
ESB-2023.6043.2 – UPDATED ALERT [Cisco] Cisco iOS XE Software: CVSS (Max): 10.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2023.6043.2
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
31 October 2023

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Cisco iOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Mitigation
CVE Names: CVE-2023-20198

Original Bulletin:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Comment: CVSS (Max): 10.0 CVE-2023-20198 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following are listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog:
CISA KEV CVE(s): CVE-2023-20198
CISA KEV URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Revision History: October 31 2023: Updated summary to indicate additional fixed releases and updated fixed release table
October 17 2023: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature

Priority: Critical
Advisory ID: cisco-sa-iosxe-webui-privesc-j22SaA4z
First Published: 2023 October 16 15:00 GMT
Last Updated: 2023 October 30 13:14 GMT
Version 2.4: Interim
Workarounds: No workarounds available
Cisco Bug IDs: CSCwh87343
CVE Names: CVE-2023-20198 CVE-2023-20273

Summary

o Cisco is providing an update for the ongoing investigation into observed
exploitation of the web UI feature in Cisco IOS XE Software. We are
updating the list of fixed releases.

Cisco will update the advisory as additional releases post to Cisco
Software Download Center. Fix information can be found in the Fixed
Software section of this advisory.

Our investigation has determined that the actors exploited two previously
unknown issues.

The attacker first exploited CVE-2023-20198 to gain initial access and
issued a privilege 15 command to create a local user and password
combination. This allowed the user to log in with normal user access.

The attacker then exploited another component of the web UI feature,
leveraging the new local user to elevate privilege to root and write the
implant to the file system. Cisco has assigned CVE-2023-20273 to this
issue.

CVE-2023-20198 has been assigned a CVSS Score of 10.0.
CVE-2023-20273 has been assigned a CVSS Score of 7.2.

Both of these CVEs are being tracked by CSCwh87343.

For steps to close the attack vector for these vulnerabilities, see the
Recommendations section of this advisory.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Affected Products

o Vulnerable Products

These vulnerabilities affect Cisco IOS XE Software if the web UI feature is
enabled. The web UI feature is enabled through the ip http server or ip
http secure-server commands.

Determine the HTTP Server Configuration

To determine whether the HTTP Server feature is enabled for a system, log
in to the system and use the show running-config | include ip http server|
secure|active command in the CLI to check for the presence of the ip http
server command or the ip http secure-server command in the global
configuration. If either command is present, the HTTP Server feature is
enabled for the system.

The following example shows the output of the show running-config | include
ip http server|secure|active command for a system that has the HTTP Server
feature enabled:

Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server

Note: The presence of either command or both commands in the system
configuration indicates that the web UI feature is enabled.

If the ip http server command is present and the configuration also
contains ip http active-session-modules none, these vulnerabilities are
not exploitable over HTTP.

If the ip http secure-server command is present and the configuration also
contains ip http secure-active-session-modules none, these vulnerabilities
are not exploitable over HTTPS.

Products Confirmed Not Vulnerable

Cisco has confirmed that these vulnerabilities do not affect the following
Cisco products:

Adaptive Security Appliance (ASA) Software
Firepower Threat Defense (FTD) Software
IOS Software
IOS XE Software prior to Release 16
NX-OS Software

Details

o The web UI is an embedded GUI-based system-management tool that provides
the ability to provision the system, to simplify system deployment and
manageability, and to enhance the user experience. It comes with the
default image, so there is no need to enable anything or install any
license on the system. The web UI can be used to build configurations as
well as to monitor and troubleshoot the system without CLI expertise.

Indicators of Compromise

o To determine whether a system may have been compromised, perform the
following checks:

Check the system logs for the presence of any of the following log messages,
where user could be cisco_tac_admin, cisco_support, or any configured local
user that is unknown to the network administrator:

%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

Note: The %SYS-5-CONFIG_P message will be present for each instance that a
user has accessed the web UI. The indicator to look for is new or unknown
usernames present in the message.

Check the system logs for the following message where filename is an
unknown filename that does not correlate with an expected file installation
action:

%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
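The three log messages above are the ones to hunt for across a fleet, and the signal in each is an account or filename the administrator does not recognise rather than the message itself. The following Python script is an added example, not part of the Cisco advisory or AusCERT bulletin: its regular expressions follow the three message formats quoted above, while the allowlists (KNOWN_USERS, EXPECTED_FILES) and the sample log lines are constructed here for the demonstration.

```python
"""Scan Cisco IOS XE syslog lines for the web UI indicators of compromise
quoted in the advisory (CVE-2023-20198 / CVE-2023-20273).

Added example. The regexes follow the three message formats quoted in the
advisory; the allowlists and sample lines are constructed for this demo.
"""
import re

# Account names the advisory explicitly lists as attacker-created.
ADVISORY_SUSPECT_USERS = {"cisco_tac_admin", "cisco_support"}

# Message formats quoted in the advisory, with the placeholders (user,
# source address, filename) captured for comparison against allowlists.
CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) "
    r"from console as (?P<user>\S+) on line"
)
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]"
)
INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: ADD (?P<file>\S+)"
)


def is_unknown(user, known_users):
    """True for the advisory's named accounts and for any account that is not
    on the administrator's own list of configured local users."""
    return user in ADVISORY_SUSPECT_USERS or user not in known_users


def scan_logs(lines, known_users, expected_files):
    """Return a list of (reason, line) findings.

    known_users: local accounts the administrator actually created.
    expected_files: filenames of install operations the administrator performed.
    Every web UI session produces a %SYS-5-CONFIG_P line, so the signal is an
    unknown username, not the presence of the message itself.
    """
    findings = []
    for line in lines:
        if m := CONFIG_P.search(line):
            if m.group("proc") == "SEP_webui_wsma_http" and is_unknown(m.group("user"), known_users):
                findings.append((f"web UI configuration by unknown user {m.group('user')!r}", line))
        elif m := WEBLOGIN.search(line):
            if is_unknown(m.group("user"), known_users):
                findings.append((f"web UI login by unknown user {m.group('user')!r} from {m.group('src')}", line))
        elif m := INSTALL.search(line):
            user, fname = m.group("user"), m.group("file")
            if is_unknown(user, known_users) or fname not in expected_files:
                findings.append((f"unexpected install of {fname!r} by {user!r}", line))
    return findings


# Constructed sample input modelled on the advisory's message formats; the
# usernames, addresses, timestamps and filenames are invented for this demo.
SAMPLE_LOGS = [
    "%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on line 3",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 192.168.0.25] at 09:12:40 UTC Tue Oct 10 2023",
    "%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line 2",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 203.0.113.7] at 03:42:13 UTC Wed Oct 11 2023",
    "%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD unexpected_pkg.bin",
    "%WEBUI-6-INSTALL_OPERATION_INFO: User: netops, Install Operation: ADD planned_upgrade_image.bin",
]
KNOWN_USERS = {"netops"}                      # constructed allowlist
EXPECTED_FILES = {"planned_upgrade_image.bin"}  # constructed allowlist

if __name__ == "__main__":
    for reason, line in scan_logs(SAMPLE_LOGS, KNOWN_USERS, EXPECTED_FILES):
        print(f"[IoC] {reason}\n      {line}")
```

Feed it the syslog export from a device (or the output of show logging) together with the list of local users you actually configured; the two lines for the netops account are not reported, which is the point of the allowlist: a %SYS-5-CONFIG_P line from SEP_webui_wsma_http appears for every legitimate web UI session too.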

Cisco Talos has provided the following command to check for the presence of
the implant where systemip is the IP address of the system to check. This
command should be issued from a workstation with access to the system in
question:

curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"

If the request returns a hexadecimal string such as 0123456789abcdef01, the
implant is present.

Note: The above command should be entered as a single command line.

Note: If the system is configured for HTTP access only, use the HTTP scheme
in the command example.

The following Snort rule IDs are also available to detect exploitation:

3:50118 - alerts for initial implant injection (CVE-2023-20273)
3:62527 - alerts for implant interaction
3:62528 - alerts for implant interaction
3:62529 - alerts for implant interaction
3:62541 - alerts on attempted exploitation for initial access (CVE-2023-20198)
3:62542 - alerts on attempted exploitation for initial access (CVE-2023-20198)

Workarounds

o There are no workarounds that address these vulnerabilities.

Disabling the HTTP Server feature eliminates the attack vector for these
vulnerabilities and may be a suitable mitigation until affected devices can
be upgraded. Administrators can disable the HTTP Server feature by using
the no ip http server or no ip http secure-server command in global
configuration mode. If both http server and http-secure server are in use,
then both commands are required to disable the HTTP Server feature.

Limiting access to the HTTP Server to trusted networks will limit exposure
to these vulnerabilities. The following example shows how to allow remote
access to the HTTP Server from the trusted 192.168.0.0/24 network:

!
ip http access-class 75
ip http secure-server
!
access-list 75 permit 192.168.0.0 0.0.0.255
access-list 75 deny any
!

Note: To apply the access list in newer versions of Cisco IOS XE Software,
use the ip http access-class ipv4 75 command for the previous example. See
Filter Traffic Destined to Cisco IOS XE Devices WebUI Using an Access List
for additional information.

While this mitigation has been deployed and was proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.

Fixed Software

o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.

Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.

The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.

When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.

In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.

Fixed Releases

Customers are advised to upgrade to an appropriate fixed software release
as indicated in the following table:

+-------------------------------------+---------------------+-----------+
| Cisco IOS XE Software Release Train | First Fixed Release | Available |
+-------------------------------------+---------------------+-----------+
| 17.9                                | 17.9.4a             | Yes       |
| 17.6                                | 17.6.6a             | Yes       |
| 17.3                                | 17.3.8a             | TBD       |
| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a           | Yes       |
+-------------------------------------+---------------------+-----------+

The SMUs in the following table address Cisco Bug ID CSCwh87343:

+-------------------------------------+--------------+---------------+
| Cisco IOS XE Software Release Train | Base Release | SMU Available |
+-------------------------------------+--------------+---------------+
| 17.9                                | 17.9.4       | Yes           |
| 17.6                                | 17.6.5       | Yes           |
+-------------------------------------+--------------+---------------+

For detailed platform release information, see Software Fix Availability
for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability -
CVE-2023-20198.

The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.

Recommendations

o Cisco strongly recommends that customers disable the HTTP Server feature on
all internet-facing systems or restrict its access to trusted source
addresses. To disable the HTTP Server feature, use the no ip http server or
no ip http secure-server command in global configuration mode. If both the
HTTP server and HTTPS server are in use, both commands are required to
disable the HTTP Server feature.

The following decision tree can be used to help determine how to triage an
environment and deploy protections:

Are you running IOS XE?
    No. The system is not vulnerable. No further action is necessary.
    Yes. Is ip http server or ip http secure-server configured?
        No. The vulnerabilities are not exploitable. No further action
            is necessary.
        Yes. Do you run services that require HTTP/HTTPS communication
             (for example, eWLC)?
            No. Disable the HTTP Server feature.
            Yes. If possible, restrict access to those services to
                 trusted networks.

We assess with high confidence, based on further understanding of the
exploit, that access lists applied to the HTTP Server feature to restrict
access from untrusted hosts and networks are an effective mitigation.
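The decision tree above, the "Determine the HTTP Server Configuration" checks (including the active-session-modules none exception) and the access-class mitigation all reduce to questions about a device's running configuration, so they can be evaluated in bulk over exported configs. The following Python script is an added example, not Cisco's code or part of the AusCERT bulletin: the verdict names (webui_disabled, not_exploitable, restricted_by_acl, exposed) and the four sample configurations are constructed here, and the commands it looks for are the ones the advisory names. It is a textual check only: it reports the entries of a numbered standard access list so an operator can review them, but does not judge whether that list is tight enough, does not parse named access lists, and cannot answer the decision tree's last question (whether a service such as eWLC needs HTTP/HTTPS), which remains the operator's call.

```python
"""Audit a Cisco IOS XE running-config for web UI exposure to
CVE-2023-20198 / CVE-2023-20273 and map it onto the advisory's decision tree.

Added example, not Cisco's code: verdict names and sample configurations are
constructed here; the commands it looks for are the ones named in the advisory.
"""
import re

# 'ip http access-class 75' on older releases, 'ip http access-class ipv4 75'
# on newer ones, as the advisory's note explains.
ACCESS_CLASS = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")
# Numbered standard ACL entries, e.g. 'access-list 75 permit 192.168.0.0 0.0.0.255'.
NUMBERED_ACL = re.compile(r"^access-list (\S+) (?:permit|deny) .+$")


def audit_webui(running_config: str) -> dict:
    """Classify one device configuration (the text of 'show running-config').

    Verdicts (constructed names for the decision-tree branches):
      webui_disabled     neither ip http server nor ip http secure-server is present
      not_exploitable    every enabled transport also has active-session-modules none
      restricted_by_acl  an exposed transport exists, but ip http access-class is applied
      exposed            an exposed transport exists with no access-class
    """
    lines = [ln.strip() for ln in running_config.splitlines()]
    http = "ip http server" in lines            # 'no ip http server' does not match
    https = "ip http secure-server" in lines
    http_neutralized = "ip http active-session-modules none" in lines
    https_neutralized = "ip http secure-active-session-modules none" in lines

    # Transports over which the vulnerabilities remain reachable.
    exposed = []
    if http and not http_neutralized:
        exposed.append("http")
    if https and not https_neutralized:
        exposed.append("https")

    # Access list applied to the HTTP server, plus its entries for review.
    acl = None
    for ln in lines:
        if m := ACCESS_CLASS.match(ln):
            acl = m.group(1)
    acl_entries = []
    if acl:
        for ln in lines:
            m = NUMBERED_ACL.match(ln)
            if m and m.group(1) == acl:
                acl_entries.append(ln)

    if not (http or https):
        verdict = "webui_disabled"
    elif not exposed:
        verdict = "not_exploitable"
    elif acl:
        verdict = "restricted_by_acl"
    else:
        verdict = "exposed"

    # Actions follow the advisory's Workarounds and Recommendations sections.
    actions = []
    if verdict == "exposed":
        actions += [f"no ip http {'secure-' if t == 'https' else ''}server" for t in exposed]
        actions.append("or restrict with ip http access-class <acl> limited to trusted networks")
        actions.append("copy running-configuration startup-configuration")
    if verdict in ("exposed", "restricted_by_acl"):
        actions.append("review the access list entries and upgrade to a fixed release")

    return {"http": http, "https": https, "exposed_transports": exposed,
            "access_class": acl, "acl_entries": acl_entries,
            "verdict": verdict, "actions": actions}


# Constructed sample configurations (hostnames invented for this demo).
EXPOSED_CFG = "hostname edge-rtr-1\n!\nip http server\nip http secure-server\n!\n"
RESTRICTED_CFG = (  # the advisory's own access-list example
    "hostname edge-rtr-2\n!\nip http access-class 75\nip http secure-server\n!\n"
    "access-list 75 permit 192.168.0.0 0.0.0.255\naccess-list 75 deny any\n!\n"
)
SESSIONS_NONE_CFG = "hostname edge-rtr-3\n!\nip http server\nip http active-session-modules none\n!\n"
OFF_CFG = "hostname edge-rtr-4\n!\nno ip http server\nno ip http secure-server\n!\n"

if __name__ == "__main__":
    for name, cfg in [("edge-rtr-1", EXPOSED_CFG), ("edge-rtr-2", RESTRICTED_CFG),
                      ("edge-rtr-3", SESSIONS_NONE_CFG), ("edge-rtr-4", OFF_CFG)]:
        result = audit_webui(cfg)
        print(f"{name}: {result['verdict']} exposed={result['exposed_transports']} "
              f"acl={result['access_class']} actions={result['actions']}")
```

Run it over a directory of backed-up configurations to get a first-pass triage list; anything reported as exposed is the set to disable or fence first, and anything reported as restricted_by_acl still needs a human look at the printed access list entries before it is treated as mitigated.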

When implementing access controls for these services, as per the
mitigations provided, be sure to review the controls because there is the
potential for an interruption in production services. If you are unsure of
these steps, work with your support organization to determine appropriate
control measures.

After implementing any changes, use the copy running-configuration
startup-configuration command to save the running-configuration. This will
ensure that the changes are not reverted in the event of a system reload.

For additional information on the impact of disabling the HTTP Server
feature, see Cisco TAC Technical FAQs for Cisco IOS XE Software Web UI
Privilege Escalation Vulnerability - CVE-2023-20198.

Exploitation and Public Announcements

o Cisco is aware of active exploitation of these vulnerabilities.

Source

o These vulnerabilities were found during the resolution of multiple Cisco
TAC support cases.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

o Subscribe

Related to This Advisory

o

URL

o https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Revision History

o +---------+---------------------+-----------------+---------+-------------+
| Version | Description         | Section         | Status  | Date        |
+---------+---------------------+-----------------+---------+-------------+
|         | Updated summary to  |                 |         |             |
|         | indicate additional | Summary, Fixed  |         |             |
| 2.4     | fixed releases and  | Software        | Interim | 2023-OCT-30 |
|         | updated fixed       |                 |         |             |
|         | release table.      |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+
|         | Updated summary to  |                 |         |             |
|         | indicate additional |                 |         |             |
|         | fixed releases.     |                 |         |             |
|         | Updated fixed       | Summary, Fixed  |         |             |
| 2.3     | release table and   | Software,       | Interim | 2023-OCT-27 |
|         | SMU table. Updated  | Recommendations |         |             |
|         | recommendations to  |                 |         |             |
|         | add link to         |                 |         |             |
|         | technical FAQ.      |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+
|         | Updated summary to  |                 |         |             |
|         | indicate the change |                 |         |             |
|         | in products         | Summary,        |         |             |
|         | confirmed not       | Affected        |         |             |
| 2.2     | vulnerable. Updated | Products, Fixed | Interim | 2023-OCT-26 |
|         | list of products    | Software        |         |             |
|         | confirmed not       |                 |         |             |
|         | vulnerable. Updated |                 |         |             |
|         | SMU table content.  |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+
|         | Updated summary to  |                 |         |             |
|         | indicate SMU        |                 |         |             |
| 2.1     | availability.       | Summary, Fixed  | Interim | 2023-OCT-26 |
|         | Updated fixed       | Software        |         |             |
|         | software with SMU   |                 |         |             |
|         | availability table. |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+
|         | Updated summary to  |                 |         |             |
|         | indicate enhanced   |                 |         |             |
|         | detection is        | Summary,        |         |             |
| 2.0     | available. Updated  | Indicators of   | Interim | 2023-OCT-23 |
|         | indicators of       | Compromise      |         |             |
|         | compromise with     |                 |         |             |
|         | enhanced detection  |                 |         |             |
|         | command.            |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+
|         | Updated summary to  |                 |         |             |
|         | indicate the first  |                 |         |             |
|         | fixes are           | Summary, Fixed  |         |             |
| 1.4     | available. Added    | Software        | Interim | 2023-OCT-22 |
|         | specific fixed      |                 |         |             |
|         | release             |                 |         |             |
|         | information.        |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+
|         |                     | Summary,        |         |             |
|         | Added               | Affected        |         |             |
|         | CVE-2023-20273.     | Products,       |         |             |
|         | Added information   | Details,        |         |             |
| 1.3     | about observed      | Indicators of   | Interim | 2023-OCT-20 |
|         | attacks. Added      | Compromise,     |         |             |
|         | mitigation. Updated | Workarounds,    |         |             |
|         | Snort rule IDs.     | and             |         |             |
|         |                     | Recommendations |         |             |
+---------+---------------------+-----------------+---------+-------------+
| 1.2     | Added access list   | Recommendations | Interim | 2023-OCT-17 |
|         | mitigation.         |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+
| 1.1     | Added triage        | Recommendations | Interim | 2023-OCT-16 |
|         | decision tree.      |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+
| 1.0     | Initial public      | -               | Interim | 2023-OCT-16 |
|         | release.            |                 |         |             |
+---------+---------------------+-----------------+---------+-------------+

Legal Disclaimer

o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO
UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZUBQrckNZI30y1K9AQgNjw/9E0pslS2sPnIRv2L7YXvyrqiEo7SnuEaB
0ad/43XhE/bDDMFR+WDegE2vpmZ7L0+l1tC7eKhybWlEh/qBMQWCHGh36F8Y0pOX
96h5zjuua/IK1ur91I8AP+DFNniv+ZtYBAxo6wIWHDuVB0KzrB5IsbwKd+yDqRyc
cDHDTdNPl7o0ETtAYcfSBd4y1Uipehh+UxWVoqvY4d6zQclNzuzFmD9jX9Cd1rfu
GAxVNomTcpW8VWdYkW26/pT4aRKYWD16m7BHauvFYddemd25nwfNdtJH0Qo4NNt/
kW838empcwApxaDPU7fH+odTbQ3OsAPvaUASdN3nD036qd4aBhcxDd6IcLzYOdMl
tcTxKAwyK2MvUbL+OO/7LierRukL9J5QGp10/Uvtlnhfxi9OF9zA5SShH0aJ7tKb
yiO6l4d0Xj9StdA2eJFx7CdsAFtjhoWXu+o1GmeUjAoIZd+WyZU685vbCB4sXtDI
UxZ8d9amXfRPlDc2VYm+Tg1UDCj2r3bNNxIrmbzad1mA4JEQwhPqNXXc2QuxZb2U
vg//NlofYBthAw2t+5he9lj8/q46T9T/8gsvPecLsCy12F/rF7Z1Srg9t6k3aGvP
AfxHAeUmu6fYhmU7civTsc9xIH6xSqwJiOTrQj97cq924UhKP3p0QCgcOYcxyhZK
tPUOCAMSq9o=
=CG/6
-----END PGP SIGNATURE-----