CVE-2023-20198 – Cisco IOS Web UI Vulnerability

What Happened?

Cisco has published a security advisory tracking the active exploitation of a new zero-day vulnerability in the Cisco IOS Web UI. This flaw affects all versions of Cisco IOS with the HTTP Server feature enabled. It allows an external, unauthenticated attacker to create a new administrative user account with full administrative privileges (level 15 access). Cisco has reported that they have tracked attacks taking advantage of this vulnerability going back to at least September 18, 2023. 

How Bad is This?

The ease of exploitation and scope of this attack have earned this vulnerability a CVSS score of 10, which is the highest severity. Networking devices that are susceptible to this issue include switches, routers, and wireless LAN controllers that utilize Cisco IOS XE and that have the HTTP or HTTPS server enabled and open to the public internet. Once exploited, attackers have full access to the device and can perform any actions a fully-authenticated administrator can. This kind of access has the potential to allow an attacker to perform reconnaissance on network traffic, pivot into internal networks, and perform man-in-the-middle attacks which may also lead to compromised domain user credentials. The most common follow-on activity observed by Cisco has been the deployment of an implant that allows remote execution of malicious commands at the system or IOS level. 

What Should I Do?

Considering the CVSS score of this vulnerability and potential impact it may have on an environment, Cisco urges organizations with Cisco IOS Web UI devices exposed to the internet to immediately implement the guidance outlined in their PSIRT advisory. At this moment, there are no known workarounds nor system updates to apply to patch this vulnerability.

Cisco recommends that you take the following steps:

1. Disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, then you must use both commands to disable the HTTP Server feature.
2. If HTTP Server features cannot be disabled, Cisco recommends that you apply access lists to the HTTP Server feature to restrict access from untrusted hosts and networks. They have found this to be an effective mitigation strategy.
3. If an implant is confirmed to have been installed, you can reboot the affected device to sever that connection; however, if the attacker still has access to their created account, they can always access the device again and re-implement the implant.

How do I determine whether the HTTP Server feature is enabled? 

To determine whether the HTTP Server feature is enabled for a device, access the command line interface and run the following command:

show running-config | include ip http server | secure | active

If ip http server or ip http secure-server is returned, then the HTTP Server feature is enabled.

Look for indicators of compromise

If the HTTP Server feature was enabled on one of your devices, look for the following indicators of compromise:

• Any activity from the following IP addresses:
  • 5.149.249[.]74
  • 154.53.56[.]231
• Any unrecognized or unexplainable new local users created on the affected device.
  Note: cisco_tac_admin, cisco_support have been observed in confirmed exploitations.
• Any logins or configuration changes made by any unrecognized accounts. You can narrow down your search by reviewing %SYS-5-CONFIG_P message logs. These will be present for each instance that a user has accessed the web UI.
• Check the system logs for the following message where “filename” is an unknown filename that does not correlate with an expected file installation action:
  %WEBUI-6-INSTALL_OPERATION_INFO: User:username,vInstall Operation: ADD filename
• Check systems for implants using the following commands, where “systemip” is the IP address of the Cisco device to check, including:
  • Systems configured to use HTTPS:
    curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
  • Systems configured to use HTTP:
    curl -k -X POST "http://systemip/webui/logoutconfirm.html?logon_hash=1"

  As indicated by Cisco, if the request returns a hexadecimal string, the implant is present.

  How Blumira Can Help

  It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira is actively working on a detection for QueueJumper for its customers.

  Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

  Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.