Cisco has now released a way to check Cisco IOS XE web UI systems for indicators of compromise. Talos, Cisco's threat intelligence team, published a fingerprint for the implant. Run the following command against the device; if the HTTP response body consists of a hexadecimal string, that is a high-confidence indicator that the device is compromised.

curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

However, multiple research sources report that the number of implants discoverable with this method has dropped sharply, from tens of thousands to hundreds. This is because the threat actor updated the implant to add an extra header check: on many devices the implant is still active but now only responds when the expected Authorization HTTP header is set, so a negative result from this command does not mean the device is clean.

To get around that extra check, a second technique can confirm the presence of the implant. Requesting the path %25 (a percent-encoded percent sign) makes a device running the implant respond differently from one that is not:

curl -k "https://DEVICEIP/%25"

A response body containing "<head><title>404 Not Found</title></head>" is an indicator that the implant is running. If the implant is not present, the device returns a different response.
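The two checks above lend themselves to a small script that classifies each response and runs both probes against a device. This is an added example, not Talos's, Cisco's or norm.'s code; the sample response bodies are constructed, the NOT_DETECTED/IMPLANT/NO_IMPLANT labels are the script's own, and the live probe assumes the device is reachable and uses the same curl requests the advisory gives.

```shell
#!/bin/sh
# Added example (not Talos's, Cisco's or norm.'s code): classify responses from
# the two implant checks in the advisory and, optionally, probe a live device.

# classify_logout_response BODY -> IMPLANT | NOT_DETECTED
# Talos check: a body that is nothing but a hexadecimal string means the
# original implant answered. NOT_DETECTED is not "clean": the updated implant
# stays silent unless its expected Authorization header is present.
classify_logout_response() {
  body=$(printf '%s' "$1" | tr -d '[:space:]')
  if [ -n "$body" ] && printf '%s\n' "$body" | grep -Eq '^[0-9a-fA-F]+$'; then
    echo IMPLANT
  else
    echo NOT_DETECTED
  fi
}

# classify_percent_response BODY -> IMPLANT | NO_IMPLANT
# /%25 check: the implant answers with this 404 fragment; an unmodified web UI
# responds differently.
classify_percent_response() {
  if printf '%s\n' "$1" | grep -q '<head><title>404 Not Found</title></head>'; then
    echo IMPLANT
  else
    echo NO_IMPLANT
  fi
}

# check_device IP -> runs both probes against a live device (network access assumed)
check_device() {
  ip="$1"
  r1=$(curl -sk --max-time 10 -X POST "https://$ip/webui/logoutconfirm.html?logon_hash=1")
  r2=$(curl -sk --max-time 10 "https://$ip/%25")
  printf '%s logout_hash=%s percent=%s\n' "$ip" \
    "$(classify_logout_response "$r1")" "$(classify_percent_response "$r2")"
}

# Constructed sample bodies for offline use:
SAMPLE_HEX='6e10e3dc8a3c0f5a7b1d2e4c9f0a1b2c'
SAMPLE_404='<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center></body></html>'
SAMPLE_NORMAL='<html><body>Error: logoutconfirm.html not found</body></html>'

printf 'hex body      -> %s\n' "$(classify_logout_response "$SAMPLE_HEX")"
printf 'normal body   -> %s\n' "$(classify_logout_response "$SAMPLE_NORMAL")"
printf '404 fragment  -> %s\n' "$(classify_percent_response "$SAMPLE_404")"

# Set DEVICEIP in the environment to probe a real device, e.g. DEVICEIP=192.0.2.10
if [ -n "${DEVICEIP:-}" ]; then
  check_device "$DEVICEIP"
fi
```

Treat IMPLANT from either probe as a confirmed compromise. NOT_DETECTED on the logout_hash probe combined with NO_IMPLANT on the %25 probe lowers the likelihood but is not proof of a clean device; a device that was internet-exposed with the web UI enabled still warrants a review of its configuration for unexpected privilege 15 accounts.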


Further Reading:

Active exploitation of Cisco IOS XE Software (Cisco Talos Intelligence)

Number of hacked Cisco IOS XE devices plummets from 50K to hundreds (BleepingComputer)
