Pierluigi Paganini October 31, 2023

Researchers publicly released the exploit code for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198.

Researchers from Researchers at Horizon3.ai publicly released the exploit code for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198.

Cisco recently warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance Center (TAC) support cases.

Threat actors have exploited the recently disclosed critical zero-day vulnerability (CVE-2023-20198) to compromise thousands of Cisco IOS XE devices, security firm VulnCheck warned.

The vulnerability can be exploited by an attacker to gain administrator privileges and take over vulnerable routers.

The advisory published by the vendor states that the exploitation of the vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.

“Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks.” reads the advisory published by the company. “This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.”

The flaw affects physical and virtual devices running with the Web User Interface (Web UI) feature enabled and that have the HTTP or HTTPS Server feature in use.

The company urges administrators to check the system logs for the presence of any of the following log messages where the user could be cisco_tac_admin, cisco_support, or any configured, local user that is unknown to the network.

Cisco recommends admins to disable the HTTP server feature on systems exposed on the Internet.

“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.” concludes the advisory that also includes Indicators of Compromise (IoCs).”After disabling the HTTP Server feature, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the HTTP Server feature is not unexpectedly enabled in the event of a system reload.”

VulnCheck researchers observed that the vulnerability was exploited in a large-scale hacking campaign targeting Cisco IOS XE routers and switches. The security firm developed and released a scanner used to find systems infected with implants that are exposed on the internet.

“Cisco buried the lede by not mentioning thousands of internet-facing IOS XE systems have been implanted. VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts.” reads the post published by VulnCheck. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”

The researchers urge organizations to use an IOS XE system to determine if their systems have been compromised.

Cybersecurity firm GreyNoise also identified malicious activity related to the exploitation of the above issue.

Researchers at Horizon3.ai published technical details about the vulnerability along with the PoC exploit code.

“[the PoC code] is an example request that bypasses authentication on vulnerable instances of IOS-XE. This POC creates a user named ‘baduser’ with privilege level 15. Let’s dig into the details.”

The researchers pointed out that they analyzed the vulnerability by analyzing the data gathered from a honeypot set up by the SECUINFRA FALCON TEAM.

Cisco has released updates to address the vulnerability security.

Customers are urged to upgrade to an appropriate fixed software release as indicated in the following table:

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISCO)