A previously unknown vulnerability (CVE-2023-20198) affecting networking devices running Cisco IOS XE software is being exploited by a threat actor to take control of the devices and install an implant, Cisco Talos researchers have warned today.
About CVE-2023-20198
CVE-2023-20198 is a privilege escalation vulnerability in the web UI feature of Cisco IOS XE software, which is installed on various Cisco controllers, switches, edge, branch and virtual routers.
The web UI is an embedded GUI-based tool that can be used to provision, monitor and troubleshoot the system, build configurations, simplify system deployment and manageability, and enhance the user experience. It is not supposed to be exposed to the internet or to untrusted networks.
Additional details about the vulnerability haven’t been disclosed, but it’s known that it allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, i.e., the highest privilege level, which can run all commands and make configuration changes.
The flaw affects both physical and virtual devices running Cisco IOS XE software, and is exploitable only if the web UI is enabled.
The attacks
In multiple attacks analyzed by Cisco’s threat analysts, the (presumably same) threat actor exploited CVE-2023-20198 to create a local user account and exploited an old command injection flaw in the web UI (CVE-2021-1435) to install the implant.
In the first attack, likely started on September 18, the attacker limited themselves to creating a local user account under the username “cisco_tac_admin”. In a later one, started on October 12, the attacker created a local user account under the username “cisco_support” and then proceeded to deploy a configuration file (“cisco_service.conf”) that serves as an implant.
“The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters (…) that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed,” Cisco’s researchers explained.
The implant isn’t capable of persisting after a reboot, but the local user accounts created by the attacker do. According to Cisco, the implant “facilitates” arbitrary command execution.
There’s also an interesting tidbit shared by the researchers: though a patch for CVE-2021-1435 was provided back in 2021 and has hopefully been applied by many, they “have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism.”
What to do?
Cisco is working on a patch for CVE-2023-20198; in the meantime, it advises admins to disable the HTTP Server feature (i.e., the web UI) on all internet-facing systems running Cisco IOS XE software.
Instructions on how to do it are provided in this security advisory, along with known indicators of compromise that security teams can check for and Snort rules they can use.
“After disabling the HTTP Server feature, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the HTTP Server feature is not unexpectedly enabled in the event of a system reload,” the company stressed.
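As an added example (not code from the article or from Cisco's advisory), the following Python script audits an exported IOS XE running-config for the two conditions the article describes: the web UI (HTTP/HTTPS server) being enabled, and privilege-15 local accounts, flagging those whose names match the usernames observed in these attacks. It then lists the commands that disable the web UI and persist the change. The sample config, the hostname and the secret values are constructed.

```python
import re

# Usernames the article reports for accounts created via CVE-2023-20198.
SUSPICIOUS_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# Constructed sample running-config (not a real device export).
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http authentication local
end
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")

def audit_config(config_text):
    """Flag an enabled web UI and privilege-15 local accounts in an IOS XE config."""
    findings = {"http_server": False, "https_server": False,
                "privilege15_users": [], "suspicious_users": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip http server":           # web UI over plain HTTP
            findings["http_server"] = True
        elif line == "ip http secure-server":  # web UI over HTTPS
            findings["https_server"] = True
        m = USERNAME_RE.match(line)
        if m:
            user, priv = m.group(1), m.group(2)
            if priv == "15":                   # full administrative access
                findings["privilege15_users"].append(user)
            if user in SUSPICIOUS_USERNAMES:   # names seen in the attacks
                findings["suspicious_users"].append(user)
    return findings

def remediation_commands(findings):
    """Commands to disable the web UI (config mode) and persist the change (exec mode)."""
    cmds = []
    if findings["http_server"]:
        cmds.append("no ip http server")
    if findings["https_server"]:
        cmds.append("no ip http secure-server")
    if cmds:
        cmds.append("copy running-config startup-config")
    return cmds
```

Any account in `suspicious_users`, or any privilege-15 account the team did not create, warrants an incident-response review rather than just deletion, since the implant itself does not survive a reboot but the accounts do.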