REDLEGG BLOG
Emergency Security Bulletin | RedLegg | 96Bravo

Emergency Security Bulletin: Cisco IOS XE Web UI Privilege Escalation Vulnerability

10/18/23 1:34 PM  |  by RedLegg Blog

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

RedLegg will include a brief description of the vulnerability, whether or not an active exploit or POC exists, and then a link to an update, if any, exists. If no update exists, there will be remediation or mitigation suggestions to limit each vulnerability's risk.

 

Executive Summary

On October 16, 2023, CISA, Cisco, and Talos published individual advisories for CVE-2023-20198 based on the active exploitation of Cisco IOS XE software. Exploitation of this vulnerability may occur if the Web UI feature is enabled and exposed to the internet or another untrusted network. By default, Cisco IOS XE devices do not have Web UI functionality enabled. When exploitation of CVE-2023-20198 occurs, an adversary may be able to make requests to create a new user with privilege level 15 access (Administrative access) without prior authentication. Local user accounts that have been reported being created on affected devices are cisco_tac_admin and cisco_support, though the use of any username is possible. If you observe the unexpected creation or use of these local user accounts, it may warrant the need for further investigation. There is currently no patch for this vulnerability and Cisco advises that their customers disable the Web UI used for management of IOS XE devices. If you are concerned about potential exploitation of this Cisco Web UI vulnerability RedLegg recommends that you disable the Web UI service on your Cisco IOS devices until a patch is available. Cisco’s PSIRT advisory contains additional techniques to identify and mitigate abuse of the Web UI service. RedLegg also recommends taking steps to implement guidance provided in CISA’s Binding Operational Directive (BOD) 23-02 to mitigate further risks based on internet-exposed management interfaces.

 

VULNERABILITIES

CISCO IOS XE WEB UI PRIVILEGE ESCALATION VULNERABILITY

Identifier: CVE-2023-20198
Exploit or POC: Yes, Not public.
Advisory: Cisco Security Advisory – Cisco IOS XE Software Web UI Privilege Escalation VulnerabilityDescription: CVE-2023-20198 allows for unauthenticated privilege escalation. See executive summary for amplified description.
Mitigation recommendation: Disable WebUI Services, disallow management interfaces from being publicly available, and identify and remove any implants from Cisco devices.

Get Blog Updates

Related Articles

Emergency Security Bulletin: Microsoft & Ivanti Vulnerabilities Bulletin, Vulnerability Bulletins

Emergency Security Bulletin: Microsoft & Ivanti Vulnerabilities

About: RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide ...
Emergency Security Bulletin: PAN-OS Management Interface Remote Code Execution Vulnerability Bulletin, Vulnerability Bulletins

Emergency Security Bulletin: PAN-OS Management Interface Remote Code Execution Vulnerability

About: RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide ...
Critical Security Vulnerabilities Bulletin