Exploit Released for Cisco IOS XE Zero-day Vulnerability


Cisco disclosed a critical vulnerability last week that threat actors have been actively exploiting in the wild. It is tracked as CVE-2023-20198 and carries a CVSS severity rating of 10.0 (Critical).

The vulnerability affects Cisco IOS XE software running on thousands of Cisco devices, including routers, switches, and other networking equipment. Cisco has since published a security advisory and released fixed software for the affected release trains.


CVE-2023-20198: Authentication Bypass in Cisco IOS XE Web UI

The vulnerability lies in the Web UI of Cisco IOS XE. It allows an unauthenticated remote attacker to create an account on the affected device with privilege level 15, the highest privilege level in IOS XE, which grants full administrative access.

With that account the attacker has complete control of the device and can execute arbitrary commands on it.

Exploit PoC

As a prerequisite, the attacker must be able to reach the Web UI's webui_wsma_http or webui_wsma_https endpoints, which the Nginx front end normally does not expose. To get around that, they send a crafted POST request to the path /%2577ebui_wsma_HTTP. The leading "w" is double URL-encoded (%25 decodes to %, leaving %77, which in turn decodes to w), so after the single round of decoding that Nginx applies the path does not match its location rules for the WSMA endpoint, and the request is passed through to the WSMA service running inside iosd, which decodes it again.

Exploit HTTP request (Source: Horizon3)

WSMA (Web Services Management Agent) lets a client execute commands and change the device configuration through SOAP requests; Cisco's documentation describes how the configuration feature is driven over SOAP.

Through that interface, the attacker can create a new user with privilege level 15 by sending the CLI command username <name> privilege 15 secret <password>. To confirm that the exploitation succeeded, the new account can be seen in the Web UI under Administration -> User Administration; it also appears as a username line in the running configuration (show running-config).
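As an added example, not part of this article or of Horizon3's proof-of-concept, the following Python detection helpers cover both halves of the procedure above: spotting requests whose path only resolves to the WSMA endpoint after percent-decoding, and checking a device's running configuration for privilege-15 accounts that nobody created on purpose (plus whether the Web UI listeners are enabled at all). The access-log lines, the sample configuration and the allowlist are constructed for the example. The decoder goes beyond the single double-encoded case in the write-up: it decodes repeatedly until the path stops changing, so triple-encoded variants are classified the same way.

```python
import re
from urllib.parse import unquote

# Endpoints named in the write-up; only requests that resolve to these after
# decoding are interesting. Constructed list for this example.
WSMA_ENDPOINTS = ("/webui_wsma_http", "/webui_wsma_https")

# Common Log Format as written by many reverse proxies (constructed regex).
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the path stops changing, then lower-case it.

    One decode turns /%2577ebui_wsma_HTTP into /%77ebui_wsma_HTTP, which still
    does not read as "webui_wsma"; a second decode yields /webui_wsma_HTTP.
    Matching on the fully decoded form is what catches the encoded variant.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def classify_path(raw_path: str):
    """Return None, "direct" or "encoded" depending on how the path reaches WSMA."""
    normalized = normalize_path(raw_path)
    if not normalized.startswith(WSMA_ENDPOINTS):
        return None
    literal = raw_path.split("?", 1)[0].lower()
    return "direct" if literal == normalized else "encoded"


def find_wsma_requests(log_text: str):
    """Scan access-log lines and report every request that resolves to WSMA."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_path(m["path"])
        if verdict:
            hits.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                         "status": int(m["status"]), "verdict": verdict})
    return hits


# `username` lines from `show running-config`; IOS defaults to privilege 1
# when the keyword is omitted.
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.MULTILINE)


def unexpected_priv15_users(config_text: str, allowlist):
    """Return privilege-15 local users that are not in the allowlist."""
    return [name for name, priv in USERNAME_RE.findall(config_text)
            if int(priv or 1) == 15 and name not in allowlist]


def http_server_enabled(config_text: str):
    """Report whether the Web UI listeners are turned on in the running config."""
    lines = {line.strip() for line in config_text.splitlines()}
    return {"http": "ip http server" in lines,
            "https": "ip http secure-server" in lines}


# Constructed sample data (not taken from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Oct/2023:10:01:02 +0000] "GET /webui/ HTTP/1.1" 200 1234
198.51.100.7 - - [17/Oct/2023:10:01:05 +0000] "POST /%2577ebui_wsma_HTTP HTTP/1.1" 200 512
203.0.113.4 - - [17/Oct/2023:10:02:11 +0000] "POST /webui_wsma_http HTTP/1.1" 403 0
198.51.100.7 - - [17/Oct/2023:10:03:40 +0000] "POST /%252577ebui_wsma_https HTTP/1.1" 200 498
"""

SAMPLE_CONFIG = """\
hostname edge-rtr
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
username legacy secret 5 $1$REDACTED
ip http server
ip http secure-server
"""

if __name__ == "__main__":
    for hit in find_wsma_requests(SAMPLE_LOG):
        print(hit)
    print("unexpected priv 15:", unexpected_priv15_users(SAMPLE_CONFIG, {"netops"}))
    print("web ui listeners:", http_server_enabled(SAMPLE_CONFIG))
```

An "encoded" verdict with a 200 status is the interesting combination: the front end let the request through and the backend answered it. A "direct" hit with a 403 is the normal case of the front end refusing the literal path.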

Horizon3 has published a complete report on this proof-of-concept, covering the theory behind the exploit, the method of exploitation, and other details.

Cisco's patch adds a Proxy-Uri-Source header check that keeps externally received requests away from the WSMA service: the header defaults to global, and only requests that the Web UI proxies internally carry the value webui_internal, which the WSMA service now requires before it will act on a request.
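To make the routing mismatch and the effect of the header check concrete, here is a small Python model written for this article, not Cisco's code: a front end that matches locations on a once-decoded path and a backend that decodes again, run first without and then with the Proxy-Uri-Source check. The exact behaviour of Nginx and iosd is assumed from the description above, including the assumption that the patched front end overwrites any client-supplied Proxy-Uri-Source value; if it merely passed the header through, an attacker could set webui_internal themselves and the check would be worthless.

```python
import re
from urllib.parse import unquote

# Simplified model (assumption, not Cisco's implementation) of the two stages
# described in the write-up: an Nginx front end that matches locations on a
# once-decoded path, and the iosd web server behind it that decodes again.
WSMA_RE = re.compile(r"^/webui_wsma_https?$", re.IGNORECASE)


def frontend(raw_path: str, client_headers: dict, patched: bool):
    """Return ("deny", None, None) or ("forward", path, headers).

    The front end sees the path after one round of percent-decoding, so
    /%2577ebui_wsma_HTTP arrives as /%77ebui_wsma_HTTP, does not match the
    WSMA location, and is forwarded like any other Web UI request.
    """
    once_decoded = unquote(raw_path)
    if WSMA_RE.match(once_decoded):
        return ("deny", None, None)
    headers = dict(client_headers)
    if patched:
        # Assumption: the patched front end tags every externally received
        # request with the default value, overwriting whatever the client sent.
        headers["Proxy-Uri-Source"] = "global"
    return ("forward", once_decoded, headers)


def iosd(path: str, headers: dict, patched: bool) -> str:
    """Backend: decodes the path a second time before routing it."""
    twice_decoded = unquote(path)
    if not WSMA_RE.match(twice_decoded):
        return "webui"
    if patched and headers.get("Proxy-Uri-Source", "global") != "webui_internal":
        return "rejected"
    return "wsma"


def handle(raw_path: str, client_headers=None, patched: bool = False) -> str:
    """End-to-end result for one external request."""
    verdict, path, headers = frontend(raw_path, client_headers or {}, patched)
    if verdict == "deny":
        return "denied-by-frontend"
    return iosd(path, headers, patched)


if __name__ == "__main__":
    spoof = {"Proxy-Uri-Source": "webui_internal"}
    for patched in (False, True):
        print(f"patched={patched}")
        print("  direct  :", handle("/webui_wsma_http", patched=patched))
        print("  encoded :", handle("/%2577ebui_wsma_HTTP", patched=patched))
        print("  spoofed :", handle("/%2577ebui_wsma_HTTP", spoof, patched))
        # A request the Web UI proxies internally really does carry webui_internal
        print("  internal:", iosd("/webui_wsma_http", spoof, patched))
```

Before the patch the encoded path lands on WSMA; after it the same request is rejected, and so is one that tries to smuggle the header in, while the Web UI's own internal calls still work.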

Fixed in Release

Cisco IOS XE Software Release Train    First Fixed Release    Available
17.9                                   17.9.4a                Yes
17.6                                   17.6.6a                Yes
17.3                                   17.3.8a                TBD
16.12 (Catalyst 3650 and 3850 only)    16.12.10a              Yes

Source: Cisco

Users of devices running Cisco IOS XE should upgrade to a fixed release for their release train to prevent this vulnerability from being exploited. Until the upgrade is done, disabling the HTTP Server feature (no ip http server and no ip http secure-server) on internet-facing systems removes the exposed Web UI, which is what Cisco's advisory recommends as an interim measure.

