CVE-2023-20198 - Cisco IOS XE WebUI.

(WebUI) - Web User Interface

Description

Cisco Networking Software (Cisco IOS, Cisco IOS XE, Cisco IOS XR, and Cisco NX-OS) is the world's most widely deployed networking software.  It integrates cutting-edge technology, business-critical services, and broad hardware platform support.

The Cisco Internetworking Operating System (IOS) is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems.   The system is a package of routing, switching, internetworking, and telecommunications functions integrated into a multitasking operating system.

Cisco IOS XE does not use IOS as its operating system; instead it runs on a Linux operating system, where IOS runs as a separate process (daemon).  All system functions run as separate processes, which has a number of advantages, namely multiprocessing: the workload of the processes can be shared across multiple CPUs, and when a single process crashes it no longer takes down the entire OS.

A Web user interface allows a user to interact with content or software running on a remote server or router through a Web browser.  The content or Web page is downloaded from the Web server and the user interacts with it in a Web browser, which acts as the client.  The Cisco IOS XE Web User Interface (WebUI) is used to configure a router after it has been installed so that traffic can pass through the network; it also provides network administrators with a single solution for provisioning, monitoring, and optimising devices.

Problem

On the 16th Oct 2023, Cisco Systems, Inc. publicly disclosed Common Vulnerability and Exposure (CVE) Report CVE-2023-20198.  This is a privilege escalation vulnerability in the Web User Interface (WebUI) feature of Cisco's IOS XE software affecting both physical and virtual devices that have the HTTP or HTTPS Server feature enabled.  Exploitation of this vulnerability would allow a threat actor to obtain initial access and create a privileged account, which is then used to create a local user account with normal privileges.  No software patches or updates were released on the date of disclosure due to the ongoing investigation into observed exploitation of the Web User Interface (WebUI) feature in Cisco IOS XE Software in the wild.  Cisco Systems, Inc. has since released a number of fixed software releases.

On the 25th Oct 2023, Cisco Systems, Inc. publicly disclosed Common Vulnerability and Exposure (CVE) Report CVE-2023-20273.  This is a command injection vulnerability in the Web User Interface (WebUI) feature of Cisco's IOS XE software.  A threat actor who had obtained access and created a local user account with normal privileges through the exploitation of CVE-2023-20198 could then inject or run arbitrary commands with elevated (root) privileges in the underlying operating system.

Common Vulnerabilities & Exposures (CVEs)

Systems used for reporting and assessing the severity of security vulnerabilities.

No.  System                                       Description
1.   Common Vulnerabilities and Exposures (CVE)   The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2.   Common Vulnerability Scoring System (CVSS)   CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.  It provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVSSv3.0 Metrics.

No. Base Score Range Severity
1. 0.0 None
2. 0.1 - 3.9 Low
3. 4.0 - 6.9 Medium
4. 7.0 - 8.9 High
5. 9.0 - 10.0 Critical

List of CVEs & Cisco Security Advisory - Cisco IOS XE Web User Interface (WebUI).

No.  CVE Report       Description                                                                        CVSSv3  Disclosed   Advisory
1.   CVE-2023-20198   Privilege escalation vulnerability in the WebUI feature of Cisco's IOS XE software.  10.0    16-10-2023  Cisco Security Advisory
2.   CVE-2023-20273   Command injection vulnerability in the WebUI feature of Cisco's IOS XE software.     7.2     25-10-2023  Cisco Security Advisory

Note: On clicking the CVE link in the table above, Constituents will be directed to the www.mitre.org webpage, which contains the relevant information on the particular CVE No.  Constituents then have the option to click on the www.cve.org link, which will direct them to the www.cve.org webpage, where additional information on the CVE in question can be accessed by entering the CVE No. in the Find field.


CVE-2023-20198: is a privilege escalation vulnerability in the Web User Interface (WebUI) feature of Cisco's IOS XE software which would allow a threat actor to obtain initial access to the system and create a privileged account, which is then used to create a local user account with normal privileges.

CVE-2023-20273: A Command Injection Vulnerability in the Web User Interface (WebUI) feature of Cisco's IOS XE software.  A threat actor who has created a local user account with normal privileges through the exploitation of CVE-2023-20198 can inject or run arbitrary commands in the underlying operating system with root privileges.

Solution

Recommendation to Constituents running the Cisco IOS XE Web User Interface (WebUI).

Constituents running the Cisco IOS XE Web User Interface (WebUI) are advised to implement the recommendations specified in the Cisco Security Advisory (link in the table above) in relation to the publicly disclosed vulnerabilities in the Cisco IOS XE Software Web User Interface (WebUI) feature (CVE-2023-20198 & CVE-2023-20273).  These include disabling the HTTP Server feature on internet-facing systems, and searching and monitoring for malicious activity on their network.

List of fixed IOS XE software releases and available Software Maintenance Upgrades (SMUs).

No.  Cisco IOS XE Software Release Train      First Fixed Release  Available
1. 17.9 17.9.4a Yes
2. 17.6 17.6.6a Yes
3. 17.3 17.3.8a Yes
4. 16.12 (Catalyst 3650 and 3850 only) 16.12.10a Yes
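The two checks a Constituent would actually run follow from the recommendation above and the fixed-release table: does the device's running configuration still enable the HTTP/HTTPS server (the WebUI), and is its IOS XE release at or above the first fixed release for its train?  The script below is an added example written for this page, not code from Cisco or from the advisory.  The FIRST_FIXED table is copied from the table above; the running configuration is a constructed sample; the IOS global configuration commands "ip http server" and "ip http secure-server" (and their "no" forms) are the standard commands that enable and disable the HTTP and HTTPS server.  The assumption that a release string has the form MAJOR.MINOR.PATCH with an optional rebuild letter (17.9.4a) and that the 16.12 platform check can be made on a platform string containing "3650" or "3850" is the author's, not Cisco's.

```python
"""Audit a Cisco IOS XE device against the WebUI recommendations on this page:
 1. is the HTTP/HTTPS server (the WebUI) enabled in the running configuration?
 2. is the running release at or above the first fixed release for its train?
Added example; not Cisco code.  Version strings are assumed to look like 17.9.4a.
"""
import re

# First fixed releases per release train, copied from the table above.
# 16.12 is listed as fixed only for the Catalyst 3650 and 3850.
FIRST_FIXED = {
    "17.9": "17.9.4a",
    "17.6": "17.6.6a",
    "17.3": "17.3.8a",
    "16.12": "16.12.10a",
}
_CATALYST_3650_3850_ONLY = ("3650", "3850")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(version):
    """'17.9.4a' -> (17, 9, 4, 'a').  The rebuild letter sorts after the plain
    release because '' < 'a', so 17.9.4a > 17.9.4 and 17.9.5 > 17.9.4a."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def is_fixed(version, platform=""):
    """Return (fixed, first_fixed_release).
    fixed is True/False when the train is in the table, None when it is not
    (or when the train is 16.12 and the platform is not a Catalyst 3650/3850,
    where the table gives no fixed release)."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    first_fixed = FIRST_FIXED.get(train)
    if first_fixed is None:
        return None, None
    if train == "16.12" and not any(m in platform for m in _CATALYST_3650_3850_ONLY):
        return None, None
    return v >= parse_version(first_fixed), first_fixed


# Lines that enable the WebUI in global configuration: 'ip http server' (HTTP)
# and 'ip http secure-server' (HTTPS).  The 'no ...' forms do not match because
# the pattern is anchored at the start of the line.
_HTTP_ENABLE_RE = re.compile(r"^\s*ip http (secure-)?server\s*$")


def audit_running_config(config_text):
    """Return the configuration lines that enable the HTTP/HTTPS server."""
    return [ln.strip() for ln in config_text.splitlines() if _HTTP_ENABLE_RE.match(ln)]


def remediation_commands(enabled_lines):
    """The 'no' form of each enabling line, to be entered in global configuration mode."""
    return [f"no {ln}" for ln in enabled_lines]


# Constructed sample running configuration; not taken from a real device.
SAMPLE_RUNNING_CONFIG = """\
! constructed sample
version 17.9
hostname edge-router-1
ip http server
ip http secure-server
ip http authentication local
!
"""


def report(version, config_text, platform=""):
    """Combine both checks into one dict a Constituent can act on."""
    enabled = audit_running_config(config_text)
    fixed, first_fixed = is_fixed(version, platform)
    return {
        "webui_enabled": bool(enabled),
        "remediation": remediation_commands(enabled),
        "release_fixed": fixed,
        "first_fixed_release": first_fixed,
    }


if __name__ == "__main__":
    for key, value in report("17.9.3", SAMPLE_RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

Run the script as-is to see the report for the constructed sample (a 17.9.3 device with both servers enabled); in practice feed it the output of "show running-config" and "show version" from the device.  A result of release_fixed None means the table on this page gives no fixed release for that train, so the Cisco Security Advisory should be consulted directly.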

Additional Information

Cisco Security Advisory - Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature.
CISCO Talos - Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities.
Rapid7 - CVE-2023-20198: Active Exploitation of Cisco IOS XE Zero-Day Vulnerability.
US CISA - Guidance for Addressing Cisco IOS XE Web UI.