Versa Security Bulletin: Cisco IOS XE Web UI Privilege Escalation Vulnerability affecting upwards of 50k devices (patched)

By Jayesh Gangadas Patel
Senior Threat Analyst, Versa Networks
October 26, 2023

Summary

On October 16, 2023, Cisco reported two new vulnerabilities in the web UI for its Cisco IOS XE operating system that runs many of its routers and switches, CVE-2023-20198 and CVE-2023-20273. These vulnerabilities were initially being exploited by unknown hackers and affected more than 10,000 devices at the time of its first known existence. However, in the following days the attack was leveraged to affect more than 50,000 devices, and that’s when a free software fix was identified by Cisco to keep a check on devices. Cisco released the updated version 17.9.4a on October 23 to fix the issue. The software is available for download from Cisco’s Software Download Center.

Details of the Vulnerability

Both vulnerabilities affect IOS XE Software and largely exploit the Web UI of Cisco Devices. The CVE-2023-20198 received maximum severity rating (10/10) while CVE-2023-20273 has been assigned a high severity rating of 7.2.

As per Cisco, attackers gained initial access to devices by exploiting CVE-2023-20198 and creating an implant. An implant is malicious code or script that can be installed on a device to execute arbitrary commands or gain unauthorized access. After exploiting CVE-2023-20273, the implant user is granted the highest privilege to issue level 15 commands. On Cisco devices, privileges are classified on a scale of 0 to 15, with 0 being the lowest level and 15 granting administrator level privileges. With this highest privilege level, the adversary can practically do anything to cause harm to the network or plant any script (such as a backdoor, or malicious code) to periodically monitor and use the device entry point to further escalate the attack scope. However, the implant doesn’t persist when the system is rebooted. Cisco has not provided guidance whether any devices are implanted with script or code that could persist.

Recommendations

Cisco recommends that the administrator checks if the access to Web UI is active by issuing the appropriate Cisco-issued command. If found active, the vendor advises to limit access to the interface or render it inactive if possible.

Versa Networks Protections for Cisco IOS XE Web UI Privilege Escalation Vulnerability

Versa Networks customers can receive protection from the Cisco IOS XE Web UI Vulnerability in the following ways:

• Versa Networks has identified the issues and released NIDS (Network IDS) signature to detect and block any attempt to create an implant (i.e., malware or malicious code/script) on the Cisco device in our latest offering of security package version 2098 (Version 2023-10-23.2098). We have also identified and blacklisted the original source IP addresses from which attempts to exploit were made. The signature is part of the Versa Networks recommended vulnerability profile and customers will automatically get protection. Versa recommends that customers running a custom vulnerability profile select and activate the signature to get protection. Customers can visit our Support Center to obtain more information on security package version 2098 and follow the forum.

• Versa Next Generation Firewall with advanced Intrusion Detection and Protection (IDS/IPS) capabilities and security packages (SPacks) detects and blocks the implant and associated C&C activity before it can get to the vulnerable Cisco devices southbound. Learn more about the Versa Next Generation Firewall.

• Versa Secure SD-WAN delivers network-based intrusion detection and prevention via Versa Operating System VOS™. The integrated IDS/IPS capabilities block the implant from being created and exploiting the vulnerability. Learn more about Versa’s Secure SD-WAN.

References

[1] https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/

[2] https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities