Cisco IOS XE zero-day exploited by attackers to deliver implant (CVE-2023-20198)

A previously unknown vulnerability (CVE-2023-20198) affecting networking devices running Cisco IOS XE software is being exploited by a threat actor to take control of the devices and install an implant, Cisco Talos researchers have warned today.


About CVE-2023-20198

CVE-2023-20198 is a privilege escalation vulnerability in the web UI feature of Cisco IOS XE software, which is installed on various Cisco controllers, switches, edge, branch and virtual routers.

The web UI is an embedded GUI-based tool that can be used to provision, monitor and troubleshoot the system, build configurations, simplify system deployment and manageability, and enhance the user experience. It is not supposed to be exposed to the internet or to untrusted networks.

Additional details about the vulnerability haven’t been disclosed, but it’s known that it allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, i.e., the highest possible level of access, which permits running all commands and making configuration changes.

The flaw affects both physical and virtual devices running Cisco IOS XE software, and is exploitable only if the web UI is enabled.

The attacks

In multiple attacks analyzed by Cisco’s threat analysts, the (presumably same) threat actor exploited CVE-2023-20198 to create a local user account and then exploited an old command injection flaw in the web UI (CVE-2021-1435) to install the implant.

In the first attack, likely started on September 18, the attacker limited themselves to creating a local user account under the username “cisco_tac_admin”. In a later one, started on October 12, the attacker created a local user account under the username “cisco_support” and then proceeded to deploy a configuration file (“cisco_service.conf”) that serves as an implant.

“The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters (…) that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed,” Cisco’s researchers explained.

The implant isn’t capable of persisting after a reboot, but the local user accounts created by the attacker do. According to Cisco, the implant “facilitates” arbitrary command execution.

There’s also an interesting tidbit shared by the researchers: Though a patch for CVE-2021-1435 was provided back in 2021 and has hopefully been applied by many, they “have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism.”

What to do?

Cisco is working on a patch for CVE-2023-20198, but in the meantime they advise admins to disable the HTTP Server feature (i.e., the web UI) on all internet-facing systems running Cisco IOS XE software.

Instructions on how to do it are provided in this security advisory, along with known indicators of compromise security teams can check for and Snort rules they can use.

“After disabling the HTTP Server feature, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the HTTP Server feature is not unexpectedly enabled in the event of a system reload,” the company stressed.
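As an added illustration (not Cisco’s advisory text and not the CERT Orange script mentioned later), the following Python audits a saved `show running-config` over a constructed sample: it flags an enabled web UI and any privilege 15 local account outside an operator-supplied allowlist, calling out the usernames this article reports. The sample config, the `EXPECTED_PRIV15` allowlist and the hostname are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output for illustration only;
# the usernames mirror those reported in the article, the secrets are placeholders.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 PLACEHOLDER
username cisco_support privilege 15 secret 9 PLACEHOLDER
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
end
"""

# Privilege-15 accounts the operator expects (assumed); everything else at level 15 is flagged.
EXPECTED_PRIV15 = {"netops"}

# Account names this article reports the attacker created.
CAMPAIGN_USERNAMES = {"cisco_tac_admin", "cisco_support"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)

def audit_running_config(config: str, expected_priv15=EXPECTED_PRIV15) -> Dict[str, object]:
    """Flag an enabled web UI and unexpected privilege-15 local accounts."""
    findings: List[str] = []
    # "no ip http server" starts with "no", so the line-anchored pattern ignores it.
    http_on = re.search(r"^ip http server\s*$", config, re.MULTILINE) is not None
    https_on = re.search(r"^ip http secure-server\s*$", config, re.MULTILINE) is not None
    if http_on or https_on:
        findings.append("web UI enabled; disable it with 'no ip http server' and "
                        "'no ip http secure-server', then save the running config")
    unexpected: List[str] = []
    for name, level in USERNAME_RE.findall(config):
        if int(level) != 15 or name in expected_priv15:
            continue
        unexpected.append(name)
        if name in CAMPAIGN_USERNAMES:
            findings.append(f"account '{name}' matches a username from the CVE-2023-20198 campaign")
        else:
            findings.append(f"unexpected privilege 15 account '{name}'")
    return {"web_ui_enabled": http_on or https_on, "unexpected_priv15": unexpected, "findings": findings}
```

Run it against a config pulled from each device; an empty `findings` list means the web UI is off and only allowlisted accounts hold level 15.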

UPDATE (October 17, 2023, 09:55 a.m. ET):

VulnCheck CTO Jacob Baines says they have scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts.

“This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks,” he noted. The company has also released the scanner they used to find these systems on the internet.

Cisco is still working on the patch, but has updated the advisory with an additional mitigation option and a clearer decision tree organizations can use to determine which devices are affected and how to deploy protections on those that are.

UPDATE (October 18, 2023, 03:55 a.m. ET):

Censys says that 34,140 devices appear to have the backdoor installed, and that judging by the autonomous systems that house these, “the primary targets of this vulnerability are not large corporations but smaller entities and individuals who are more susceptible.”

Rapid7 has shared attacker behavior and IOCs observed by its incident responders.

UPDATE (October 20, 2023, 07:00 a.m. ET):

CERT Orange has released a Python script that organizations can use to discover the malicious implant on Cisco network devices.

UPDATE (October 23, 2023, 06:13 a.m. ET):

Cisco has released the first fixes for CVE-2023-20198. The number of implants observed on internet-facing devices has plummeted.

UPDATE (October 31, 2023, 06:30 a.m. ET):

A PoC exploit for CVE-2023-20198 has been published. Cisco has rolled out most of the fixed releases.
