Date: 16-10-2023

On Monday 16 October 2023, Cisco warned of a zero-day authentication bypass vulnerability, rated critical by Cisco, in the web UI of Cisco IOS XE Software. The vulnerability affects a wide range of products and allows a remote, unauthenticated actor to create an account with full administrative rights (privilege level 15) on a vulnerable device, which can then be used to take control of that device. [1] Only devices running Cisco IOS XE Software on which the web UI feature is enabled are affected.

We recommend disabling the vulnerable web UI feature on all affected devices until Cisco releases a patch for this vulnerability.

Description

The vulnerability, tracked as CVE-2023-20198 [1], is an authentication bypass in the web UI feature of Cisco IOS XE. Cisco IOS XE is the network operating system used in a wide range of Cisco networking devices, including routers, switches and wireless controllers. [2] The vulnerability only concerns Cisco IOS XE devices on which the web UI feature is enabled. The product families that run Cisco IOS XE, and are therefore potentially affected when the web UI is enabled, are as follows [3]:

Enterprise switches

  • Catalyst 9000 family

Wireless controllers

  • Catalyst 9800 Series

Access points

  • Catalyst 9100 Series

Aggregation routers

  • ASR 1000 Series

  • ASR 900 Series

  • NCS 4200 Series

Branch routers

  • Catalyst 8000 Edge Platforms

  • ISR 4000 Series

  • ISR 1000 Series

Industrial routers

  • IR1100 Rugged Series

  • IR1800 Rugged Series

  • IR8100 Heavy Duty Series

  • IR8300 Rugged Series

Virtual Routing

  • Catalyst 8000V Edge

  • CSR1000v

Converged broadband routers

  • CBR Series

 

Impact

We determine the impact of this vulnerability to be HIGH.

The vulnerability permits a remote, unauthenticated attacker to create an unauthorised local account with privilege level 15 on the targeted device. With that account the attacker has full control over the device and can, for example, alter or disable security controls such as firewall rules or network segmentation, intercept or redirect traffic, or install additional software on the device. This in turn could lead to severe consequences such as the exfiltration of sensitive data and the deployment of ransomware on the networks behind the device.

Risk

We determine the risk of this vulnerability to be HIGH, due to the widespread use of Cisco IOS XE and the ease of exploitation whenever the web UI feature is enabled and reachable by the attacker. The primary risks are privilege escalation, unauthorised access to your environment and the exfiltration of sensitive data.

At the time of writing, active exploitation of CVE-2023-20198 (Web UI Privilege Escalation Vulnerability) has been observed by Cisco. [4]

 

Mitigation

At the time of writing, Cisco has not released a patch that addresses this vulnerability. Northwave recommends that users of products running Cisco IOS XE disable the HTTP Server feature, which provides the web UI.

To disable the vulnerable HTTP Server feature, use the following commands in global configuration mode:

no ip http server
no ip http secure-server

If both the HTTP and the HTTPS server are enabled, both commands are required to disable the feature.

We also recommend saving the running configuration to the startup configuration afterwards (copy running-config startup-config), so that the change survives a reload of the device.

 

What should you do

We recommend that customers using the products listed above disable the HTTP Server feature as soon as possible. If you run critical services that strictly require the web UI over HTTP/HTTPS, restrict access to it to trusted management networks only, for example with an access list applied to the HTTP server; keep in mind that this reduces the exposure but does not remove the vulnerability.

The following command shows whether the HTTP Server feature is enabled on a device:

show running-config | include ip http server|secure|active
ip http server
ip http secure-server

If either ip http server or ip http secure-server appears in the output, the web UI is enabled. According to Cisco [4], the one exception is when the output also contains ip http active-session-modules none (for HTTP) or ip http secure-active-session-modules none (for HTTPS): the web UI is then not reachable over that protocol and the vulnerability cannot be exploited over it.

If the HTTP Server feature is enabled, disable it as described in the Mitigation section above. Afterwards, follow the instructions shared by Cisco in [4] to check the device for known indicators of compromise.
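The following Python script is an added example, not Cisco's or Northwave's code. It applies the check above to a saved "show running-config" dump (for example one collected over SSH), including the session-module exception from [4], and produces the commands from the Mitigation section for the servers that are actually enabled. The file-based input and the sample configuration are constructed for illustration.

```python
"""
Audit a saved `show running-config` dump of a Cisco IOS XE device for web UI
exposure (CVE-2023-20198) and emit the commands that disable it.

Assumptions (added example, not vendor code): the configuration is available
as text, and the session-module semantics are as described in the Cisco
advisory: `ip http active-session-modules none` makes the web UI unreachable
over HTTP, `ip http secure-active-session-modules none` does so over HTTPS.
"""
import re
from dataclasses import dataclass


@dataclass
class WebUiStatus:
    http_server: bool
    https_server: bool
    http_modules_none: bool
    https_modules_none: bool

    @property
    def exposed_over_http(self):
        return self.http_server and not self.http_modules_none

    @property
    def exposed_over_https(self):
        return self.https_server and not self.https_modules_none

    @property
    def web_ui_exposed(self):
        return self.exposed_over_http or self.exposed_over_https


# Anchored so that a negated line ("no ip http server") does not match.
_RULES = {
    "http_server": re.compile(r"^ip http server\s*$"),
    "https_server": re.compile(r"^ip http secure-server\s*$"),
    "http_modules_none": re.compile(r"^ip http active-session-modules none\s*$"),
    "https_modules_none": re.compile(r"^ip http secure-active-session-modules none\s*$"),
}


def audit_running_config(config_text):
    """Equivalent of `show running-config | include ip http server|secure|active`
    with the session-module exception applied."""
    found = {key: False for key in _RULES}
    for raw in config_text.splitlines():
        line = raw.strip()
        for key, pattern in _RULES.items():
            if pattern.match(line):
                found[key] = True
    return WebUiStatus(**found)


def remediation_commands(status):
    """CLI session that disables every enabled HTTP/HTTPS server and saves the
    configuration so the change survives a reload. Empty list if nothing to do."""
    cmds = []
    if status.http_server:
        cmds.append("no ip http server")
    if status.https_server:
        cmds.append("no ip http secure-server")
    if not cmds:
        return []
    return ["configure terminal", *cmds, "end", "copy running-config startup-config"]


# Constructed sample dump; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
ip http active-session-modules none
"""

if __name__ == "__main__":
    status = audit_running_config(SAMPLE_CONFIG)
    print("web UI exposed over HTTP :", status.exposed_over_http)
    print("web UI exposed over HTTPS:", status.exposed_over_https)
    for cmd in remediation_commands(status):
        print(cmd)
```

In the sample dump the HTTP server is present but neutralised by "ip http active-session-modules none", while the HTTPS server is still exposed; the script nevertheless emits commands for both servers, because the Mitigation section asks for the feature to be disabled entirely. Pushing the command list to devices over SSH (for instance with a library such as netmiko) is left to the operator and is not part of the example.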

Note: The username-based checks in [4] (the cisco_tac_admin and cisco_support accounts observed in the campaign) are not conclusive, because an attacker can choose any username and operate from any IP address; any privilege-15 local account you did not create yourself should be treated as suspicious. A positive result from the implant check in [4], on the other hand, is a strong indication that the device is compromised.
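The following Python module is an added example, not Cisco's or Northwave's tooling. It implements the three indicator checks from [4] so they can be run over collected syslog and configuration data: the two syslog message formats Cisco quoted, local privilege-15 accounts that are not on your own allowlist (with the two known actor account names flagged separately), and the interpretation of the implant probe response. The syslog lines and username lines are constructed to mirror the formats in [4]; the device address used by probe_device() is a placeholder.

```python
"""
Triage helpers for the CVE-2023-20198 indicators of compromise published by
Cisco. Added example; sample data below is constructed, not from a real device.
"""
import re
import ssl
import urllib.error
import urllib.request

# Syslog message formats quoted in the Cisco advisory. <user> is whatever
# local account the attacker created; cisco_tac_admin and cisco_support were
# observed, but any name is possible.
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process "
    r"SEP_webui_wsma_http from console as (?P<user>\S+) on line"
)
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: ADD (?P<file>\S+)"
)
KNOWN_ACTOR_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}
PRIV15_USER_RE = re.compile(r"^username (?P<user>\S+) privilege 15\b")


def scan_syslog(lines):
    """Return (indicator, user, line) for every line matching either format."""
    findings = []
    for line in lines:
        m = CONFIG_P_RE.search(line)
        if m:
            findings.append(("webui_programmatic_config", m.group("user"), line))
            continue
        m = INSTALL_RE.search(line)
        if m:
            findings.append(("webui_install_add", m.group("user"), line))
    return findings


def unexpected_priv15_accounts(config_text, allowlist):
    """Privilege-15 local users not on the administrator's allowlist.
    Known actor names are labelled, but an unknown name is just as suspicious:
    the username check alone never clears a device."""
    flagged = []
    for raw in config_text.splitlines():
        m = PRIV15_USER_RE.match(raw.strip())
        if not m or m.group("user") in allowlist:
            continue
        reason = ("known_actor_account" if m.group("user") in KNOWN_ACTOR_ACCOUNTS
                  else "not_in_allowlist")
        flagged.append((m.group("user"), reason))
    return flagged


def looks_like_implant_response(body):
    """Cisco's check: the implant answers the logoutconfirm POST with a bare
    hexadecimal string (e.g. 0123456789abcdef), whereas a clean device returns
    an HTML page or an error. The minimum length of 8 is an assumption."""
    return re.fullmatch(r"[0-9A-Fa-f]{8,}", body.strip()) is not None


def probe_device(host, timeout=5.0):
    """Equivalent of the advisory's
    curl -k -X POST "https://<host>/webui/logoutconfirm.html?logon_hash=1".
    Certificate verification is disabled like curl -k. Needs network access
    and authorisation to test the device; not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}/webui/logoutconfirm.html?logon_hash=1",
        data=b"", method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return looks_like_implant_response(body)


# Constructed sample data mirroring the formats in the advisory.
SAMPLE_SYSLOG = [
    "Oct 16 09:12:01.221: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as cisco_tac_admin on line",
    "Oct 16 09:12:03.009: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD /usr/binos/conf/nginx-conf/cisco_service.conf",
    "Oct 16 09:15:44.510: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
]
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 9 REDACTED
username cisco_support privilege 15 secret 9 REDACTED
username svc_backup privilege 15 secret 9 REDACTED
username readonly privilege 1 secret 9 REDACTED
"""

if __name__ == "__main__":
    for indicator, user, line in scan_syslog(SAMPLE_SYSLOG):
        print(indicator, user, "|", line)
    print(unexpected_priv15_accounts(SAMPLE_CONFIG, allowlist={"netadmin"}))
    print(looks_like_implant_response("0123456789abcdef"))
```

The ordinary %SYS-5-CONFIG_I line in the sample is deliberately not matched: only configuration changes made through the web UI process (SEP_webui_wsma_http) and web UI install operations are indicators here. Run probe_device() only against devices you own or are authorised to test, and treat a positive result as a reason to start incident response rather than simply to reconfigure the device.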

Northwave also recommends continuously monitoring Cisco's official channels for updates and advisories related to this vulnerability. Cisco is working on a patch to address this issue and is expected to release it in the near future.

 

What will Northwave do?

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.

 

E-mail: soc@northwave.nl

Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

 

Disclaimer applies, see below.

 

Sources

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-20198

[2] https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html

[3] https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html#~products

[4] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

[5] https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/


Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.