On October 16, 2023, Cisco published a security advisory regarding an actively exploited and unpatched privilege escalation vulnerability in the Web UI feature of the Cisco IOS XE operating system, affecting both physical and virtual devices. The vulnerability could allow a remote, unauthenticated threat actor to create an account with maximum privileges (privilege level 15 access) on the affected device. Due to these factors, Cisco has given this vulnerability the maximum possible CVSS score of 10.
Note: The HTTP or HTTPS Server feature must be enabled to be vulnerable.
According to Cisco Talos, initial exploitation goes back to at least September 18th. The threat actors leveraged CVE-2023-20198 for initial access and then leveraged an older vulnerability (CVE-2021-1435) to install a malicious configuration file on the system to achieve arbitrary command execution. Cisco Talos states that they have also observed devices fully patched against CVE-2021-1435 getting the configuration file successfully installed through a currently unknown method. Although active exploitation has occurred, Arctic Wolf has not identified a proof-of-concept (PoC) exploit published publicly.
Recommendations for CVE-2023-20198
Cisco does not have a patch available for this vulnerability at this time. Cisco recommends implementing the following workaround as a temporary fix to prevent exploitation until patches are made available.
Restrict Access for the HTTP Server Feature on all Internet-Facing Systems
In order for CVE-2023-20198 to be exploited the HTTP or HTTPS Server feature must be enabled. To check if the feature is enabled on a system, log into the Cisco device and run the following command:
show running-config | include ip http server|secure|active
If either the ip http server command or the ip http secure-server are present in the output, the feature is enabled. The following is an example of the command and its output for a system with the feature enabled:
Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server
Note: If the ip http server command is present along with ip http active-session-modules none then the vulnerability is not exploitable over HTTP.
Note: If the ip http secure-server command is present along with ip http secure-active-session-modules none then the vulnerability is not exploitable over HTTPS.
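As an added example (not code from Cisco or Arctic Wolf), the following Python applies the check above to captured output of the show command, including the two active-session-modules caveats, and lists which of the advisory's workaround commands would apply. The sample output is constructed, not from a real device.

```python
from typing import Dict, List

# Constructed sample of "show running-config | include ip http server|secure|active"
# output; it is not captured from a real device.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http active-session-modules none
"""


def assess_http_exposure(config_text: str) -> Dict[str, bool]:
    """Report whether the Web UI is reachable over HTTP and/or HTTPS.

    Mirrors the advisory's check: 'ip http server' / 'ip http secure-server'
    enable the feature, while 'ip http active-session-modules none' /
    'ip http secure-active-session-modules none' make the respective transport
    non-exploitable. Exact matching is used so that a negated line such as
    'no ip http server' (which the '| include' filter also prints) is not
    mistaken for the feature being enabled.
    """
    lines = {ln.strip() for ln in config_text.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    http_modules_none = "ip http active-session-modules none" in lines
    https_modules_none = "ip http secure-active-session-modules none" in lines
    return {
        "http_exposed": http_on and not http_modules_none,
        "https_exposed": https_on and not https_modules_none,
    }


def mitigation_commands(config_text: str) -> List[str]:
    """Global-configuration commands from the advisory's workaround that
    would disable each still-exposed transport. Saving the configuration
    afterwards (the copy command in the advisory) is an exec-mode step and
    is left to the operator."""
    exposure = assess_http_exposure(config_text)
    commands: List[str] = []
    if exposure["http_exposed"]:
        commands.append("no ip http server")
    if exposure["https_exposed"]:
        commands.append("no ip http secure-server")
    return commands


if __name__ == "__main__":
    print(assess_http_exposure(SAMPLE_CONFIG))
    print(mitigation_commands(SAMPLE_CONFIG))
```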
Cisco assesses with high confidence that applying access lists to the HTTP server feature to restrict access from untrusted hosts and networks is an effective mitigation of CVE-2023-20198.
If your organization does not run services that require HTTP or HTTPS communication, Cisco recommends disabling the feature. To disable the feature, use the no ip http server or no ip http secure-server command in global configuration mode, depending on whether the HTTP server or the HTTPS server is in use. If both are in use, both commands need to be run.
After implementing changes, ensure the copy running-configuration startup-configuration command is run to save your changes so that the feature does not get re-enabled during a system reload.
Note: When implementing access controls for these services, be sure to review these controls for any potential disruption to your operations.