AttackerKBAKB:972237DB-4682-4F2F-B23F-881304A34326CVE-2023-20198
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 High
AI Score
Confidence
High
0.853 High
EPSS
Percentile
98.6%
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
Recent assessments:
cbeek-r7 at October 17, 2023 6:12am UTC reported:
Cisco has detected ongoing exploitation of an undisclosed vulnerability within the web user interface (UI) component of Cisco IOS XE Software, particularly when it is accessible via the internet or untrusted networks. This vulnerability permits an external, unauthenticated malicious actor to establish an account on a compromised system with full privilege level 15 access. This unauthorized account can subsequently be leveraged to assume control over the compromised system.
This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.
To assess whether a system might have been infiltrated, carry out the following verifications:
Examine the system logs for indications of the following log messages, with βuserβ referring to any entities such as βcisco_tac_admin,β βcisco_support,β or any locally configured user that remains unfamiliar to the network administrator. Cisco has published more details of possible indicators of compromise in their advisory: <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z>.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 4
References
packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html
arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20198
github.com/Atea-Redteam/CVE-2023-20198
github.com/fox-it/cisco-ios-xe-implant-detection
github.com/Shadow0ps/CVE-2023-20198-Scanner
github.com/smokeintheshell/CVE-2023-20198
github.com/W01fh4cker/CVE-2023-20198-RCE
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities
www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit
Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 High
AI Score
Confidence
High
0.853 High
EPSS
Percentile
98.6%