Cisco IOS XE Web UI Vulnerability: Critical Advisory & Immediate Mitigation Steps

On October 16th, the Cisco Talos Intelligence group alerted about a previously unknown vulnerability impacting the Web User Interface (Web UI) functionality within Cisco IOS XE software (CVE-2023-20198). This vulnerability poses a risk when the software is exposed to the internet or untrusted networks. Devices, whether physical or virtual, running Cisco IOS XE software and having the HTTP or HTTPS Server feature enabled are susceptible to this issue.

This vulnerability grants malicious actors the ability to take full control of the compromised device, allowing them to establish a level 15 access account endowed with administrative privileges.

Approximately 144,000 devices worldwide were indexed by Shodan with an exposed IOS XE web portal, putting them at increased risk of compromise.

Exposed vulnerable Cisco IOS XE Web UI instances according to Shodan

Background

On September 28, 2023, suspicious activity was detected on a customer device, later reported to Cisco’s Technical Assistance Center (TAC). According to the Talos Blog, investigations revealed this activity dated back to September 18, involving the creation of a dubious local user account named “cisco_tac_admin” from IP address 5.149.249[.]74. This ceased by October 1, showing no further concerning actions. 

On October 12, Talos IR and TAC identified a new cluster of related activity starting on that day. An unauthorized user created another suspect local user account as “cisco_support” from IP address 154.53.56[.]231. 

In contrast to the September incident, this October activity involved additional actions, including implant deployment through a configuration file (“cisco_service.conf”). The configuration file defined a new web server endpoint facilitating interaction with the implant, allowing execution of arbitrary commands at the system or IOS level. Activation required a server restart, which didn’t occur in at least one observed case, preventing the implant from becoming active despite installation.

The implant is stored in the file path “/usr/binos/conf/nginx-conf/cisco_service.conf,” consisting of two variable strings represented in hexadecimal characters. Notably, the implant lacks persistence; a device reboot will eliminate it. However, the local user accounts generated during the breach remain active even after system reboots.

What We Know

Currently, there is no patch available for the vulnerability. However, Cisco has shared comprehensive information regarding indicators of compromise and recommended mitigation strategies for this vulnerability on their blog.

Based on the technical details, running the following command against a device determines whether the implant is present, and therefore whether the infrastructure has been compromised:

curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"

If the request returns a hexadecimal string, the implant is present.

Recommendations

  • Apply the Triage decision flow provided by Cisco to know if your infrastructure is exposed to this vulnerability:
    • Are you running IOS XE?
    • No. The system is not vulnerable. No further action is necessary.
    • Yes. Is the IP http server or IP http secure-server configured?
      • No. The vulnerability is not exploitable. No further action is necessary.
      • Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
        • No. Disable the HTTP Server feature.
        • Yes. If possible, restrict access to those services to trusted networks.
  • If necessary, immediately execute the steps in the technical guide to mitigate the risk of compromise according to the Cisco Blog.
  • Consult the Compromise Indicators guide provided by Cisco to look for possible compromises in your system.
  • Stay alert for new updates on workarounds and updates provided by Cisco to address the issue.
  • If you’re using Lumu, we provide the ability to monitor your network and alert you to any malicious contacts or potential compromise that may arise.
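The implant check and the triage flow above, as an added example (not Cisco's or Lumu's code): a small Python helper that classifies the response body of the logoutconfirm.html POST, reports whether the HTTP/HTTPS server is configured in a running config, and lists privilege-15 local accounts that are not on an operator allowlist. The hostname, the allowlist and the config fragment are constructed assumptions, not data from the advisory.

```python
import re
import ssl
import urllib.request

# Constructed sample config fragment, not captured from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$placeholder1
username cisco_support privilege 15 secret 9 $9$placeholder2
ip http server
ip http secure-server
"""

HEX_BODY = re.compile(r"^[0-9a-fA-F]+$")
HTTP_SERVER = re.compile(r"^ip http (secure-)?server$", re.M)
PRIV15_USER = re.compile(r"^username (\S+) privilege 15\b", re.M)


def implant_present(body: str) -> bool:
    """Per the advisory: a purely hexadecimal response body means the implant answered."""
    return bool(HEX_BODY.match(body.strip()))


def fetch_logout_confirm(host: str, timeout: float = 5.0) -> str:
    """Issue the advisory's POST to one device and return the response body."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # same effect as curl -k (self-signed device certs)
    req = urllib.request.Request(
        f"https://{host}/webui/logoutconfirm.html?logon_hash=1",
        data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


def web_ui_exposed(running_config: str) -> bool:
    """Triage step: is 'ip http server' or 'ip http secure-server' configured?"""
    return HTTP_SERVER.search(running_config) is not None


def unexpected_privileged_users(running_config: str, allowlist) -> list:
    """Privilege-15 local accounts not on the operator's allowlist (e.g. cisco_support)."""
    known = set(allowlist)
    return sorted(u for u in PRIV15_USER.findall(running_config) if u not in known)


if __name__ == "__main__":
    print("web UI exposed:", web_ui_exposed(SAMPLE_CONFIG))
    print("unexpected privilege-15 users:",
          unexpected_privileged_users(SAMPLE_CONFIG, ["netadmin"]))
```

To check a live device, pass `fetch_logout_confirm("<device-ip>")` into `implant_present`; the config functions take the output of `show running-config`.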
