CVE-2023-20198: The menace of a security device

Oct 18, 2023
James McGill

Imagine that your firewall is itself a point of entry for hackers. You no longer need to imagine it: this is a chilling reality of today's complex digital world. The device that is meant to protect your company, and that holds unchecked authority over your entire network, can now be compromised by outside actors.

The Cisco IOS XE Software Web UI Privilege Escalation Vulnerability is a critical issue with a CVSS score of 10.0. It's actively exploited, allowing unauthenticated remote attackers to create privileged accounts and gain control over affected systems. There are no available workarounds, but Cisco recommends disabling the HTTP Server feature on internet-facing systems to mitigate the risk.

On October 16, 2023, Cisco became aware of active exploitation of this previously unknown vulnerability, which can be exploited when the system is exposed to untrusted networks or the internet. The flaw allows remote, unauthenticated attackers to create an account with privilege level 15 access on the affected system, thereby gaining full control.

The vulnerability comes into play if the Web UI feature is enabled, which is done through certain commands. Once enabled, the system is left wide open for exploitation unless certain configurations are in place to neutralize the threat.

Despite the grave danger it poses, there are no workarounds to address this vulnerability. However, Cisco has advised customers to disable the HTTP Server feature on all internet-facing systems as a preventive measure.

Examining system logs for unfamiliar usernames or unknown filenames, alongside monitoring for specific log messages, can serve as indicators of compromise. Moreover, Cisco Talos provides commands to check for the presence of an implant which is a residue of exploitation.

Exploitation Steps

Attackers initiate an HTTP POST request to the target device with Lua code containing three functions that allow the attackers to execute arbitrary code on the IOS device.

  1. The first function, dictated by the “menu” parameter, returns a string of numbers, potentially representing the implant's version or installation date.

  2. The second function, controlled by the “logon_hash” parameter set to “1,” returns an 18-character hexadecimal string hardcoded into the implant.

  3. The third function, also dictated by the “logon_hash” parameter, checks for a match with a 40-character hexadecimal string hardcoded into the implant.

The “common_type” parameter, set to either “subsystem” or “iox,” determines the execution level—system or IOS—of the code.

CVE Details

CVE-2023-20198 involves a severe flaw in the Web UI feature of Cisco IOS XE Software. When exposed to untrusted networks or the internet, it permits a remote, unauthenticated attacker to create a privileged account, thus gaining control over the system.

Remediation Steps

Cisco recommends disabling the HTTP Server feature on internet-facing systems to mitigate the risk. Specifically, execute the

    no ip http server

or

    no ip http secure-server

command in global configuration mode. If both HTTP and HTTPS servers are in use, both commands are required to disable the HTTP Server feature.
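A defender's check for the two points made above, the enabled HTTP/HTTPS server and unfamiliar privilege level 15 accounts, follows as an added example; it is not code from Cisco, Talos or the original post. The function name `audit_config`, the `known_admins` allowlist and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample of saved `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed
username svc_tmp01 privilege 15 secret 9 $9$constructed
username readonly privilege 1 secret 9 $9$constructed
!
no ip http server
ip http secure-server
!
"""

# Matches the HTTP Server feature commands named above, with or without `no`.
HTTP_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$")
# Captures the name of any local account configured with privilege level 15.
USER_RE = re.compile(r"^username\s+(\S+)\s+(?:.*\s)?privilege\s+15\b")


def audit_config(config_text, known_admins):
    """Report Web UI exposure and unrecognised privilege-15 accounts."""
    state = {"server": False, "secure-server": False}
    unknown = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            # The `no` form disables the feature; the last matching line wins.
            state[m.group(2)] = m.group(1) is None
            continue
        m = USER_RE.match(line)
        if m and m.group(1) not in known_admins:
            unknown.append(m.group(1))
    return {
        "http_enabled": state["server"],
        "https_enabled": state["secure-server"],
        "web_ui_enabled": state["server"] or state["secure-server"],
        "unknown_priv15_users": unknown,
    }


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, known_admins={"netops"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed sample only the HTTP server was disabled, so the Web UI is still reported as enabled over HTTPS, which is the case the last sentence of the remediation text covers.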

Sources

Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability (talosintelligence.com)

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
