Fortis Security Advisory: Cisco IOS XE Web UI Vulnerability
On Monday, October 16th, 2023, Cisco released an advisory identifying and confirming active exploitation of a previously undisclosed vulnerability (CVE-2023-20198) in the Web User Interface (Web UI) feature of Cisco IOS XE software. The vulnerability is critical: successful exploitation gives a remote attacker full control of the device without authenticating. Cisco Talos has observed attackers following the initial exploitation by installing a malicious implant on the device, which lets them execute further unauthorized commands. Because these devices carry routing, switching, and wireless traffic, a compromise can disrupt business operations if the attacker modifies routing, switching, access point, or other configurations. As of Monday, October 16th, 2023, every instance of Cisco IOS XE with the Web UI feature enabled is vulnerable to this exploit.
What Action is Fortis by Sentinel Taking for ActiveDefense Services Customers?
The Threat Intelligence team is building high-fidelity ticketing alerts for the IoCs associated with this activity so that any gap in existing coverage is closed. The Fortis Threat Investigation team is reviewing the IoC list and performing targeted threat hunting in customer environments in line with Cisco's guidance. If there are significant findings in your environment, a Threat Investigation Analyst will contact you. If you have concerns or questions about potential impact in your environment, please contact your Fortis CXM or open a case in your MySentinel portal.
What Action is Sentinel Taking for Managed Services Customers?
Customers with affected IOS XE managed devices that are directly exposed to the Internet are being prioritized, as they are at the highest risk. For every managed device found to be externally reachable and running the HTTP server, Sentinel will issue the implant check request noted below (see the Indicators of Compromise section) and evaluate the response to determine whether the implant is installed.
Managed Service clients with externally available affected devices will have proactive cases opened on their behalf for triage, remediation, and communications. If the client does not have NOC managed services but requires assistance in validation and remediation, we can provide these services at T&M (time & material) rates.
At the time of this advisory, the vulnerability affects Cisco IOS XE Software only when the Web UI feature is enabled. The Web UI is enabled by the ip http server or ip http secure-server configuration commands. To confirm whether either is present on a device, run show running-config | include ip http server|secure|active from the CLI, which is the check Cisco recommends in its advisory. If you do not run Cisco IOS XE, or the Web UI feature is not enabled, no action is necessary at this time.
Products Confirmed Not Vulnerable: Instances of Cisco IOS XE with the Web UI feature not enabled are not currently vulnerable to this exploit.
Cisco has provided specific recommendations to mitigate this vulnerability, please refer to the linked Cisco article below for more in-depth instructions. Known IoCs are also listed below for reference.
Cisco plans to release software updates that address this vulnerability. To determine the availability of these updates and their applicability to your environment, regularly consult the advisories for Cisco products on the Cisco Security Advisories page.
Vulnerability ID: CVE-2023-20198
Vulnerability Description: The vulnerability is reachable only when the Web UI feature is enabled. When it is, a remote, unauthenticated attacker can create an account on the affected system with privilege level 15, the highest IOS XE privilege level, which grants full control of the compromised device and allows any further unauthorized activity. Both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS Server feature enabled are vulnerable.
The Web UI is an embedded graphical device-management tool in Cisco IOS XE. It lets administrators provision and manage the system through a browser rather than the CLI. It ships in the default system image and requires no separate installation or licensing component; it becomes reachable only when the HTTP server or HTTPS server feature is turned on, which is why that configuration is the vulnerable condition.
Indicators of Compromise
Investigate system logs for suspicious logins, installations, and files. To identify potential compromises, Cisco advises checking system logs for the following messages, paying particular attention to any that name a username you do not recognize or a source address outside your management network:
%SYS-5-CONFIG_P: configuration changes applied programmatically (for example through the Web UI) rather than by an interactive CLI session.
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: a successful Web UI login; check the user and source IP fields against your known accounts and management networks.
%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename: a file installed through the Web UI; any install operation you did not initiate is suspicious.
Cisco Talos has provided a curl command to check for the presence of the implant. Run it from a workstation that can reach the device's HTTPS interface:
curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"
Note: Replace DEVICEIP with the IP address of the device in question. The URL is quoted so the shell does not treat the ? as a glob character, and -k is needed because the management interface normally presents a self-signed certificate. Talos reports that a response consisting of a hexadecimal string indicates the implant is present. A normal response does not prove the device is clean: review the log messages above as well, and treat any level 15 account you did not create as evidence of compromise.
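As an added illustration of the two checks above, the log-message review and the Talos probe, the following Python script is not Cisco, Talos or Fortis tooling. It scans constructed sample log lines for the three message IDs, pulls out the user, source and file fields, flags any username not on a known-accounts list, and classifies the body returned by the probe (hexadecimal string means implant). The usernames, IP addresses and file name in the sample are invented, and probe_device() is a urllib equivalent of the curl command for readers who want the check scripted across many devices.

```python
"""Triage helpers for CVE-2023-20198 (added example, not vendor tooling).

1. triage_log(): scan device log lines for the three IoC message IDs and
   extract user / source / file, flagging accounts not in a known set.
2. implant_indicated(): classify the body returned by the Talos probe
   (POST https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1);
   a body that is nothing but a hexadecimal string indicates the implant.
The sample log below is constructed to mimic the IOS XE message formats;
it is not captured from a compromised device.
"""
import re
import ssl
import urllib.error
import urllib.request

IOC_MSGS = {
    "%SYS-5-CONFIG_P": "configuration applied programmatically",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS": "successful Web UI login",
    "%WEBUI-6-INSTALL_OPERATION_INFO": "file installed through the Web UI",
}

# The three message bodies carry the username in different shapes:
#   "[user: NAME] [Source: IP]"          (WEBLOGIN_SUCCESS)
#   "User: NAME, Install Operation: ADD FILE"  (INSTALL_OPERATION_INFO)
#   "from console as NAME on line"       (CONFIG_P)
_USER_PATTERNS = [
    re.compile(r"\[user:\s*([^\]\s]+)\]"),
    re.compile(r"\bUser:\s*([^,\s]+)"),
    re.compile(r"\bas\s+(\S+)\s+on line"),
]
_SOURCE_RE = re.compile(r"\[Source:\s*([^\]\s]+)\]")
_FILE_RE = re.compile(r"Install Operation:\s*ADD\s+(\S+)")


def _first_match(patterns, line):
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def triage_log(lines, known_users):
    """One finding per log line carrying an IoC message ID.

    known_users: accounts that legitimately exist on the device. A finding
    whose user is not in that set gets unknown_user=True, which is the
    condition Cisco tells operators to hunt for.
    """
    findings = []
    for line in lines:
        for msg_id, meaning in IOC_MSGS.items():
            if msg_id not in line:
                continue
            user = _first_match(_USER_PATTERNS, line)
            src = _SOURCE_RE.search(line)
            fname = _FILE_RE.search(line)
            findings.append({
                "msg": msg_id, "meaning": meaning, "user": user,
                "source": src.group(1) if src else None,
                "file": fname.group(1) if fname else None,
                "unknown_user": user is not None and user not in known_users,
                "line": line,
            })
    return findings


_HEX_BODY = re.compile(r"[0-9A-Fa-f]+")


def implant_indicated(body):
    """True when the probe response is a bare hexadecimal string.

    An unmodified device returns its normal HTML logout page; the implant
    answers with a hex string. HTML, an empty body or an error page gives
    False. False does NOT prove the device is clean; correlate with logs.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    return _HEX_BODY.fullmatch(body.strip()) is not None


def probe_device(ip, timeout=5.0):
    """urllib equivalent of the advisory's curl command (needs network).

    Certificate checks are disabled on purpose, as with curl -k: the device
    normally presents a self-signed certificate. Returns (status, body).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{ip}/webui/logoutconfirm.html?logon_hash=1"
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed sample log. "admin" is the only legitimate account;
# "svc_backup9", the addresses and bootflash:/update.tar are invented.
SAMPLE_LOG = """\
Oct 16 02:11:07.221: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] at 02:11:07 UTC Mon Oct 16 2023
Oct 16 03:42:13.004: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc_backup9] [Source: 198.51.100.23] at 03:42:13 UTC Mon Oct 16 2023
Oct 16 03:42:20.118: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as svc_backup9 on line
Oct 16 03:42:41.550: %WEBUI-6-INSTALL_OPERATION_INFO: User: svc_backup9, Install Operation: ADD bootflash:/update.tar
Oct 16 04:00:01.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG.splitlines(), known_users={"admin"}):
        flag = "UNKNOWN USER" if f["unknown_user"] else "known user"
        print(f"{f['msg']:32} {flag:12} user={f['user']} src={f['source']} file={f['file']}")
```

Running the script against the constructed sample reports the admin login as a known user and the three svc_backup9 events (login, programmatic configuration, file install) as unknown-user findings, which is the sequence the advisory describes: a web login by an account you did not create, followed by configuration and an installed file. When scripting probe_device() across a fleet, keep the same caveat as for curl: a False from implant_indicated() is not a clean bill of health.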
There is no workaround that removes this vulnerability. Until fixed software is available, Cisco's recommendation is to disable the HTTP Server feature on all internet-facing systems with the no ip http server and no ip http secure-server commands in global configuration mode (both are needed if both are configured), which closes the attack path at the cost of the Web UI; assess the impact on any services that depend on it before making the change, and save the running configuration afterwards.
For more detailed information, refer to the full advisory available at the following URL:
Cisco Security Advisory
Cisco Talos has an associated blog posting available at the following URL: