Vulnerability Alert: CVE-2023-20198 CISCO IOS XE Software Vulnerability

Wednesday 18th October 2023

SITUATION UPDATE 27/11:

The SecurityHQ team published an advisory regarding CVE-2023-20198 on 17 October 2023. This advisory should be considered an addendum to that previous advisory.

Cisco has stated that attackers have exploited two previously unknown vulnerabilities.

1) Attackers were first seen exploiting CVE-2023-20198 to gain initial access and issuing a privilege level 15 command to create a local user, which is then used to log in to the vulnerable device.
2) The attackers then exploit a second vulnerability (CVE-2023-20273) in the web UI feature to elevate the privileges of the newly created normal user to root.

A Cisco IOS XE Software device is only vulnerable to this attack if the web UI feature is enabled.

At the time of writing, the first fixed release available is 17.9.4a, with further updates to be rolled out on dates not yet disclosed.

RECOMMENDATION:

• Update the affected product to the latest available version/patch level.
• Disable the web UI on affected products if it is not required.
• Disable the HTTP server feature on all internet-facing systems.
• Do not expose the web UI or other management services to the internet.

---------------------------------------

SUMMARY:

Through the vulnerability, hackers can create an account on the affected device and gain full control of it. Cisco disclosed the vulnerability on the 17th October. The vulnerability was found during the resolution of multiple Cisco Technical Assistance Centre support cases where customers were hacked. The first case was discovered on 28th September. Following an investigation, Cisco researchers said they found activity related to the bug dating back to 18th September.

The attackers also used another vulnerability, CVE-2021-1435, to install an implant on the compromised devices. CVE-2021-1435 is a command injection vulnerability in the web UI of Cisco IOS XE Software that was patched by Cisco in March 2021. However, Cisco Talos observed that some devices that were fully patched against CVE-2021-1435 were still infected by the implant. The implant allows the attackers to execute arbitrary commands as root and communicate with a command-and-control server.

SEVERITY:

CVSS score 10

ANALYST ASSESSMENT:

The vulnerability carries the highest possible severity CVSS score of 10, as it can grant an attacker full administrator privileges, allowing them to effectively take full control of the affected router and enabling subsequent unauthorised activity.

It is assessed as highly likely that the same threat actor is behind both clusters of activity exploiting this vulnerability. This is because the two attacks appeared close together, with the September activity leading into the October activity. It is likely the first cluster was the actor's initial attempt at testing their code, while the October activity was likely the actor expanding their operation to include establishing persistent access via deployment of the implant.


ISSUE CORRECTION: 

Cisco has not released a software patch, or workaround, for CVE-2023-20198, but has provided some recommendations to narrow the attack vector until a patch is available. These include:

1. Disabling the web UI feature if it is not needed.
2. Applying access control lists (ACLs) to restrict access to the web UI feature.
3. Using firewall rules to block access to the web UI feature from untrusted sources.
4. Monitoring network logs for any suspicious activity.
5. As always, in cases like this where no patch is yet available, administrators need detailed visibility of their systems.
6. Users of products with the software should be on the lookout for 'unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat.'
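The RECOMMENDATION and ISSUE CORRECTION lists above both come down to three checks an administrator can run against a saved running-config: is the web UI (HTTP server feature) enabled, is it restricted by an access-class ACL, and are there local users nobody created. The following script is an added example written for this advisory, not Cisco's or SecurityHQ's code; the config excerpt, hostname and account names are constructed, and the 'ip http server', 'ip http secure-server' and 'ip http access-class' lines are the IOS XE CLI forms it recognises.

```python
import re

# Constructed "show running-config" excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc-backup secret 9 $9$placeholder
username tmpadmin privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
"""

# Constructed baseline of local accounts the operator expects to exist.
KNOWN_USERS = {"netadmin", "svc-backup"}

def parse_config(text):
    """Return (users -> privilege level, web UI state) from running-config text."""
    users = {}
    http = {"server": False, "secure": False, "access_class": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
        if m:
            users[m.group(1)] = int(m.group(2) or 1)  # IOS default is level 1
        elif line == "ip http server":
            http["server"] = True
        elif line == "ip http secure-server":
            http["secure"] = True
        else:
            m = re.match(r"ip http access-class (?:ipv4 )?(\S+)", line)
            if m:
                http["access_class"] = m.group(1)
    return users, http

def assess(text, known_users):
    """List the conditions the advisory tells administrators to look for."""
    users, http = parse_config(text)
    findings = []
    if http["server"] or http["secure"]:
        findings.append("web UI (HTTP server feature) is enabled")
        if http["access_class"] is None:
            findings.append("web UI is not restricted by an 'ip http access-class' ACL")
    for name, priv in sorted(users.items()):
        if name not in known_users:
            findings.append(f"unexpected local user '{name}' at privilege {priv}")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG, KNOWN_USERS):
        print("FINDING:", finding)
```

Run it over each device's exported configuration with that device's own account baseline; an empty result means the web UI is off (or ACL-restricted) and no unexpected users are present.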

CAVEAT:

This is based on current, limited knowledge, which should be further investigated and checked before being applied to your systems.

SOURCES:

Cisco: Hackers targeting zero-day found in internet-exposed routers (therecord.media)

CVE-2023-20198 : Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Softwa (cvedetails.com)

Cisco Releases Security Advisory for IOS XE Software Web UI | CISA

------------------------

ANNEX 1:

The Probability Yardstick

To quantify language, we use the Probability Yardstick, from the Professional Head of Intelligence Assessment. It is a tool used by the UK Government to standardise the way we describe probability and has been used to ensure consistency across the different thematic areas and threats when providing assessments on how likely something is to occur. The yardstick is included for clarity.


Source Evaluation:

We also assess our sources using the matrix below, but rarely disclose a source, to protect its integrity. We assess sources on how reliable they are and how they accessed the intelligence, and we then decide if this intelligence can be shared. The table shown illustrates this.

Confidence Levels:

High Confidence

High confidence generally indicates judgements based on high-quality information, and/or the nature of the issue makes it possible to render a solid judgment. A “high confidence” judgment is not a fact or a certainty, however, and still carries a risk of being wrong.

Moderate Confidence

Moderate confidence generally means credibly sourced and plausible information, but not of sufficient quality or corroboration to warrant a higher level of confidence.

Low Confidence

Low confidence generally means questionable or implausible information was used, the information is too fragmented or poorly corroborated to make solid analytic inferences, or significant concerns or problems with sources existed.


If you have any questions relating to the above, please reach out to your dedicated Bytes Account Manager, or email [email protected] / [email protected].
