About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
RedLegg will include a brief description of the vulnerability, whether or not an active exploit or POC exists, and then a link to an update, if any, exists. If no update exists, there will be remediation or mitigation suggestions to limit each vulnerability's risk.
Executive Summary
On October 16, 2023, CISA, Cisco, and Talos published individual advisories for CVE-2023-20198 based on the active exploitation of Cisco IOS XE software. Exploitation of this vulnerability may occur if the Web UI feature is enabled and exposed to the internet or another untrusted network. By default, Cisco IOS XE devices do not have Web UI functionality enabled. When exploitation of CVE-2023-20198 occurs, an adversary may be able to make requests to create a new user with privilege level 15 access (Administrative access) without prior authentication. Local user accounts that have been reported being created on affected devices are cisco_tac_admin and cisco_support, though the use of any username is possible. If you observe the unexpected creation or use of these local user accounts, it may warrant the need for further investigation. There is currently no patch for this vulnerability and Cisco advises that their customers disable the Web UI used for management of IOS XE devices. If you are concerned about potential exploitation of this Cisco Web UI vulnerability RedLegg recommends that you disable the Web UI service on your Cisco IOS devices until a patch is available. Cisco’s PSIRT advisory contains additional techniques to identify and mitigate abuse of the Web UI service. RedLegg also recommends taking steps to implement guidance provided in CISA’s Binding Operational Directive (BOD) 23-02 to mitigate further risks based on internet-exposed management interfaces.
VULNERABILITIES
CISCO IOS XE WEB UI PRIVILEGE ESCALATION VULNERABILITY
Identifier: CVE-2023-20198
Exploit or POC: Yes, Not public.
Advisory: Cisco Security Advisory – Cisco IOS XE Software Web UI Privilege Escalation VulnerabilityDescription: CVE-2023-20198 allows for unauthenticated privilege escalation. See executive summary for amplified description.
Mitigation recommendation: Disable WebUI Services, disallow management interfaces from being publicly available, and identify and remove any implants from Cisco devices.