CVE-2023-20198, Cisco IOS-XE
Intro
This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.
Indicators of Compromise
To determine whether a system may have been compromised, perform the following checks:
Check the system logs for any of the following messages, where user could be cisco_tac_admin, cisco_support, or any configured local user that is unknown to the network administrator:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023
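The two log messages above can be checked outside of Wazuh as well. The following is an added example, not part of the original post: it parses constructed sample lines modelled on those messages, extracts the user and source, and flags the implant account names or any user not in an assumed allowlist of locally configured accounts (the allowlist and sample lines are assumptions for the demo).

```python
import re
# Constructed sample log lines modelled on the two IoC messages above
SAMPLE_LOGS = [
    "%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line 0",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] at 03:42:13 UTC Wed Oct 11 2023",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 203.0.113.7] at 03:45:02 UTC Wed Oct 11 2023",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]

# Account names the advisory associates with the implant, and a hypothetical
# allowlist of local users the administrator actually configured (assumed)
KNOWN_BAD_USERS = {"cisco_tac_admin", "cisco_support"}
CONFIGURED_USERS = {"admin", "netops"}

CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<process>\S+) "
    r"from console as (?P<user>\S+) on line")
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]")

def classify_user(user, configured_users):
    """Return why a username is suspicious, or None if it is a known local account."""
    if user in KNOWN_BAD_USERS:
        return "implant account"
    if user not in configured_users:
        return "unknown local user"
    return None

def scan_logs(lines, configured_users):
    """Return (user, source, reason) hits for the two IoC message types."""
    hits = []
    for line in lines:
        m = CONFIG_P_RE.search(line)
        if m:
            reason = classify_user(m["user"], configured_users)
            # Programmatic config via the web UI process by a suspect user is a hit
            if m["process"] == "SEP_webui_wsma_http" and reason:
                hits.append((m["user"], "console", reason))
            continue
        m = WEBLOGIN_RE.search(line)
        if m:
            reason = classify_user(m["user"], configured_users)
            if reason:
                hits.append((m["user"], m["src"], reason))
    return hits

if __name__ == "__main__":
    for user, src, reason in scan_logs(SAMPLE_LOGS, CONFIGURED_USERS):
        print(f"{user} from {src}: {reason}")
```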
Using Wazuh Detection Rules:
If you use Wazuh to ingest system and network logs from Cisco devices, the following detection rule is part of the default ruleset.
For events matching rule id = 4721:
<rule id="4721" level="3">
    <if_sid>4715</if_sid>
    <id>^%SYS-5-CONFIG</id>
    <description>Cisco IOS router configuration changed.</description>
    <group>config_changed,pci_dss_10.2.7,gpg13_3.7,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
Within those events, check for a log message similar to “Configured programmatically by process SEP_webui_wsma_http from console as user on line”.
Using Cisco Talos Recommended Command
Cisco Talos has provided the following command to check for the presence of the implant where systemip is the IP address of the system to check. This command should be issued from a workstation with access to the system in question:
curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
If the request returns a hexadecimal string, the implant is present.
Python script to run Talos command in a list of IOS-XE devices:
import re
import requests
import urllib3

# Suppress the warning requests emits when certificate verification is disabled
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# List of system IPs to check
systemips = ['192.168.1.1', '192.168.1.2', '192.168.1.3']

# URL template (the endpoint used by the Talos check)
url_template = "https://{systemip}/webui/logoutconfirm.html?logon_hash=1"

# CVE-2023-20198
cve = 'CVE-2023-20198'

# Function to check if a string is hexadecimal
def is_hexadecimal_string(s):
    return bool(re.match(r'^[0-9a-fA-F]+$', s))

for systemip in systemips:
    url = url_template.format(systemip=systemip)
    try:
        # verify=False mirrors curl -k, since the web UI usually has a self-signed certificate
        response = requests.post(url, verify=False, timeout=10)
        if response.status_code == 200:
            # Strip surrounding whitespace so a trailing newline does not defeat the hex check
            response_text = response.text.strip()
            if is_hexadecimal_string(response_text):
                print(f"{systemip}, {cve}, implant found")
            else:
                print(f"{systemip}, {cve}, No match")
        else:
            print(f"{systemip}, {cve}, Request failed with status code {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"{systemip}, {cve}, Request failed with an exception: {str(e)}")

print("Done checking system IPs for CVE-2023-20198.")
Workarounds
There are no workarounds that address this vulnerability.
Recommendations
Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
Exploitation and Public Announcements
Cisco is aware of active exploitation of this vulnerability.
Need Help?
The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html