Alert sounded over dangerous Cisco IOS XE zero-day

Cisco has warned users around the world after observing ongoing exploitation of a newly discovered zero-day in the web user interface (UI) feature of its IOS XE software when inadvertently exposed to the public internet or untrusted networks.

Tracked as CVE-2023-20198, the issue enables a remote, unauthenticated attacker to set up an account on a vulnerable system with the highest possible privileges, that they can then use to gain control of the affected systems.

Affected customers will all have enabled the web UI feature through the ip http server or ip http secure-server commands, and can determine whether or not this is the case by following the instructions laid out in Cisco’s advisory, which can be found here. This also details various indicators of compromise (IoCs) that defenders can examine to determine whether or not they have been hit.

“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature,” said Cisco.

Cisco is also recommending defenders restrict access controls for the service, but prior to doing so should be sure to review them thoroughly less they cause a wider service interruption.

The vulnerable web UI feature is an embedded, GUI-based system management tool that is designed to enable tech teams to provision systems, simplify deployment and manageability, and enhance overall user experience. It can also be used to build configurations and monitor and troubleshoot systems without command line interface (CLI) expertise, but should never be exposed to the internet or an untrusted network.

Computer Weekly understands Cisco is working on a patch for the vulnerability, which may impact a great many users. Mayuresh Dani, manager of threat research at Qualys, said: “Cisco has not provided the list of devices affected, which means that any switch, router or WLC running IOS XE and has the web UI exposed to the internet is vulnerable.

“Based on my searches using Shodan, there are about 40,000 Cisco devices that have web UI exposed to the internet. A majority of those are listening on port 80.”

The research team at Cisco Talos, together with Cisco’s Technical Assistance Centre (TAC), first got wise to the issue on 28 September, and after further investigation found that CVE-2023-20198 may have been exploited on vulnerable systems up to 10 days prior to that.

In this instance, an authorised user created a local user account under a the user name ‘cisco_tac_admin’ from a suspicious IP address.

No further activity was seen until 12 October, when Talos and the TAC detected what appeared to be a new cluster of related activity, when an unauthorised user created a local user account with the name ‘cisco_support’ from a different suspicious IP address.

This time around, the user carried out several subsequent actions, deploying an implant file, likely delivered via the long-patched CVE-2021-1435 vulnerability, suggesting that victims have failed to pay adequate attention to patching.

The implant comprises a configuration file that defines a new web server endpoint (uniform resource identifier or URI path) used to interact with the implant. The endpoint then receives certain parameters allowing the intruder to execute arbitrary commands at system or IOS level.

If this implant is to become active, the intruder needs to restart the web server but in at least one instance this did not happen. Talos additionally noted that the implant is not persistent, meaning a device reboot will get ride of it, but the newly-created user accounts will remain active with full admin rights, so presumably can start over.

“We assess that these clusters of activity were likely carried out by the same actor. Both clusters appeared close together, with the October activity appearing to build off the September activity,” wrote the Talos research team.

“The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity seems to show the actor expanding their operation to include establishing persistent access via deployment of the implant.”