The proof of concept (PoC) exploit code for a major vulnerability in Cisco IOS XE software, tracked as CVE-2023-20198, has been released to the public by researchers from Horizon3.ai. This vulnerability, which Cisco has recently alerted its customers about, is being actively exploited in cyber attacks. The tech giant discovered this flaw while resolving multiple Technical Assistance Center (TAC) support cases.
The CVE-2023-20198 vulnerability has been used by threat actors to compromise a large number of Cisco IOS XE devices. This flaw allows an attacker to gain administrative privileges and take control of vulnerable routers. According to the advisory issued by Cisco, the exploitation of this vulnerability enables a remote, unauthenticated attacker to create an account with privilege level 15 access on the affected system.
Cisco's advisory states, “This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.” The vulnerability impacts both physical and virtual devices that have the Web User Interface (Web UI) feature enabled and are using the HTTP or HTTPS Server feature.
The company advises administrators to inspect the system logs for certain log messages in which the user is cisco_tac_admin, cisco_support, or any local user unknown to the network administrators. Cisco also suggests disabling the HTTP Server feature on systems exposed to the Internet.
The advisory includes Indicators of Compromise (IoCs) and states, “Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.”
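The two defensive steps above, reviewing logs for unexpected Web UI account activity and confirming that both HTTP transports are disabled, are easy to turn into repeatable checks. The following Python is an added example written for this article; it is not Cisco's or Horizon3.ai's code. The log lines and the running-config excerpt are constructed, and the two syslog message formats it parses are assumptions modelled on IOS XE syslog conventions: take the exact message text from Cisco's advisory before relying on the patterns.

```python
"""Defensive checks for the two actions Cisco's advisory recommends:
scan system logs for Web UI account activity by unexpected users, and
report which 'no ip http ...' commands a running-config still needs.
Added example; log lines and config are constructed, message formats are
assumptions modelled on IOS XE syslog."""
import re
from dataclasses import dataclass

# Account names the advisory calls out as suspicious when they appear in logs.
SUSPICIOUS_USERS = {"cisco_tac_admin", "cisco_support"}

# Assumed formats (modelled on IOS XE syslog, not quoted from the page):
# a successful Web UI login, and a configuration change made programmatically
# on behalf of a user. Both expose the user name we want to inspect.
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) "
    r"from console as (?P<user>\S+)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    reason: str


def find_suspicious_users(log_lines: list[str], known_users: set[str]) -> list[Finding]:
    """Return a Finding for each matching log line whose user is either an
    advisory-listed account name or absent from the local user inventory."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        match = WEBLOGIN_RE.search(line) or CONFIG_RE.search(line)
        if not match:
            continue  # unrelated message, e.g. an interactive CLI config change
        user = match.group("user")
        if user in SUSPICIOUS_USERS:
            findings.append(Finding(line_no, user, "advisory-listed account name"))
        elif user not in known_users:
            findings.append(Finding(line_no, user, "account not in local user inventory"))
    return findings


# Feature line as it appears in 'show running-config' -> command that disables it.
HTTP_FEATURES = {
    "ip http server": "no ip http server",
    "ip http secure-server": "no ip http secure-server",
}


def http_server_remediation(running_config: str) -> list[str]:
    """Return the global-configuration commands still required to disable the
    Web UI transports. Exact-line matching keeps 'ip http authentication local'
    and already-negated 'no ip http ...' lines from being counted as enabled."""
    enabled = {raw.strip() for raw in running_config.splitlines()} & HTTP_FEATURES.keys()
    return sorted(HTTP_FEATURES[feature] for feature in enabled)


# Constructed sample data for a stand-alone run.
SAMPLE_LOGS = [
    "Oct 11 03:42:13.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]",
    "Oct 11 03:42:20.000: %SYS-5-CONFIG_P: Configured programmatically by process webui_http from console as cisco_tac_admin on line 0",
    "Oct 11 03:43:01.000: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: baduser] [Source: 198.51.100.7]",
    "Oct 11 03:44:00.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0",
]
SAMPLE_CONFIG = """!
hostname edge-rtr-1
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1
!
"""

if __name__ == "__main__":
    for finding in find_suspicious_users(SAMPLE_LOGS, known_users={"netops", "admin"}):
        print(f"line {finding.line_no}: user {finding.user!r} ({finding.reason})")
    for command in http_server_remediation(SAMPLE_CONFIG):
        print(f"still required: {command}")
```

The inventory of known local users should come from the device's own `username` lines or an authoritative source, so that an account the attacker created is flagged rather than silently accepted. Both commands appear in the remediation list when HTTP and HTTPS are enabled, matching the advisory's point that each must be disabled separately.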
A large-scale hacking campaign exploiting this vulnerability against Cisco IOS XE routers and switches has been observed. A scanner has also been developed and released to detect internet-exposed systems infected with the implant.
The severity of the situation is highlighted by the fact that privileged access on IOS XE could allow attackers to monitor network traffic, pivot into protected networks, and carry out various man-in-the-middle attacks. Organizations running IOS XE are urged to check their systems to determine whether they have been compromised.
Cybersecurity firm GreyNoise also reported malicious activity connected to the exploitation of this issue. Horizon3.ai researchers have disclosed technical details about the vulnerability along with the PoC exploit code. The researchers stated, “[the PoC code] is an example request that bypasses authentication on vulnerable instances of IOS-XE. This POC creates a user named ‘baduser’ with privilege level 15. Let’s dig into the details.”
Cisco has issued updates to rectify the security vulnerability. Customers are strongly advised to upgrade to a fixed software release as indicated by Cisco.