Cisco IOS XE Software Web Management User Interface vulnerabilities

Keith Kirkland Updated by Keith Kirkland

High Level Summary of the Security Advisory

Cisco Systems, Inc., is an American multinational technology giant headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, software, telecommunications equipment, and other high-technology services and products. It is a major player in the cloud computing market, offering a variety of cloud-based services such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Cisco is also a major player in the Internet of Things (IoT) market, offering IoT products and services such as sensors, gateways, and data analytics software.

On October 16, 2023, Cisco Systems, Inc. issued a threat advisory on its Cisco Talos website, confirming that it had identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE Software. The vulnerability is tracked as CVE-2023-20198.

Cisco discovered early evidence of this threat on September 28, 2023, when a case opened with Cisco's Technical Assistance Center (TAC) identified unusual behavior on a customer device. Cisco's investigation revealed that similar, related activity had occurred as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address on a customer device. Instances of this activity ended on October 1.

On October 12, 2023, Cisco Talos Incident Response (Talos IR) and TAC detected an additional cluster of related activity. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, the October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf), which resulted in the new user accounts having level 15 privileges and therefore full administrator access to the device. A complete description of the incident can be found in the threat advisory issued by Cisco Talos.

On October 20, in an update to the advisory, Cisco Talos identified an additional vulnerability, CVE-2023-20273, which affects another component of the Web UI feature and was used to install the implant. CVE-2023-20198 received the highest possible Common Vulnerability Scoring System (CVSS) score (10, critical), whereas CVE-2023-20273 has a CVSS score of 7.2 (high).

Should I be concerned? 

Maybe. It depends on whether you have a relationship with Cisco Systems, Inc. Click the link below to find out whether you have a relationship with this vendor. If you do, follow the recommendations below.

Note: this link specifically references vendor directory records. You may also want to search your Relationship List for "Cisco" to confirm.

What to do if you or your vendors have an active relationship with Cisco

As per the Cisco Talos advisory, the vulnerabilities affect Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled by the ip http server or ip http secure-server command.

To determine whether the HTTP Server feature is enabled for your system, log in to the system and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the system.

The following example shows the output of the show running-config | include ip http server|secure|active command for a system that has the HTTP Server feature enabled:

Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server

Note: The presence of either command or both commands in the system configuration indicates that the web UI feature is enabled.

If the ip http server command is present and the configuration also contains ip http active-session-modules none, these vulnerabilities are not exploitable over HTTP.

If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, these vulnerabilities are not exploitable over HTTPS.

To review the indicators of compromise, follow the linked Cisco advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature.

Recommendations By Cisco Systems, Inc.

If you confirm that the web UI feature of your Cisco IOS XE Software is enabled through the ip http server or ip http secure-server commands, and the indicators of compromise look strong, follow the steps recommended by Cisco:

  • Cisco strongly recommends disabling the HTTP Server feature on all internet-facing systems or restricting its access to trusted source addresses. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
    The following decision tree can be used to help determine how to triage an environment and deploy protections:
  • Are you running IOS XE?
    • No. The system is not vulnerable. No further action is necessary.
    • Yes.
      • Is ip http server or ip http secure-server configured?
        • No. The vulnerabilities are not exploitable. No further action is necessary.
        • Yes.
          • Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
            • No. Disable the HTTP Server feature.
            • Yes. If possible, restrict access to those services to trusted networks.
  • Based on further analysis of the exploit, Cisco has also determined that access lists applied to the HTTP Server feature to restrict access from untrusted hosts and networks are an effective mitigation.
    When implementing access controls for these services, as per the mitigations provided, Cisco recommends that users review the controls, as there is the potential for an interruption in production services. If you are unsure of these steps, work with your support organization to determine appropriate control measures.
  • After implementing any changes, Cisco recommends using the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the changes are not reverted in the event of a system reload.
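The configuration checks described above (the ip http server / ip http secure-server commands and the active-session-modules exceptions) and the decision tree in this list can be applied to a saved running-config in bulk. The following Python is an added example, not code from Cisco or VISO Trust; the sample configs are constructed, and the include filter approximates the IOS "| include" behavior with a per-line regex search.

```python
import re

# Constructed sample running-config excerpts (not from the page or any real device).
CONFIG_BOTH_LISTENERS = """\
hostname edge-router
ip http server
ip http secure-server
ip http authentication local
"""

CONFIG_HTTPS_SESSION_MODULES_NONE = """\
hostname branch-router
ip http secure-server
ip http secure-active-session-modules none
"""

def include_filter(running_config, pattern="ip http server|secure|active"):
    """Approximate IOS 'show running-config | include <regex>': a regex search per line."""
    return [ln for ln in running_config.splitlines() if re.search(pattern, ln)]

def audit_web_ui(running_config):
    """Apply the advisory's checks: listener state, exploitability, and disable commands."""
    lines = {ln.strip() for ln in running_config.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    # Per the advisory, '[secure-]active-session-modules none' removes that listener's exposure.
    http_exploitable = http_on and "ip http active-session-modules none" not in lines
    https_exploitable = https_on and "ip http secure-active-session-modules none" not in lines
    remediation = []
    if http_exploitable:
        remediation.append("no ip http server")
    if https_exploitable:
        remediation.append("no ip http secure-server")
    return {
        "web_ui_enabled": http_on or https_on,
        "http_exploitable": http_exploitable,
        "https_exploitable": https_exploitable,
        "remediation": remediation,
    }

def triage(running_config, needs_web_services=False):
    """Walk the advisory's decision tree for a device that runs IOS XE."""
    result = audit_web_ui(running_config)
    if not (result["http_exploitable"] or result["https_exploitable"]):
        return "not exploitable: no further action"
    if needs_web_services:  # e.g. eWLC requires HTTP/HTTPS; restrict instead of disabling
        return "restrict HTTP/HTTPS access to trusted networks"
    return "disable: " + "; ".join(result["remediation"])
```

The remediation commands are meant to be entered in global configuration mode and then saved, as the last step in the list above describes.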

---------------------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback, please let us know at product@visotrust.com.

For any additional questions, please reach out to your customer success manager.


The VISO Trust team
