Updated, 31/10/2023 - Horizon3 reveals that Cisco's patches for CVE-2023-20198 are incomplete
On October 25, Horizon3 researchers published a report detailing Cisco's patch for the CVE-2023-20198 vulnerability. Based on their findings, Cisco IOS XE uses a custom version of Nginx called OpenResty, which is capable of executing Lua scripts and whose configuration is dynamically generated by the "iosd" binary.
Analysis of the patch notably highlighted the fact that Cisco has now strengthened authentication for access to web services. The vendor introduced a new header called "Proxy-Uri-Source" that is required to access some services, including key components such as the WSMASendCommand endpoints. Horizon3 explains how Cisco attempted to mitigate the issue by allowing only authenticated access to the WSMASendCommand services via a check of this "Proxy-Uri-Source" header.
On October 30, Horizon3 announced that Cisco's patch does not fully protect against the issue, for several reasons:
These findings raise questions about the full effectiveness of the security measures implemented to prevent this type of attack, and could force Cisco to reconsider its patching strategy for this vulnerability. It is also possible that Cisco will reserve further CVE numbers for new vectors found in relation to this vulnerability.
Along with these explanations, Horizon3 researchers publicly released a fully working PoC. It creates a new user with privilege level 15, meaning full administrative privileges on the device. Using it, an attacker could bypass authentication on Cisco IOS XE devices. The PoC relies on a specially crafted POST request to the Web Services Management Agent (WSMA) service in iosd, which is used for the management and configuration of Cisco devices. By encoding characters in a specific way in the POST request, the attacker can bypass the protections implemented in Cisco IOS XE's Nginx web server.
Furthermore, our latest scans reveal that the number of compromised instances has remained stable (at least 24,000 instances are still compromised). But the public release of the PoC and the bypass of the current patch may incite more threat actors to start exploiting this vulnerability.
The risk level associated with this advisory thus remains high for now.
Updated, 24/10/2023 - Threat actors tried to hide implants on Cisco devices, most remain compromised
As we anticipated, the operation that very rapidly hid the implants located on compromised Cisco assets was conducted by the attackers themselves, in an effort to hide the backdoors from public oversight. Indeed, the threat actors added an authorization header that is now necessary for viewing the malicious implant; that header is now included in the curl command recommended by Cisco in an update of their initial advisory:
[curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"]
[curl -k "https[:]//DEVICEIP/%25"]
Cisco added this disclaimer to this new detection capability:
In the end, this latest move by the threat actor means most implants are still present on the instances. This is confirmed by the new scans conducted since, for example by ShadowServer, which still found more than 30,000 compromised devices. It also means the backdoor remains available to the threat actors, a single group still being believed to be behind this campaign. This also means the original hacker is still active, even though we do not yet know the real objective behind this spree, nor who is behind it.
As of writing, there is no working public PoC for the exploited vulnerability, limiting the risk that other opportunistic attackers start exploiting it. We did, however, notice an increase in scanning attempts performing reconnaissance of the exposed web UI using the classic Cisco IOS XE path (i.e. "/webui/logoutconfirm.html?logon_hash=1").
The risk level associated with this advisory remains high for now.
17 and 20/10/2023
According to a threat advisory released by Cisco Talos on October 16, a new, maximum-severity 0-day vulnerability in its IOS XE Software is currently being leveraged by at least one threat actor to gain full administrator privileges and take complete control of affected routers. Tracked as CVE-2023-20198, this critical flaw is yet to be patched by the vendor. However, users can disable the HTTP server feature on Internet-facing assets, which removes the attack vector and blocks incoming attacks.
The vendor warned that this vulnerability only affects physical and virtual devices with the Web User Interface (Web UI) feature enabled that also have the HTTP or HTTPS Server feature toggled on. Administrators of such at-risk assets should temporarily disable this feature to mitigate the risk (or restrict access to trusted networks), after conducting some simple investigations (suspicious accounts created, traffic from the 2 malicious IP addresses, implant located on the system).
According to Cisco, when exploited, this vulnerability allows an attacker to create a malicious account on the affected device with high privileges, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity. The vulnerability and the attacks were discovered by Cisco's Technical Assistance Center (TAC) at the end of September after reports of unusual behavior on a customer device.
Following a thorough investigation, the company traced back the malicious activity to September 18, when an authorized user created a local user account with the username "cisco_tac_admin" from a suspicious IP address. On October 12, another "cisco_support" local user account was created from a second suspicious IP address. The attackers also deployed a malicious implant to execute arbitrary commands at the system or IOS levels. Cisco Talos believes that these two clusters of activity were launched by the same threat actor:
To drop this backdoor, the attackers leveraged a vulnerability tracked as CVE-2021-1435, which was patched by the vendor back in 2021. But here the flaw was successfully exploited even on patched devices "through an as of yet undetermined mechanism", added Cisco Talos.
As a workaround, users can disable the HTTP server feature on Internet-facing systems, which would remove the attack vector and block incoming attacks. If not possible, you should at least restrict it to trusted networks only. CISA quickly released an alert the same day, encouraging users to apply the mitigation measure proposed by the vendor.
If you are in the scope of this threat, we also encourage you to hunt for the 2 IP addresses provided by Cisco, and to run the command provided by Cisco to check whether the implant was installed on your device:
# curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1" #
(Disclaimer: this check works only if the attacker restarted the web server).
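The following added example (not Cisco's or Horizon3's code) wraps the two Cisco-published implant checks quoted in this advisory, the original one above and the updated one carrying the attackers' Authorization header, into a repeatable probe for an inventory of devices and classifies the reply. It assumes curl is installed; the device list is a constructed sample, and the "18-character hexadecimal string" rule is taken from Cisco's advisory.

```shell
#!/bin/sh
# Added example, not Cisco's or Horizon3's code: runs Cisco's published implant
# check against a list of devices and classifies the reply.
# Assumptions: curl is installed; DEVICES is a constructed sample inventory;
# the 18-character hex-string rule comes from Cisco's advisory.

# Header the attackers added to hide the implant; Cisco's updated check sends it.
IMPLANT_AUTH="Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"

# classify_response BODY -> IMPLANT | NOT_DETECTED | NO_RESPONSE
# Per Cisco's advisory, a reply consisting of an 18-character hexadecimal string
# (such as 0123456789abcdef01) means the implant is present. The disclaimer above
# still applies: the check only works if the web server was restarted.
classify_response() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ -z "$body" ]; then
        echo NO_RESPONSE
    elif printf '%s\n' "$body" | grep -Eq '^[0-9a-fA-F]{18}$'; then
        echo IMPLANT
    else
        echo NOT_DETECTED
    fi
}

# probe_device IP -> prints "IP STATUS" using Cisco's updated (authenticated) check.
# -k mirrors Cisco's command (self-signed web UI certificates); -m bounds the wait.
probe_device() {
    ip="$1"
    body=$(curl -sk -m 10 -H "$IMPLANT_AUTH" -X POST \
        "https://$ip/webui/logoutconfirm.html?logon_hash=1" 2>/dev/null || true)
    printf '%s %s\n' "$ip" "$(classify_response "$body")"
}

# Constructed sample inventory (RFC 5737 documentation addresses); replace with yours.
DEVICES="192.0.2.10 192.0.2.11"

scan() {
    for d in $DEVICES; do
        probe_device "$d"
    done
}

# Only probe when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--scan" ]; then scan; fi
```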
3 new Snort signatures were also released by the vendor.
Cisco updated its advisory, having identified the privilege escalation 0-day flaw used in conjunction with CVE-2023-20198 in this attack. This vulnerability received a new CVE identifier, CVE-2023-20273, and is not, as initially believed, the older vulnerability (CVE-2021-1435) being leveraged through a new means. Furthermore, Cisco announced the progressive release of patches starting on October 22, with a first one (17.9.4a, for the 17.9 branch) already available. Older branches will most probably be fixed in the upcoming days.
As a workaround, users can disable the HTTP server feature on Internet-facing systems, which would remove the attack vector and block incoming attacks. Cisco Talos also asks users to apply the "no ip http server" or "no ip http secure-server" command in global configuration mode. Organizations should also look for unexplained or recently created user accounts as potential indicators of malicious activity associated with this threat.
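The following added example (not Cisco's code) triages a saved "show running-config" for the two checks this advisory asks administrators to perform: whether the HTTP/HTTPS server is still enabled, and which local accounts hold privilege 15, flagging the two usernames Cisco attributes to the attacker. The configuration excerpt is a constructed sample, not a real device's config.

```shell
#!/bin/sh
# Added example, not Cisco's code: triage a saved running-config for the
# HTTP server exposure and the account review recommended in this advisory.
# SAMPLE_CONFIG is a constructed excerpt; hashes are placeholders.

SAMPLE_CONFIG='hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!'

# Local usernames Cisco Talos observed the attacker creating.
KNOWN_BAD_USERS="cisco_tac_admin cisco_support"

# http_exposure CONFIG -> "enabled" if "ip http server" or "ip http secure-server"
# is active, else "disabled" (the "no ip http ..." forms do not match).
http_exposure() {
    if printf '%s\n' "$1" | grep -Eq '^ip http (secure-)?server$'; then
        echo enabled
    else
        echo disabled
    fi
}

# priv15_users CONFIG -> space-separated local users configured with privilege 15.
priv15_users() {
    printf '%s\n' "$1" |
        awk '$1=="username" && $3=="privilege" && $4=="15" {printf "%s%s", sep, $2; sep=" "}'
}

# flag_known_bad CONFIG -> those of KNOWN_BAD_USERS present as local users.
flag_known_bad() {
    out=""
    for u in $KNOWN_BAD_USERS; do
        if printf '%s\n' "$1" | grep -Eq "^username $u "; then
            out="$out${out:+ }$u"
        fi
    done
    printf '%s' "$out"
}

report() {
    echo "HTTP server:        $(http_exposure "$SAMPLE_CONFIG")"
    echo "Privilege-15 users: $(priv15_users "$SAMPLE_CONFIG")"
    echo "Known-bad accounts: $(flag_known_bad "$SAMPLE_CONFIG")"
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Running it with --report on the sample prints the HTTP server as enabled and lists cisco_tac_admin among the privilege-15 users; point SAMPLE_CONFIG at a real saved config to triage a device.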
Orange Cyberdefense's Datalake platform provides access to Indicators of Compromise (IoCs) related to this threat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us to prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or contact your representative.
Orange Cyberdefense's DataLake service offers the ability to automatically feed network-related IoCs into your security solutions. To learn more about this service and to find out which firewall, proxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.