CVE-2023-20198: Actively Exploited Cisco IOS XE Zero-Day Vulnerability


On October 16th, 2023, Cisco published a security advisory for a new zero-day vulnerability in Cisco IOS XE software [1]. CVE-2023-20198 is a critical privilege escalation vulnerability that allows an unauthenticated attacker to create an account with privilege level 15 (full administrator) access on vulnerable devices. The vulnerability has a CVSS score of 10.0 (Critical) and is being actively exploited in the wild.

In this blog, we explain the Cisco IOS XE CVE-2023-20198 vulnerability and how organizations can defend against CVE-2023-20198 exploitation attacks.

What is Cisco IOS XE CVE-2023-20198 Elevation of Privilege Vulnerability?

Cisco IOS (Internetwork Operating System) XE is an operating system that runs on many Cisco products, such as switches, routers, access points, and wireless controllers. Among its many features, Cisco IOS XE has a built-in web-based interface (the web UI) that allows network administrators and engineers to manage, configure, and monitor Cisco routers and switches. On October 16th, 2023, Cisco disclosed a zero-day vulnerability in this web UI that is being actively exploited in the wild. CVE-2023-20198 is a privilege escalation vulnerability that allows an unauthenticated adversary to create a local account at privilege level 15, the full administrator level. CVE-2023-20198 has a CVSS score of 10.0 (Critical) out of 10, and it affects thousands of devices worldwide.

Threat actors have been observed exploiting CVE-2023-20198 to gain initial access to target devices. After initial access, they exploit a second vulnerability, CVE-2021-1435, to install an implant and achieve remote code execution with root privileges. Security researchers estimate that more than 40,000 Cisco devices have been infected with the implant (Figure 1).

Figure 1: Number of compromised hosts by country [2]

Although Cisco patched CVE-2021-1435 in 2021, the adversaries have still been able to install the implant as a backdoor into their victims' networks, including on devices that have that patch applied. The implant is written in the Lua programming language and lets the adversaries execute arbitrary commands sent in HTTP POST requests. The implant is not persistent and does not survive a reboot, but the adversaries can simply reinstall it by logging in with the privilege level 15 account they created earlier. The threat actors also delete logs and remove users to hide their activity.

Mitigating Cisco IOS XE CVE-2023-20198 Elevation of Privilege Vulnerability

Cisco has released fixed software for the IOS XE release trains listed below and plans to fix the remaining trains. Organizations are advised to follow Cisco's advisory closely [1] and upgrade vulnerable IOS XE software as soon as possible.

Cisco IOS XE Software Release Train    First Fixed Release    Available
17.9                                   17.9.4a                Yes
17.6                                   17.6.6a                Yes
17.3                                   17.3.8a                Yes
16.12 (Catalyst 3650 and 3850 only)    16.12.10a              Yes

If a fixed release is not yet available for your train or cannot be applied immediately, there are a few mitigation measures that organizations can apply to defend themselves against CVE-2023-20198 attacks.

  • Disabling the HTTP/S server feature on internet-facing systems

The vulnerability lies in the web UI feature of Cisco IOS XE software, and the adversaries have been observed exploiting internet-exposed vulnerable devices. Organizations are advised to disable the HTTP and HTTPS server features on public-facing physical and virtual devices until fixed software is installed. Before doing so, confirm that nothing else on the device depends on its web server, since the commands below disable every feature served over it. The following commands can be used to check and disable the HTTP and HTTPS server features.

The command that shows whether the HTTP/S server feature is enabled:

show running-config | include ip http server|secure|active

Response if HTTP/S is enabled:

ip http server

ip http secure-server

If the output also contains "ip http active-session-modules none", the vulnerability is not exploitable over HTTP; likewise, "ip http secure-active-session-modules none" means it is not exploitable over HTTPS [1]. If either server line is present without the matching "none" line, that listener is exposed.


The commands that disable the HTTP/S server feature and save the change so that it survives a reboot (both "no" commands are needed when both servers are enabled):

no ip http server

no ip http secure-server

copy running-configuration startup-configuration

  • Restrict access to the HTTP/S server feature

If disabling the HTTP and HTTPS server features is not an option, organizations are advised to restrict access to these services to trusted management networks, for example with an access list applied to the web server, so that the web UI is never reachable from the internet.

  • Look for unknown user accounts in Cisco IOS XE

Adversaries create a new local account by exploiting CVE-2023-20198. Security teams should compare the local users configured on affected devices against their approved list and investigate any unknown ones, paying particular attention to privilege level 15 accounts. The adversaries are known to create users with the usernames "cisco_tac_admin", "cisco_support", and "cisco_sys_manager".

  • Check for the presence of the implant

Adversaries deploy an implant as a backdoor after the initial compromise to gain arbitrary code execution. The following command can be used to detect whether the implant is present; it must be run from a host that can reach the device's web UI. If the implant is deployed on a compromised device, the request returns a hexadecimal string, confirming that the implant is present.

curl -k -X POST "https://<Cisco_Device_IP>/webui/logoutconfirm.html?logon_hash=1"
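The following script automates the three checks above (web UI exposure from the running configuration, unknown or attacker-named local users, and interpretation of the implant probe response) and also generates an access list for the "restrict access" mitigation. It is an added example written for this post, not code from Cisco or from the original advisory. The sample running configuration is constructed, the approved user baseline and the trusted prefixes are placeholders, and the "ip http access-class ipv4 <name>" syntax is assumed for current 17.x trains (older trains take a numbered ACL instead).

```python
"""Offline helpers for the CVE-2023-20198 checks: web UI exposure, unknown
local users, implant-probe interpretation, and an ACL for restricting the
web UI. Sample data below is constructed, not taken from a real device."""
import ipaddress
import re
import ssl
import urllib.request

# Usernames the attackers were reported to create (see text above).
KNOWN_ATTACKER_USERS = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}

# 'username NAME [privilege N] ...'; privilege defaults to 1 when omitted.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def webui_exposure(running_config: str) -> dict:
    """Which web UI listeners are reachable, from 'show running-config' text.
    Per Cisco's advisory, 'ip http active-session-modules none' (HTTP) and
    'ip http secure-active-session-modules none' (HTTPS) make that listener
    non-exploitable even though the server line is present."""
    lines = {line.strip() for line in running_config.splitlines()}
    return {
        "http": "ip http server" in lines
        and "ip http active-session-modules none" not in lines,
        "https": "ip http secure-server" in lines
        and "ip http secure-active-session-modules none" not in lines,
    }


def suspicious_users(running_config: str, baseline: set) -> list:
    """Local users that carry a known attacker name or are absent from the
    approved baseline. Returns (name, privilege_level, reason) tuples."""
    findings = []
    for name, priv in USERNAME_RE.findall(running_config):
        level = int(priv) if priv else 1
        if name in KNOWN_ATTACKER_USERS:
            findings.append((name, level, "known attacker username"))
        elif name not in baseline:
            findings.append((name, level, "not in approved baseline"))
    return findings


def implant_indicator(body: str) -> bool:
    """Cisco's implant check: POST /webui/logoutconfirm.html?logon_hash=1
    returns a bare hexadecimal string when the implant is present."""
    return HEX_RE.fullmatch(body.strip()) is not None


def probe_implant(host: str, timeout: float = 5.0) -> bool:
    """Run the implant check against a live device (needs network reach to
    the web UI). Device certificates are usually self-signed, so TLS
    verification is disabled, as 'curl -k' does."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}/webui/logoutconfirm.html?logon_hash=1",
        data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return implant_indicator(resp.read().decode("utf-8", "replace"))


def restrict_webui_config(trusted_cidrs: list, acl_name: str = "WEBUI-MGMT") -> str:
    """IOS XE snippet limiting the web UI to trusted prefixes. IOS standard
    ACLs take wildcard masks (the inverted subnet mask), which ipaddress
    exposes as hostmask. The 'access-class ipv4 <name>' form is assumed for
    current 17.x trains."""
    out = [f"ip access-list standard {acl_name}"]
    for cidr in trusted_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        out.append(f" permit {net.network_address} {net.hostmask}")
    out += [" deny any", f"ip http access-class ipv4 {acl_name}"]
    return "\n".join(out)


# Constructed sample 'show running-config' excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username monitor secret 9 $9$placeholder
ip http server
ip http secure-server
ip http secure-active-session-modules none
"""

if __name__ == "__main__":
    print(webui_exposure(SAMPLE_CONFIG))
    print(suspicious_users(SAMPLE_CONFIG, baseline={"netadmin"}))
    print(implant_indicator("0123456789abcdef01"), implant_indicator("<html></html>"))
    print(restrict_webui_config(["10.10.0.0/24", "192.0.2.5/32"]))
```

On the constructed sample, the HTTP listener is reported exposed while HTTPS is not (the "secure-active-session-modules none" line neutralises it), "cisco_tac_admin" is flagged by name and "monitor" for being outside the baseline, and a plain HTML logout page is correctly not treated as an implant response. Feed the functions the output of "show running-config" collected from your own devices, and run probe_implant only from a host that is allowed to reach the web UI.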

The victimology so far shows that CVE-2023-20198 attacks are limited to public-facing Cisco IOS XE devices with the HTTP/S server feature enabled. Since the vulnerability is being actively exploited, organizations are urged to apply the mitigations above without delay and to hunt for the indicators described, because a device that was exposed before mitigation may already be compromised.

How Picus Helps Simulate Cisco IOS XE CVE-2023-20198 Attacks

We also strongly suggest simulating the Cisco IOS XE CVE-2023-20198 attack to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, Looney Tunables, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Cisco IOS XE CVE-2023-20198 vulnerability exploitation attacks:

Threat ID    Threat Name                    Attack Module
88221        Cisco Web Attack Campaign      Web Application


Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "Cisco Security Advisory: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability," Cisco, Oct. 17, 2023. Available: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z. [Accessed: Oct. 20, 2023]

[2] E. Austin, "CVE-2023-20198 - Cisco IOS-XE ZeroDay," Censys, Oct. 18, 2023. Available: https://censys.com/cve-2023-20198-cisco-ios-xe-zeroday/. [Accessed: Oct. 20, 2023]