On October 16, 2023, Cisco Talos disclosed a previously unknown vulnerability in the Web User Interface (Web UI) of Cisco IOS XE software, tracked as CVE-2023-20198. The vulnerability is exploitable when the Web UI is reachable from the internet or from untrusted networks. Any device, physical or virtual, that runs Cisco IOS XE and has the HTTP or HTTPS Server feature enabled is affected.
Successful exploitation lets an unauthenticated remote attacker create a local account with privilege level 15, the highest level of administrative access on the device, and thereby take full control of it.
Shodan indexed roughly 144,000 devices worldwide with an exposed IOS XE Web UI, each of them at elevated risk of compromise.
Background
On September 28, 2023, suspicious activity on a customer device was reported to Cisco’s Technical Assistance Center (TAC). According to the Talos blog, the investigation traced the activity back to September 18, when a suspicious local user account named “cisco_tac_admin” was created from IP address 5.149.249[.]74. The activity stopped by October 1, with no further suspicious actions observed.
On October 12, Talos Incident Response and TAC identified a new cluster of related activity that began the same day: an unauthorized user created another suspicious local account, “cisco_support”, from IP address 154.53.56[.]231.
Unlike the September incident, the October activity went further and deployed an implant through a configuration file named “cisco_service.conf”. The file defines a new web server endpoint through which the attacker interacts with the implant and can run arbitrary commands at the system level or the IOS level. The implant only becomes active after the web server is restarted; in at least one observed case that restart never happened, so the implant was installed but never activated.
The implant is stored at “/usr/binos/conf/nginx-conf/cisco_service.conf” and consists of two variable strings made up of hexadecimal characters. It is not persistent: a device reboot removes it. The local user accounts created during the intrusion, however, survive reboots and remain usable until they are removed.
What We Know
At the time of writing there is no patch for the vulnerability. Cisco has, however, published detailed indicators of compromise and recommended mitigations on its blog.
According to the technical details, a single HTTP request to the device (replace systemip with the device’s management address) reveals whether the implant is active:
curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
If the response is a hexadecimal string, the implant is present. Two caveats apply. First, a normal reply (an HTML page or an error) does not prove the device is clean: the rogue accounts persist across reboots, and an implant that was installed but never activated by a web server restart will not answer. Second, Talos later reported an updated implant variant that only responds when the request carries an Authorization header with the value 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb, so check Cisco’s current guidance for the exact command before relying on a negative result.
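The check above, scripted so it can be run across a device list and interpreted consistently. This is an added example, not Cisco’s or Lumu’s code; it assumes a file devices.txt with one management IP or hostname per line, and that the hosts are devices you are authorised to test.

```sh
#!/bin/sh
# Added example (not Cisco's or Lumu's code): run the published implant check
# against a list of devices and interpret the reply consistently.
# Assumptions: devices.txt holds one management IP or hostname per line and
# every host listed is a device you are authorised to test.

# The page states that an active implant answers the logon_hash=1 POST with a
# hexadecimal string, whereas a clean Web UI returns HTML or an error page.
# Returns 0 (true) only when the body, ignoring line endings, is a non-empty
# string of hex digits.
looks_like_implant_reply() {
    body=$(printf '%s' "$1" | tr -d '\r\n')
    [ -n "$body" ] && printf '%s\n' "$body" | grep -Eq '^[0-9A-Fa-f]+$'
}

# Issue the check exactly as Cisco published it. -k: the Web UI usually has a
# self-signed certificate; -s: no progress output; -m: never hang on a device
# that silently drops the request. Returns 1 when the implant answers.
check_device() {
    host=$1
    body=$(curl -k -s -m 10 -X POST "https://$host/webui/logoutconfirm.html?logon_hash=1" || true)
    if looks_like_implant_reply "$body"; then
        echo "$host: IMPLANT ACTIVE (reply: $body)"
        return 1
    fi
    # A negative only says the implant is not answering: the rogue local
    # accounts survive reboots and an installed implant may simply not have
    # been activated yet, so still review the running-config and the logs.
    echo "$host: no implant reply (review accounts and logs separately)"
    return 0
}

# Walk the device list; exit status 1 if any device answered as implanted.
main() {
    rc=0
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        check_device "$host" || rc=1
    done < "${1:-devices.txt}"
    return $rc
}

# Run as: sh implant_check.sh devices.txt
if [ $# -gt 0 ]; then main "$1"; fi
```

The response test is deliberately strict (hex digits only) so that a login page, a redirect or a 404 body is never mistaken for the implant’s reply; the Authorization-header variant Talos described later can be covered by adding the corresponding -H option to the curl call.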
Recommendations
- Walk through the triage decision flow provided by Cisco to determine whether your infrastructure is exposed:
  - Are you running IOS XE?
    - No: the system is not vulnerable; no further action is necessary.
    - Yes: is "ip http server" or "ip http secure-server" configured?
      - No: the vulnerability is not exploitable; no further action is necessary.
      - Yes: do you run services that require HTTP/HTTPS communication (for example, eWLC)?
        - No: disable the HTTP Server feature with "no ip http server" and "no ip http secure-server", then save the running configuration to startup so the change survives a reload.
        - Yes: if possible, restrict access to those services to trusted networks, for example with an access list applied through "ip http access-class", and treat the Web UI as exposed until that restriction is in place.
- Immediately apply the mitigation steps in Cisco's technical guidance (linked from the Cisco blog) to reduce the risk of compromise.
- Work through the indicators of compromise published by Cisco to look for the rogue accounts and the implant on your devices: check the running configuration for unexpected local users and the logs for configuration changes made through the Web UI process.
- Watch for new updates and workarounds from Cisco as the situation evolves.
- If you use Lumu, it can monitor your network and alert on any malicious contact or potential compromise that arises.
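The triage questions and the account and log indicators above, applied to saved "show running-config" and "show logging" output so the same checks can be repeated offline across a fleet. This is an added example, not Cisco’s or Lumu’s code. The configuration and log samples are constructed, modelled on IOS XE output and on the message formats Talos published (%SYS-5-CONFIG_P from process SEP_webui_wsma_http and %WEBUI-6-INSTALL_OPERATION_INFO); the allow-list of expected administrators is this example’s own parameter, and "ip http access-class" is a real IOS XE command whose exact syntax should be confirmed for your release.

```sh
#!/bin/sh
# Added example (not Cisco's or Lumu's code): apply the triage questions and the
# account and log indicators to saved "show running-config" and "show logging"
# output. Both inputs are constructed samples modelled on IOS XE output and on
# the log message formats Talos published, not real device data.

SAMPLE_CONFIG=$(cat <<'EOF'
version 17.3
hostname edge-rtr-01
username admin privilege 15 secret 9 $9$REDACTED
username cisco_support privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server
ip http authentication local
end
EOF
)

SAMPLE_LOGS=$(cat <<'EOF'
*Oct 12 2023 03:14:07.112 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_support on line
*Oct 12 2023 03:15:22.004 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD cisco_service.conf
*Oct 12 2023 03:20:01.500 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
EOF
)

# Triage question 2: is the Web UI's HTTP or HTTPS server enabled?
# Global config lines are flush left, so "no ip http server" does not match.
http_server_state() {
    if printf '%s\n' "$1" | grep -Eq '^ip http (secure-)?server$'; then
        echo enabled
    else
        echo disabled
    fi
}

# Triage question 3, "restrict to trusted networks" branch: is an access list
# bound to the HTTP server? (Assumed mechanism: "ip http access-class".) This
# only shows that a restriction exists; the ACL contents still need review.
http_access_restricted() {
    printf '%s\n' "$1" | grep -q '^ip http access-class'
}

# Indicator 1: the account names reported by Talos, plus any level-15 user not
# on the operator's allow-list (second argument, space separated).
suspect_accounts() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "username" && ($2 == "cisco_tac_admin" || $2 == "cisco_support" ||
                             (/ privilege 15 / && !($2 in ok))) { print $2 }'
}

# Indicator 2: configuration changes made through the Web UI process and file
# install operations (the implant arrived as a file named cisco_service.conf).
log_indicators() {
    printf '%s\n' "$1" | grep -E 'SEP_webui_wsma_http|WEBUI-6-INSTALL_OPERATION_INFO' || true
}

# One verdict per device. Returns 1 when action is needed.
triage() {
    config=$1 logs=$2 allow=$3
    action=0
    if [ "$(http_server_state "$config")" = enabled ]; then
        if http_access_restricted "$config"; then
            echo "Web UI enabled but bound to an access-class: confirm the ACL permits trusted networks only"
        else
            echo "Web UI enabled and unrestricted: apply 'no ip http server' and 'no ip http secure-server', or restrict it"
        fi
        action=1
    else
        echo "Web UI disabled: CVE-2023-20198 is not exploitable on this device"
    fi
    accounts=$(suspect_accounts "$config" "$allow")
    if [ -n "$accounts" ]; then
        echo "Suspect local accounts (these persist across reboots; remove them): $accounts"
        action=1
    fi
    indicators=$(log_indicators "$logs")
    if [ -n "$indicators" ]; then
        echo "Web UI activity in the logs:"
        echo "$indicators"
        action=1
    fi
    return $action
}

# Run as: sh webui_triage.sh demo   (exit status 1 means action is needed)
if [ "${1:-}" = demo ]; then triage "$SAMPLE_CONFIG" "$SAMPLE_LOGS" "admin"; fi
```

Feed real exports by replacing the two samples with the contents of the saved show outputs; the known account names are flagged even when they appear on the allow-list, because nothing legitimate should have created them.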