On Monday, 16 October, Cisco reported a critical zero-day vulnerability in the web UI feature of its IOS XE software actively being exploited by threat actors to install Remote Access Tools (RATs) and backdoor vulnerable devices exposed on the internet. The vulnerability, identified as CVE-2023-20198, enables an attacker without authentication to create a highly privileged account on the affected network device in order to gain full control and execute arbitrary commands. The Cisco IOS XE software is utilized on several of Cisco’s widely used enterprise networking devices – switches, routers, etc.
Risks of Compromise
On Tuesday, 17 October, researchers at VulnCheck performed an internet scan and identified 10,000+ compromised Cisco IOS XE systems that had been implanted with the unidentified threat actor(s)' RAT. Attackers with this type of unfettered remote access to a network device could take the following actions, with the associated impacts:
- monitor network traffic – eavesdropping on privileged network communications.
- inject and redirect network traffic – exposing the enterprise to man-in-the-middle attacks.
- breach protected network segments.
- utilize it as a persistent beachhead into the network, since detection and protection solutions for these devices are scarce and they are often overlooked during patch cycles until a disruption to user activity is noticed.
Indicators of Compromise
Current known indicators of compromise include:
- Exploitation of CVE-2023-20198: Unexplained or newly created users on devices running IOS XE
- Threat Actor RAT: Cisco published the following command to determine whether the unknown threat actor's RAT is present on a device:
curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"
- DEVICEIP is a placeholder for the IP address of the device to check
- If the request returns a hexadecimal string, the RAT is present.
- Alternatively, use the HTTP scheme for web interfaces that are not served over HTTPS.
Organizations are strongly advised to disable the web UI (HTTP Server) component on all internet-facing systems immediately. This can be done using the
no ip http server
no ip http secure-server
commands in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. It’s also recommended to avoid exposing the web UI and management services to the internet or to untrusted networks.
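As an added example, not part of the original advisory or of Cisco's tooling: a Python script that automates Cisco's implant check above across a list of devices and, from a saved running-config, verifies that both web UI servers are explicitly disabled. The minimum hex length, the function names and the config parsing rules are assumptions.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request

# Cisco's published check: POST to /webui/logoutconfirm.html?logon_hash=1 and look for a
# bare hexadecimal string in the reply. A real web UI answers with HTML or an error, so a
# body that is nothing but hex is treated as an implant indicator. The 8-character minimum
# is an assumption chosen to avoid matching trivial responses.
HEX_ONLY = re.compile(r"^[0-9a-fA-F]{8,}$")

def implant_indicated(body: str) -> bool:
    """True when the response body is the bare hex string Cisco describes."""
    return bool(HEX_ONLY.match(body.strip()))

def check_device(ip: str, scheme: str = "https", timeout: float = 5.0) -> bool:
    """Issue the check against one device; equivalent to the curl -k command above.
    Returns False on any network error, so unreachable devices must be re-checked."""
    url = f"{scheme}://{ip}/webui/logoutconfirm.html?logon_hash=1"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # same as curl -k: device certs are usually self-signed
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return implant_indicated(resp.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError):
        return False

def web_ui_disabled(running_config: str) -> bool:
    """Conservative check on a 'show running-config' dump: only report the web UI as
    disabled when BOTH negated lines from the advisory are present verbatim."""
    lines = {line.strip() for line in running_config.splitlines()}
    return {"no ip http server", "no ip http secure-server"} <= lines

if __name__ == "__main__":
    # Usage: python check_iosxe.py 192.0.2.1 192.0.2.2 ...   (addresses are constructed)
    for device in sys.argv[1:]:
        status = "IMPLANT INDICATED" if check_device(device) else "not detected / unreachable"
        print(f"{device}: {status}")
```

Run the script from a host that can reach the management interfaces and treat any "IMPLANT INDICATED" result as a trigger for the incident response procedures described below.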
While disabling the web UI component and limiting internet exposure reduces risk from known attack vectors, it does not mitigate the risk from RATs that might have already been deployed on vulnerable systems. It’s crucial to invoke incident response procedures to prioritize hunting for indicators of compromise as they are published.
Down the Road
Cisco has yet to release a patch for CVE-2023-20198. Additionally, Cisco observed the threat actor(s) using two different techniques to install the RAT once the device has been compromised:
- Exploiting CVE-2021-1435, patched in 2021
- On fully patched devices – “through an as of yet undetermined mechanism.”
The exploitation of CVE-2023-20198 underscores the critical need for robust cybersecurity measures and immediate response actions within organizations. The active exploitation of this vulnerability demonstrates the relentless efforts by malicious actors to exploit system weaknesses, making it imperative for organizations to apply immediate patches and also have a long-term, sustainable cybersecurity strategy in place. Regularly monitoring system logs for unusual activities, training staff to recognize potential threats, having an incident response plan ready, and subscribing to a routine of frequent internal and external penetration testing are some of the key steps in creating a resilient cybersecurity infrastructure.
Cisco Advisory, Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
Cisco Talos Threat Advisory, Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
VulnCheck, Widespread Cisco IOS XE Implants in the Wild
NVD, CVE-2023-20198 Details
Cisco, Cisco IOS XE