
Cisco Releases Security Advisory for Actively Exploited Vulnerability CVE-2023-20198

The security advisory addresses a critical privilege escalation vulnerability found in Cisco IOS XE Software Web UI




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Cisco has released a security advisory for an exploited zero-day vulnerability tracked as CVE-2023-20198. The critical vulnerability, with a CVSSv3 score of 10, is a privilege escalation vulnerability.

An unauthenticated, remote attacker could exploit this vulnerability to create an account on an affected system with privilege level 15 access. This account could then be used to gain control of the targeted system. 

Exploitation of CVE-2023-20198

Cisco are aware of active exploitation of this vulnerability. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-20198 to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation in the wild.


Remediation advice

Affected organisations are required to review the Cisco Security Advisory cisco-sa-iosxe-webui-privesc-j22SaA4z and apply the relevant recommendations.


Remediation steps

Guidance

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.


Guidance

The following decision tree can be used to help determine how to triage an environment and deploy protections:

  • Are you running IOS XE?
    • No. The system is not vulnerable. No further action is necessary.
    • Yes. Is ip http server or ip http secure-server configured?
      • No. The vulnerability is not exploitable. No further action is necessary.
      • Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
        • No. Disable the HTTP Server feature.
        • Yes. If possible, restrict access to those services to trusted networks.

When implementing access controls for these services, review the controls before deploying them, because they have the potential to interrupt production services. If you are unsure of these steps, work with your support organisation to determine appropriate control measures.


Guidance

After implementing any changes, use the copy running-configuration startup-configuration command to save the running-configuration. This will ensure that the changes are not reverted in the event of a system reload.
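The three guidance steps above form one triage procedure: check whether the HTTP Server feature is configured, decide whether it can be disabled or must instead be access-restricted, and persist the result. The following script, an added example that is not Cisco's or NHS England's code, walks that decision tree over a running-config exported with show running-config. The device configuration it parses is a constructed sample, the function names are this example's own, and it uses the standard abbreviated form copy running-config startup-config for the save step described in the advisory.

```python
"""Triage an IOS XE running-config against the advisory's decision tree.

Added example, not code from Cisco or from the advisory. It assumes the input
is the plain text of `show running-config`; SAMPLE_CONFIG is a constructed
device configuration used only for illustration.
"""
import re

# Global-configuration lines that enable the Web UI HTTP server feature.
# A disabled feature is rendered as "no ip http server", which the leading
# anchor deliberately does not match.
HTTP_SERVER_RE = re.compile(r"^\s*ip http server\s*$", re.MULTILINE)
HTTPS_SERVER_RE = re.compile(r"^\s*ip http secure-server\s*$", re.MULTILINE)

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname edge-rtr-01
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input ssh
"""


def web_ui_status(config_text):
    """Report which HTTP server features are enabled in the config text.

    Note: this reads only what the running-config renders. Confirm on the
    device with `show ip http server status`, which also reflects defaults.
    """
    return {
        "http": bool(HTTP_SERVER_RE.search(config_text)),
        "https": bool(HTTPS_SERVER_RE.search(config_text)),
    }


def triage(config_text, is_ios_xe, needs_web_services=False):
    """Walk the advisory's decision tree and return (verdict, commands).

    `commands` is the ordered list of CLI commands to apply; it is empty when
    no configuration change is required. `needs_web_services=True` means the
    device runs services that require HTTP/HTTPS (for example eWLC), so the
    feature is retained and access should be restricted to trusted networks.
    """
    if not is_ios_xe:
        return "not vulnerable: not IOS XE", []
    status = web_ui_status(config_text)
    if not (status["http"] or status["https"]):
        return "not exploitable: HTTP server feature not configured", []
    if needs_web_services:
        return "exposed: restrict HTTP/HTTPS access to trusted networks", []
    commands = []
    if status["http"]:
        commands.append("no ip http server")
    if status["https"]:
        commands.append("no ip http secure-server")
    # Persist the change so a reload does not revert it (third guidance step).
    commands.append("copy running-config startup-config")
    return "vulnerable: disable HTTP server feature", commands


if __name__ == "__main__":
    verdict, cmds = triage(SAMPLE_CONFIG, is_ios_xe=True)
    print(verdict)
    for cmd in cmds:
        print("  " + cmd)
```

Because both ip http server and ip http secure-server are present in the sample, the script emits both no commands followed by the save, matching the advisory's note that both commands are needed when HTTP and HTTPS are in use. Running it with needs_web_services=True returns the access-restriction verdict and no commands, since that branch is a network-policy change rather than a configuration line.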




Last edited: 17 October 2023 4:50 pm