CVE-2023-20198

Description

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

Add Assessment

cbeek-r7 (99)

October 17, 2023 6:12am UTC (6 months ago)•

Ratings

Attacker Value

Very High

Exploitability

High

CISA KEV Listed Gives privileged access Unauthenticated

Technical Analysis

Cisco has detected ongoing exploitation of an undisclosed vulnerability within the web user interface (UI) component of Cisco IOS XE Software, particularly when it is accessible via the internet or untrusted networks. This vulnerability permits an external, unauthenticated malicious actor to establish an account on a compromised system with full privilege level 15 access. This unauthorized account can subsequently be leveraged to assume control over the compromised system.

This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.

To assess whether a system might have been infiltrated, carry out the following verifications:

Examine the system logs for indications of the following log messages, with “user” referring to any entities such as “cisco_tac_admin,” “cisco_support,” or any locally configured user that remains unfamiliar to the network administrator. Cisco has published more details of possible indicators of compromise in their advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

10.0 Critical

Impact Score:

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Cisco IOS XE Software 16.1.1

Cisco IOS XE Software 16.1.2

Cisco IOS XE Software 16.1.3

Cisco IOS XE Software 16.2.1

Cisco IOS XE Software 16.2.2

Cisco IOS XE Software 16.3.1

Cisco IOS XE Software 16.3.2

Cisco IOS XE Software 16.3.3

Cisco IOS XE Software 16.3.1a

Cisco IOS XE Software 16.3.4

Cisco IOS XE Software 16.3.5

Cisco IOS XE Software 16.3.5b

Cisco IOS XE Software 16.3.6

Cisco IOS XE Software 16.3.7

Cisco IOS XE Software 16.3.8

Cisco IOS XE Software 16.3.9

Cisco IOS XE Software 16.3.10

Cisco IOS XE Software 16.3.11

Cisco IOS XE Software 16.4.1

Cisco IOS XE Software 16.4.2

Cisco IOS XE Software 16.4.3

Cisco IOS XE Software 16.5.1

Cisco IOS XE Software 16.5.1a

Cisco IOS XE Software 16.5.1b

Cisco IOS XE Software 16.5.2

Cisco IOS XE Software 16.5.3

Cisco IOS XE Software 16.6.1

Cisco IOS XE Software 16.6.2

Cisco IOS XE Software 16.6.3

Cisco IOS XE Software 16.6.4

Cisco IOS XE Software 16.6.5

Cisco IOS XE Software 16.6.4a

Cisco IOS XE Software 16.6.5a

Cisco IOS XE Software 16.6.6

Cisco IOS XE Software 16.6.7

Cisco IOS XE Software 16.6.8

Cisco IOS XE Software 16.6.9

Cisco IOS XE Software 16.6.10

Cisco IOS XE Software 16.7.1

Cisco IOS XE Software 16.7.1a

Cisco IOS XE Software 16.7.1b

Cisco IOS XE Software 16.7.2

Cisco IOS XE Software 16.7.3

Cisco IOS XE Software 16.7.4

Cisco IOS XE Software 16.8.1

Cisco IOS XE Software 16.8.1a

Cisco IOS XE Software 16.8.1b

Cisco IOS XE Software 16.8.1s

Cisco IOS XE Software 16.8.1c

Cisco IOS XE Software 16.8.1d

Cisco IOS XE Software 16.8.2

Cisco IOS XE Software 16.8.1e

Cisco IOS XE Software 16.8.3

Cisco IOS XE Software 16.9.1

Cisco IOS XE Software 16.9.2

Cisco IOS XE Software 16.9.1a

Cisco IOS XE Software 16.9.1b

Cisco IOS XE Software 16.9.1s

Cisco IOS XE Software 16.9.3

Cisco IOS XE Software 16.9.4

Cisco IOS XE Software 16.9.3a

Cisco IOS XE Software 16.9.5

Cisco IOS XE Software 16.9.5f

Cisco IOS XE Software 16.9.6

Cisco IOS XE Software 16.9.7

Cisco IOS XE Software 16.9.8

Cisco IOS XE Software 16.10.1

Cisco IOS XE Software 16.10.1a

Cisco IOS XE Software 16.10.1b

Cisco IOS XE Software 16.10.1s

Cisco IOS XE Software 16.10.1c

Cisco IOS XE Software 16.10.1e

Cisco IOS XE Software 16.10.1d

Cisco IOS XE Software 16.10.2

Cisco IOS XE Software 16.10.1f

Cisco IOS XE Software 16.10.1g

Cisco IOS XE Software 16.10.3

Cisco IOS XE Software 16.11.1

Cisco IOS XE Software 16.11.1a

Cisco IOS XE Software 16.11.1b

Cisco IOS XE Software 16.11.2

Cisco IOS XE Software 16.11.1s

Cisco IOS XE Software 16.12.1

Cisco IOS XE Software 16.12.1s

Cisco IOS XE Software 16.12.1a

Cisco IOS XE Software 16.12.1c

Cisco IOS XE Software 16.12.1w

Cisco IOS XE Software 16.12.2

Cisco IOS XE Software 16.12.1y

Cisco IOS XE Software 16.12.2a

Cisco IOS XE Software 16.12.3

Cisco IOS XE Software 16.12.8

Cisco IOS XE Software 16.12.2s

Cisco IOS XE Software 16.12.1x

Cisco IOS XE Software 16.12.1t

Cisco IOS XE Software 16.12.4

Cisco IOS XE Software 16.12.3s

Cisco IOS XE Software 16.12.3a

Cisco IOS XE Software 16.12.4a

Cisco IOS XE Software 16.12.5

Cisco IOS XE Software 16.12.6

Cisco IOS XE Software 16.12.1z1

Cisco IOS XE Software 16.12.5a

Cisco IOS XE Software 16.12.5b

Cisco IOS XE Software 16.12.1z2

Cisco IOS XE Software 16.12.6a

Cisco IOS XE Software 16.12.7

Cisco IOS XE Software 16.12.9

Cisco IOS XE Software 16.12.10

Cisco IOS XE Software 17.1.1

Cisco IOS XE Software 17.1.1a

Cisco IOS XE Software 17.1.1s

Cisco IOS XE Software 17.1.1t

Cisco IOS XE Software 17.1.3

Cisco IOS XE Software 17.2.1

Cisco IOS XE Software 17.2.1r

Cisco IOS XE Software 17.2.1a

Cisco IOS XE Software 17.2.1v

Cisco IOS XE Software 17.2.2

Cisco IOS XE Software 17.2.3

Cisco IOS XE Software 17.3.1

Cisco IOS XE Software 17.3.2

Cisco IOS XE Software 17.3.3

Cisco IOS XE Software 17.3.1a

Cisco IOS XE Software 17.3.1w

Cisco IOS XE Software 17.3.2a

Cisco IOS XE Software 17.3.1x

Cisco IOS XE Software 17.3.1z

Cisco IOS XE Software 17.3.4

Cisco IOS XE Software 17.3.5

Cisco IOS XE Software 17.3.4a

Cisco IOS XE Software 17.3.6

Cisco IOS XE Software 17.3.4b

Cisco IOS XE Software 17.3.4c

Cisco IOS XE Software 17.3.5a

Cisco IOS XE Software 17.3.5b

Cisco IOS XE Software 17.3.7

Cisco IOS XE Software 17.3.8

Cisco IOS XE Software 17.4.1

Cisco IOS XE Software 17.4.2

Cisco IOS XE Software 17.4.1a

Cisco IOS XE Software 17.4.1b

Cisco IOS XE Software 17.4.2a

Cisco IOS XE Software 17.5.1

Cisco IOS XE Software 17.5.1a

Cisco IOS XE Software 17.5.1b

Cisco IOS XE Software 17.5.1c

Cisco IOS XE Software 17.6.1

Cisco IOS XE Software 17.6.2

Cisco IOS XE Software 17.6.1w

Cisco IOS XE Software 17.6.1a

Cisco IOS XE Software 17.6.1x

Cisco IOS XE Software 17.6.3

Cisco IOS XE Software 17.6.1y

Cisco IOS XE Software 17.6.1z

Cisco IOS XE Software 17.6.3a

Cisco IOS XE Software 17.6.4

Cisco IOS XE Software 17.6.1z1

Cisco IOS XE Software 17.6.5

Cisco IOS XE Software 17.6.6

Cisco IOS XE Software 17.7.1

Cisco IOS XE Software 17.7.1a

Cisco IOS XE Software 17.7.1b

Cisco IOS XE Software 17.7.2

Cisco IOS XE Software 17.10.1

Cisco IOS XE Software 17.10.1a

Cisco IOS XE Software 17.10.1b

Cisco IOS XE Software 17.8.1

Cisco IOS XE Software 17.8.1a

Cisco IOS XE Software 17.9.1

Cisco IOS XE Software 17.9.1w

Cisco IOS XE Software 17.9.2

Cisco IOS XE Software 17.9.1a

Cisco IOS XE Software 17.9.1x

Cisco IOS XE Software 17.9.1y

Cisco IOS XE Software 17.9.3

Cisco IOS XE Software 17.9.2a

Cisco IOS XE Software 17.9.1x1

Cisco IOS XE Software 17.9.3a

Cisco IOS XE Software 17.9.4

Cisco IOS XE Software 17.9.1y1

Cisco IOS XE Software 17.11.1

Cisco IOS XE Software 17.11.1a

Cisco IOS XE Software 17.12.1

Cisco IOS XE Software 17.12.1a

Cisco IOS XE Software 17.11.99SW

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

cisco

Products

ios xe

Metasploit Modules

auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198.rb)

exploit/linux/misc/cisco_ios_xe_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/cisco_ios_xe_rce.rb)

auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273.rb)

Exploited in the Wild

Reported by:

inokii indicated sources as

Vendor Advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/10/16/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: October 17, 2023 5:08am UTC (6 months ago)

cbeek-r7 indicated sources as

Government or Industry Alert (https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/cisco-ios-xe-software-web-ui-zero-day-vulnerability)
Personally observed in an environment (https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitation-of-cisco-ios-xe-zero-day-vulnerability/)

Reported: October 18, 2023 7:32am UTC (6 months ago) • Edited 5 months ago

References

Canonical

CVE-2023-20198 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20198)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

PoC (https://github.com/smokeintheshell/CVE-2023-20198)

cisco-ios-xe-implant-detection (https://github.com/fox-it/cisco-ios-xe-implant-detection)

CVE-2023-20198-Scanner (https://github.com/Shadow0ps/CVE-2023-20198-Scanner)

CVE-2023-20198 (https://github.com/Atea-Redteam/CVE-2023-20198)

CVE-2023-20198-RCE (https://github.com/W01fh4cker/CVE-2023-20198-RCE)