Critical vulnerability affecting Cisco IOS XE exploited in the wild (CVE-2023-20198)

Updated , 24/10/2023 - Threat actors tried to hide implants on Cisco devices, most remain compromised

As we anticipated, the operation which managed to very rapidly hide implants located on compromised Cisco assets was conducted by the attackers themselves, in an effort to hide the backdoors from public oversight. Indeed, threat actors added an authorization header necessary for viewing the malicious implant, that is now provided within the curl command recommended by Cisco in an update of their initial advisory:

[curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"]

Fox-IT, that first publicly mentioned this change yesterday in a tweet, also figured out another query can be made to detect whether one device is compromised, using a simple command such as:

[curl -k "https[:]//DEVICEIP/%25"]

Cisco added this disclaimer to this new detection capability:

"If this returns a 404 HTTP response with an HTML page comprising of a “404 Not Found” message, a known variation of the implant is present. A system without the implant should return either only the standard 404 HTTP response, or a JavaScript redirect 200 HTTP response. Note: The above checks should use the HTTP scheme if the device is only configured for an insecure web interface."

In the end, this latest move by the threat actor means most implants are still present
on the instances. This is confirmed by the new scans conducted since, for example by
ShadowServer, which still found more than 30,000 compromised devices. It also means the backdoor remains available to the threat actors, a single group being still believed to be behind this campaign. This also means the original hacker is still active, even though we don't know the real objective behind this spree yet, nor who it might be.

As of writing, there is no working public PoC for the exploited vulnerability, limiting the risk that other opportunistic attackers start exploiting them. We did actually notice an increase of scanning attempts trying to do reconnaissance of the exposed web UI using the classic Cisco IOS XE path (i.e. "/webui/logoutconfirm.html?logon_hash=1").

The risk level associated to this advisory remains high for now.

17 and 20/10/2023

According to a threat advisory released by Cisco Talos on October 16, a new and maximum severity 0-day vulnerability in its IOS XE Software is being currently leveraged by at least one threat actor to gain full administrator privileges and take complete control of affected routers. Tracked as CVE-2023-20198 (link to detailed page for our clients), this critical flaw is yet to be patched by the vendor. However, users can disable the HTTP server feature from Internet-facing assets, which would remove the attack vector and block incoming attacks.

The vendor warned that this vulnerability only affects physical and virtual devices with the Web User Interface (Web UI) feature enabled, that also have the HTTP or HTTPS Server feature toggled on. Administrators of such at-risk assets should temporarily disabled this feature to mitigate the risks (or restrict access to trusted networks), after conducting some simple investigations (suspicious accounts created, trafic from 2 malicious IP addresses, implant located on the system).

The Orange Cyberdefense #CERT Team discovered over 34,500 IOS XE IPs compromised by the critical vulnerability that Cisco scored at 10, the highest possible score. Read the full article on SC Media: Thousands of devices exposed to critical Cisco IOS XE software bug | SC Media (scmagazine.com)

Sign up for our World Watch newsletter for further updates on this case and future security events & incidents.

World Watch

According to Cisco, when exploited, this vulnerability allows an attacker to create a malicious account on the affected device with high privileges, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity. The vulnerability and the attacks were discovered by Cisco's Technical Assistance Center (TAC) at the end of September after reports of unusual behavior on a customer device.

Following a thorough investigation, the company traced back the malicious activity to September 18, when an authorized user created a local user account with the username "cisco_tac_admin" from a suspicious IP address. On October 12, another "cisco_support" local user account was created from a second suspicious IP address. The attackers also deployed a malicious implant to execute arbitrary commands at the system or IOS levels. Cisco Talos believes that these two clusters of activity were launched by the same threat actor:

To drop this backdoor, the attackers leveraged a vulnerability tracked as CVE-2021-1435 (link to detailed page for our customers) which was patched by the vendor back in 2021. But here the flaw was successfully exploited even in patched devices "through an as of yet undetermined mechanism" added Cisco Talos.

As a workaround, users can disable the HTTP server feature on Internet-facing systems, which would remove the attack vector and block incoming attacks. If not possible, you should at least restrict it to trusted networks only. CISA quickly released an alert the same day, encouraging users to apply the mitigation measure proposed by the vendor.

We also encourage you if in the scope of this threat to hunt for the 2 IP addresses provided by Cisco, and to run a command provided by Cisco to check whether the implant was installed or not on your device:

# curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1" #

(Disclaimer: this check works only if the attacker restarted the web server).

3 new Snort signatures were also released by the vendor.

Cisco updated its advisory, as they identified the privilege escalation 0-day flaw used in conjunction with CVE-2023-20198 in this attack. This vulnerability received a new CVE identifier CVE-2023-20273 and is actually not tied to one older vulnerability (CVE-2021-1435), initially believed to be leveraged through a new mean. Furthermore, Cisco announced the progressive release of patches starting on October 22, with a first one available (17.9.4a, for the 17.9 branch) already. Older branches will most probably be fixed in upcoming days. 

A workaround user can disable the HTTP server feature on internet-facing systems, which would remove the attack vector and block incoming attacks. Cisco Talos also asks users to use the no ip http server or no ip http secure-server command in global configuration mode. Organizations should also look for unexplained or recently created user accounts as potential indicators of malicious activity associated with this threat.