October 19, 2023

Protect Your Cisco Devices from CVE-2023-20198- A Critical Privilege Escalation Vulnerability in Cisco IOS XE


Cisco recently disclosed a critical privilege escalation vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software, tracked as CVE-2023-20198. This vulnerability allows an unauthenticated remote attacker to gain full administrator privileges on affected Cisco switches, routers and other devices running vulnerable versions of IOS XE.

According to Cisco’s advisory, the vulnerability exists when the web UI feature is enabled via the ip http server or ip http secure-server commands. Successful exploitation gives the attacker complete control of the device and the ability to monitor traffic, pivot to protected networks, and conduct man-in-the-middle attacks. Cisco has rated this as a maximum-severity bug with a CVSS score of 10 out of 10.

This is an actively exploited zero-day vulnerability, with over 35,000 internet-facing Cisco devices already confirmed infected. Cisco has strongly urged administrators to disable the web UI feature on externally exposed devices until a patch is released. In this post, we will examine the details and impact of CVE-2023-20198, a critical privilege escalation vulnerability in Cisco IOS XE, as well as steps to detect compromise and mitigate risk.

A Short Introduction to Cisco IOS XE

Cisco IOS XE is an open and flexible operating system optimized for enterprise wired and wireless access, aggregation, core, and WAN environments. It reduces business and network complexity by serving as the single OS across Cisco’s enterprise networking portfolio.

Cisco IOS XE is supported on a wide range of Cisco products including enterprise switches like the Catalyst 9000 family, wireless controllers such as the Catalyst 9800 Series, access points like the Catalyst 9100 Series, aggregation routers including the ASR 1000 and ASR 900 Series, and branch routers like the ISR 4000 Series.

Cisco IOS XE provides several key benefits:

  • Resilience – Developed with high availability in mind, Cisco IOS XE reduces planned and unplanned downtime.

  • Security – It helps protect against modern cyberattacks through enhanced platform integrity, security, and resilience.

  • Automation – Cisco IOS XE enables model-driven programmability, application hosting, and configuration management to automate day-to-day tasks.

With its ability to connect, secure, and automate, Cisco IOS XE helps drive operational excellence across enterprise wired and wireless environments.

Summary of CVE-2023-20198

  • CVE ID: CVE-2023-20198

  • Description: Privilege Escalation Vulnerability in Cisco IOS XE Software Web UI

  • CVSS Score: 10.0 (Critical severity)

  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2023-20198 stems from insufficient access controls in the web-based user interface (web UI) of Cisco IOS XE software. When exposed to the internet, the web UI feature allows unauthenticated remote attackers to create user accounts with privilege level 15 access. This gives full administrative control of the affected device.

Successful exploitation is possible when the web UI is enabled via the ip http server or ip http secure-server commands. The attacker can then access the web UI and create a user account such as “cisco_tac_admin”. This account has complete control over the device configuration and traffic.

In addition to account creation, this flaw allows attackers to deploy a malicious implant that allows arbitrary command execution on the compromised Cisco devices. As of October 18th, 2023, Orange’s CERT Coordination Center had confirmed on Twitter the compromise of 35,000 devices.

Cisco says it first became aware of potential exploitation of this critical privilege escalation vulnerability in Cisco IOS XE software in late September 2023. The team observed two clusters of related malicious activity targeting the web UI feature.

The initial activity was observed on September 18th, when an attacker created a local user account named “cisco_tac_admin” on a customer device from a suspicious IP address (5.149.249[.]74).

The second wave began on October 12th, with the creation of another local user, “cisco_support”, by an unauthorized attacker from a second suspicious IP address (154.53.56[.]231). This time, the team also observed that an implant with a configuration file named “cisco_service.conf” had been deployed.

According to Cisco, these two clusters of activity were likely conducted by the same threat actor. The September attacks appear to have been initial testing, while the October incidents showed the attacker expanding their operation by establishing persistent access through the implant.

Cisco has detailed the implant and the initial access vector in its blog post. We urge you to read the original publication for comprehensive details.

Cisco Products Vulnerable to CVE-2023-20198

Essentially any Cisco device with IOS XE and the web UI enabled via ip http server or ip http secure-server commands is vulnerable. This encompasses many of Cisco’s enterprise wired and wireless access, aggregation, core, and WAN products.

Cisco has not yet released any software patches to address this critical IOS XE vulnerability. All vulnerable products will need to be updated once patches become available. In the meantime, follow the recommendations and check for compromise on your Cisco appliances.

To check if your Cisco device is vulnerable, you need to determine if the HTTP Server feature is enabled. This feature serves the web-based user interface that the attackers are exploiting with this vulnerability.

You can check the HTTP Server configuration by logging into the CLI of your Cisco device and running the command:

show running-config | include ip http server|secure|active

This will display any ip http server or ip http secure-server commands present in the running configuration. If either of these commands exists, then the HTTP Server feature is enabled and your device is likely vulnerable.

Specifically, the ip http server command enables HTTP access to the web interface, and ip http secure-server enables HTTPS access.

If the output of the command looks like this, your device is vulnerable:

Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server

If instead you see the following output, with the active-session-modules set to none for each enabled protocol, then the vulnerability is not exploitable over either HTTP or HTTPS:

Router# show running-config | include ip http server|secure|active
ip http server
ip http active-session-modules none
ip http secure-server
ip http secure-active-session-modules none
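The decision rule above (a protocol is exposed when its server command is present and its active-session-modules line is not set to none) is easy to apply by eye on one router but tedious across a fleet. The following is an added example, not code from the original post or from Cisco, that parses saved output of the show running-config command and applies that rule. The three sample outputs are constructed; the third one also covers the case, not shown in the post, where a platform that defaults to HTTP enabled prints an explicit no ip http server line, which the include filter still matches and which must not be read as "enabled".

```python
from typing import Dict, List

# Constructed sample outputs of `show running-config | include ip http server|secure|active`.
EXPOSED_CONFIG = """\
Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server
"""

# Both servers on, but the web UI session modules are set to none on each: not exploitable.
HARDENED_CONFIG = """\
Router# show running-config | include ip http server|secure|active
ip http server
ip http active-session-modules none
ip http secure-server
ip http secure-active-session-modules none
"""

# Explicit negations (seen on platforms where HTTP is on by default) are matched by the
# include filter too; a naive substring check for "ip http server" would misread them.
DISABLED_CONFIG = """\
Router# show running-config | include ip http server|secure|active
no ip http server
no ip http secure-server
"""


def config_statements(output: str) -> List[str]:
    """Drop the echoed prompt line (first token ends in '#') and blank lines,
    returning only the configuration statements."""
    statements = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.split()[0].endswith("#"):
            continue
        statements.append(line)
    return statements


def assess_web_ui_exposure(output: str) -> Dict[str, bool]:
    """Apply the advisory's rule: HTTP is exposed when 'ip http server' is present
    without 'ip http active-session-modules none'; HTTPS is exposed when
    'ip http secure-server' is present without 'ip http secure-active-session-modules none'.
    Explicit 'no ip http ...' lines count as that protocol being off."""
    stmts = set(config_statements(output))
    http_on = "ip http server" in stmts and "no ip http server" not in stmts
    https_on = "ip http secure-server" in stmts and "no ip http secure-server" not in stmts
    http_webui_off = "ip http active-session-modules none" in stmts
    https_webui_off = "ip http secure-active-session-modules none" in stmts
    http_exposed = http_on and not http_webui_off
    https_exposed = https_on and not https_webui_off
    return {
        "http_exposed": http_exposed,
        "https_exposed": https_exposed,
        "vulnerable": http_exposed or https_exposed,
    }


if __name__ == "__main__":
    for name, sample in [("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG), ("disabled", DISABLED_CONFIG)]:
        print(name, assess_web_ui_exposure(sample))
```

Feed it the captured output of the same show command from each device in your inventory and act on every result where vulnerable is True; a device marked hardened is still running the HTTP server process, so the no ip http server / no ip http secure-server route in the mitigation section below remains the cleaner fix where nothing else depends on it.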

How Do You Check Your Cisco Device is Compromised?

The first and foremost thing to check is your system logs for any suspicious new user accounts. Specifically, look for:

  • Accounts like “cisco_tac_admin” or “cisco_support”

  • Any other unknown privileged local users

Related log messages will look like:

%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http  
from console as user on line

%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source:  
source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

Next, check for unauthorized file installations by searching for:

%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename

Finally, check for the presence of the implant. Run this command, substituting your device's IP address for systemip, to check for the implant:

curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"

If it returns a hexadecimal string, the implant is present.
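The three log checks and the implant response check above are simple enough to turn into a script that runs over exported syslog data. The following is an added example, not code from the original post or from Cisco: it matches the three message formats quoted above, flags logins and web UI driven changes by accounts that are either the attacker names Cisco reported or absent from a baseline of expected accounts, flags every file ADD performed through the web UI, and classifies the body returned by the curl check. The baseline account list, the sample log lines and the source address 192.0.2.10 are constructed for the example.

```python
import re
from typing import Dict, List

# Account names Cisco's advisory reports being created on compromised devices.
KNOWN_ATTACKER_USERS = {"cisco_tac_admin", "cisco_support"}
# Accounts you actually provisioned (assumed baseline for this example; replace with your own).
EXPECTED_USERS = {"admin", "netops"}

# Constructed sample syslog lines modelled on the three message formats quoted in the post.
# 192.0.2.10 is a documentation-range placeholder, not an observed attacker address.
SAMPLE_LOGS = """\
Oct 11 03:42:13.101 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 03:42:13 UTC Wed Oct 11 2023
Oct 11 03:42:20.555 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line
Oct 11 03:45:02.009 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf
Oct 11 09:00:00.000 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 09:00:00 UTC Wed Oct 11 2023
"""

WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) from console as (?P<user>\S+) on line"
)
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), Install Operation: (?P<op>\S+) (?P<file>\S+)"
)


def classify_user(user: str) -> str:
    """Return a finding reason for an account name, or '' when the account is expected."""
    if user in KNOWN_ATTACKER_USERS:
        return "known attacker account name"
    if user not in EXPECTED_USERS:
        return "account not in baseline"
    return ""


def triage_logs(log_text: str) -> List[Dict[str, str]]:
    """Scan syslog text for the indicators listed in the post; one finding per suspicious line."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if m := WEBLOGIN_RE.search(line):
            reason = classify_user(m["user"])
            if reason:
                findings.append({"type": "web_login", "user": m["user"], "detail": m["src"], "reason": reason})
        elif m := CONFIG_P_RE.search(line):
            # Legitimate web UI use also produces SEP_webui_wsma_http config messages,
            # so only the acting account decides whether this is flagged.
            reason = classify_user(m["user"])
            if reason and m["proc"].startswith("SEP_webui"):
                findings.append({"type": "webui_config_change", "user": m["user"], "detail": m["proc"], "reason": reason})
        elif m := INSTALL_RE.search(line):
            # Every ADD through the web UI deserves review; the implant was installed this way.
            if m["op"] == "ADD":
                findings.append({"type": "webui_install", "user": m["user"].strip(), "detail": m["file"], "reason": "file added via web UI"})
    return findings


HEX_RE = re.compile(r"[0-9a-fA-F]+")


def implant_response_indicates_presence(body: str) -> bool:
    """Interpret the body returned by the logoutconfirm.html check from the post:
    a bare hexadecimal string means the implant answered; HTML or an empty body does not."""
    return HEX_RE.fullmatch(body.strip()) is not None


if __name__ == "__main__":
    for finding in triage_logs(SAMPLE_LOGS):
        print(finding)
```

Run triage_logs over the device's archived syslog rather than only the in-memory buffer, since an attacker with level 15 access can clear it; and treat a single webui_install finding as grounds for the implant check and a full configuration review, not just a user-account cleanup.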

These checks can help identify unauthorized access and compromise of your Cisco devices through this vulnerability.

How to Protect Your Cisco Devices from CVE-2023-20198?

Since this is a zero-day vulnerability, Cisco has not yet released either a workaround or any patches to address it. However, they have provided mitigation recommendations to prevent exploitation in the meantime:

  • Disable HTTP Server Feature – Cisco strongly recommends disabling the web UI feature entirely by using the commands:

no ip http server
no ip http secure-server

This closes the attack vector. But note this may impact other services that depend on HTTP/HTTPS.

  • Restrict Access – If you need to keep the web UI enabled, restrict access to only trusted networks using access control lists.

  • Remove External Exposure – Do not expose the web UI to the internet or any untrusted networks.

  • Check for Compromise – Monitor system logs to detect suspicious activity and run Cisco’s implant detection steps.

  • Save Configuration – Use copy running-configuration startup-configuration after making changes to save them across reboots.

As this is an actively exploited zero-day without any patch, administrators should immediately assess exposure and implement these recommendations. Stay tuned for updates from Cisco on official fixes for this critical IOS XE vulnerability. Disabling the web UI is the most effective mitigation until then.

CVE-2023-20198, with the highest possible CVSS score, represents a dangerous new privilege escalation vulnerability in Cisco IOS XE allowing remote takeover of Cisco’s enterprise networking devices. All organizations using Cisco products should immediately audit for exposure and implement the recommended mitigations. Completely disabling the web-based UI feature blocks this vulnerability for now. Practice proactive monitoring to detect signs of compromise until official patches become available. This zero-day threat puts networks at serious risk, making urgent assessment and preventative action a top priority.

We hope this post helps you understand how to protect against CVE-2023-20198, a critical privilege escalation vulnerability in Cisco IOS XE. Thanks for reading this post. Please share this post and help secure the digital world.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
