Select your country

Not finding what you are looking for, select your country from our regional selector:

Search

Critical vulnerability affecting Cisco IOS XE exploited in the wild (CVE-2023-20198)

man-tittar-pa-data

Updateed, 31/10/2023 - Horizon3 reveals that Cisco's patches for CVE-2023-20198 are incomplete

On October 25, Horizon3 researchers published a report detailing Cisco's patch for the CVE-2023-20198 vulnerability. Based on their findings, Cisco IOS XE uses a custom version of Nginx called OpenResty, which is capable of executing Lua scripts and whose configuration is dynamically generated by the "iosd" binary.

Analysis of the patch notably highlighted the fact that Cisco has now strengthened authentication for access to web services. The vendor introduced a new header called "Proxy-Uri-Source" to access some services, including to key components such as WSMASendCommand endpoints. Horizon3 explains how Cisco attempted to mitigate the issue by allowing only authenticated access to WSMASendCommand services via a check of this "Proxy-Uri-Source" header.

On october 30, Horizon3 announces that Cisco's patch is not fully protecting against the issue for several reasons:

  • First, Cisco has only added the "Proxy-Uri-Source" header to the WSMA service. This approach does not directly address the underlying vulnerability, which raises questions about the long-term resilience of this solution.
  • Secondly, Horizon3 assumes that there are other hidden access endpoints that could be exploited in the same way.
  • Finally, the PoC revealed that it was possible to bypass these protections added to Nginx by using smart encoding in the POST request.

These findings raise questions about the full effectiveness of the security measures implemented to prevent this type of attack, and could force Cisco to reconsider its patching strategy for this vulnerability. It is also possible that Cisco will reserve further CVE numbers for new vectors found in relation with this vulnerability.

Along with these explanations, Horizon3 researchers publicly released a fully working PoC. The latter manages to create a new user with privilege level 15, meaning full administrative privileges on the device. Using it, an attacker could bypass authentication on Cisco IOS XE devices. The PoC relies on a specially crafted POST request towards the Web Management Service Agent (WMSA) service in iosd, used for the management and configuration of Cisco devices. By encoding characters in a specific way in the POST request, the attacker can bypass the protections implemented in Cisco IOS XE's Nginx web server.

Furthermore, our latest scans reveal that the number of compromised instances has remained stable (with at least 24,000 instances still compromised). But the public release of the PoC and the bypass of the current patch may incite more threat actors to start exploiting this vulnerability.

The risk level associated to this advisory thus remains high for now.

 

Updated , 24/10/2023 - Threat actors tried to hide implants on Cisco devices, most remain compromised

As we anticipated, the operation which managed to very rapidly hide implants located on compromised Cisco assets was conducted by the attackers themselves, in an effort to hide the backdoors from public oversight. Indeed, threat actors added an authorization header necessary for viewing the malicious implant, that is now provided within the curl command recommended by Cisco in an update of their initial advisory:

[curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"]

Fox-IT, that first publicly mentioned this change yesterday in a tweet, also figured out another query can be made to detect whether one device is compromised, using a simple command such as:

[curl -k "https[:]//DEVICEIP/%25"]

Cisco added this disclaimer to this new detection capability:

"If this returns a 404 HTTP response with an HTML page comprising of a “404 Not Found” message, a known variation of the implant is present. A system without the implant should return either only the standard 404 HTTP response, or a JavaScript redirect 200 HTTP response. Note: The above checks should use the HTTP scheme if the device is only configured for an insecure web interface."

In the end, this latest move by the threat actor means most implants are still present
on the instances. This is confirmed by the new scans conducted since, for example by
ShadowServer, which still found more than 30,000 compromised devices. It also means the backdoor remains available to the threat actors, a single group being still believed to be behind this campaign. This also means the original hacker is still active, even though we don't know the real objective behind this spree yet, nor who it might be.

As of writing, there is no working public PoC for the exploited vulnerability, limiting the risk that other opportunistic attackers start exploiting them. We did actually notice an increase of scanning attempts trying to do reconnaissance of the exposed web UI using the classic Cisco IOS XE path (i.e. "/webui/logoutconfirm.html?logon_hash=1").

The risk level associated to this advisory remains high for now.

 

17 and 20/10/2023

According to a threat advisory released by Cisco Talos on October 16, a new and maximum severity 0-day vulnerability in its IOS XE Software is being currently leveraged by at least one threat actor to gain full administrator privileges and take complete control of affected routers. Tracked as CVE-2023-20198 (link to detailed page for our clients), this critical flaw is yet to be patched by the vendor. However, users can disable the HTTP server feature from Internet-facing assets, which would remove the attack vector and block incoming attacks.

The vendor warned that this vulnerability only affects physical and virtual devices with the Web User Interface (Web UI) feature enabled, that also have the HTTP or HTTPS Server feature toggled on. Administrators of such at-risk assets should temporarily disabled this feature to mitigate the risks (or restrict access to trusted networks), after conducting some simple investigations (suspicious accounts created, trafic from 2 malicious IP addresses, implant located on the system).

Sign up for our World Watch newsletter for further updates on this case and future security events & incidents.

World Watch

What it means

According to Cisco, when exploited, this vulnerability allows an attacker to create a malicious account on the affected device with high privileges, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity. The vulnerability and the attacks were discovered by Cisco's Technical Assistance Center (TAC) at the end of September after reports of unusual behavior on a customer device.

Following a thorough investigation, the company traced back the malicious activity to September 18, when an authorized user created a local user account with the username "cisco_tac_admin" from a suspicious IP address. On October 12, another "cisco_support" local user account was created from a second suspicious IP address. The attackers also deployed a malicious implant to execute arbitrary commands at the system or IOS levels. Cisco Talos believes that these two clusters of activity were launched by the same threat actor:

To drop this backdoor, the attackers leveraged a vulnerability tracked as CVE-2021-1435 (link to detailed page for our clients) which was patched by the vendor back in 2021. But here the flaw was successfully exploited even in patched devices "through an as of yet undetermined mechanism" added Cisco Talos.

As a workaround, users can disable the HTTP server feature on Internet-facing systems, which would remove the attack vector and block incoming attacks. If not possible, you should at least restrict it to trusted networks only. CISA quickly released an alert the same day, encouraging users to apply the mitigation measure proposed by the vendor.

We also encourage you if in the scope of this threat to hunt for the 2 IP addresses provided by Cisco, and to run a command provided by Cisco to check whether the implant was installed or not on your device:

# curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1" #

(Disclaimer: this check works only if the attacker restarted the web server).

3 new Snort signatures were also released by the vendor.

What to do

Cisco updated its advisory, as they identified the privilege escalation 0-day flaw used in conjunction with CVE-2023-20198 in this attack. This vulnerability received a new CVE identifier CVE-2023-20273 and is actually not tied to one older vulnerability (CVE-2021-1435), initially believed to be leveraged through a new mean. Furthermore, Cisco announced the progressive release of patches starting on October 22, with a first one available (17.9.4a, for the 17.9 branch) already. Older branches will most probably be fixed in upcoming days. 

A workaround user can disable the HTTP server feature on internet-facing systems, which would remove the attack vector and block incoming attacks. Cisco Talos also asks users to use the no ip http server or no ip http secure-server command in global configuration mode. Organizations should also look for unexplained or recently created user accounts as potential indicators of malicious activity associated with this threat.

 

Orange Cyberdefense Datalake service

Orange Cyberdefense's Datalake platform provides access to Indicators of Compromise (IoCs) related to this threat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us to prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or contact your representative.

Orange Cyberdefense's DataLake service offers the ability to automatically feed network-related IoCs into your security solutions. To learn more about this service and to find out which firewall, proxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.

 

External links:

Greynoise
https://www.greynoise.io/blog/unpacking-cve-2023-20198-a-critical-weakness-in-cisco-ios-xe

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

https://www.greynoise.io/blog/unpacking-cve-2023-20198-a-critical-weakness-in-cisco-ios-xe

Cisco
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.