Cisco Finds Two New IOS XE Software Web UI Zero-Day Vulnerabilities

Cisco IOS XE Software, a critical component of many Cisco network devices, has recently been found to have vulnerabilities in its Web UI feature. These vulnerabilities, if exploited, can provide attackers with significant access and control over affected devices. The vulnerabilities are particularly concerning for systems where the web UI feature is activated in the Cisco IOS XE Software. The activation of this feature is typically done using the ip http server or ip http secure-server commands. If a system administrator has used either of these commands, the device is potentially vulnerable. Cisco’s internal investigation has uncovered two distinct vulnerabilities: CVE-2023-20198 and CVE-2023-20273, which in tandem can result in a privilege escalation and system compromisation.

CVE-2023-20198: Privilege Escalation in Cisco IOS XE Software Web UI

This vulnerability allows attackers to gain initial access to the device. Specifically, attackers exploit this vulnerability to issue a privilege 15 command, which in turn allows them to create a local user with a specific password. This user can then log in with standard user access rights.

Technical Details:

• Nature of Vulnerability: CVE-2023-20198 is a privilege escalation flaw in the web UI feature of Cisco IOS XE software. Both physical and virtual devices with the HTTP or HTTPS Server feature enabled are vulnerable.
• Exploitation Path: The exploitation allows an attacker to gain full administrative rights and unauthorized access to the system. Once the attacker has secured this privileged account, they can create a secondary local user account with standard access rights. This user serves as a pivot for further exploits, particularly to leverage the subsequent vulnerability, CVE-2023-20273.

CVE-2023-20273: Command Injection in Cisco IOS XE Software Web UI

Once initial access is secured, attackers can exploit this second vulnerability. Leveraging the previously created local user, they can elevate their privileges to the ‘root’ level. With root access, they can write malicious implants to the device’s file system.

Technical Details:

• Nature of Vulnerability: CVE-2023-20273 is a command injection flaw within the Web UI feature of Cisco’s IOS XE software. While it can be exploited independently, its potential is significantly amplified when used in tandem with CVE-2023-20198.
• Exploitation Path: With a local user account, attackers can exploit this vulnerability to inject arbitrary commands. This ability becomes particularly concerning when these commands are executed with root privileges, offering the attacker almost unrestricted control over the device’s functionalities and data.

Sequential Exploitation

As per the sequence outlined, after obtaining initial access and creating a privileged account via CVE-2023-20198, an attacker creates a local user account with normal privileges. Utilizing this local user account, the attacker exploits CVE-2023-20273 to run commands with elevated (root) privileges on the device, further consolidating their hold on the system. Both vulnerabilities are being actively tracked by Cisco under the identifier CSCwh87343.

Mitigation and Recommendations

Given the seriousness of the vulnerabilities discovered in the Cisco IOS XE Software’s Web UI feature, we urge all stakeholders to take immediate and decisive action, including the following steps:

1. Check for Affected Systems: System administrators should immediately verify if the HTTP Server feature is operational on their devices. This can be achieved by logging into the system and using specific CLI commands. If the ip http server or ip http secure-server command is present in the global configuration, the device is potentially at risk.
2. Disable the HTTP Server Feature: Cisco’s primary recommendation is to disable the HTTP Server feature on all devices that are accessible from the internet. This can be achieved using the no ip http server and no ip http secure-server commands in the global configuration mode.
3. Limit Access: If disabling the HTTP Server feature is not feasible, it’s crucial to restrict its access only to trusted source addresses. Cisco believes that access lists applied to the HTTP Server feature, which limit access from untrusted hosts and networks, can effectively mitigate risks.
4. Upgrade: Cisco advises all customers to upgrade to a fixed software release that addresses these vulnerabilities. They have provided a detailed table in their advisory to guide customers on the appropriate software versions.
5. Stay Informed: As this is an evolving situation, it’s essential to stay updated with announcements from Cisco. The company has committed to updating their advisory as more information becomes available.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact