Cisco has provided an update regarding the ongoing investigation into the observed exploitation of the web UI feature in Cisco IOS XE Software. The initial fixed software releases are now available on the Cisco Software Download Center.

Cisco will continue to update the advisory as additional releases become available on the Cisco Software Download Center.

The investigation has identified that the attackers exploited two previously undisclosed vulnerabilities.

The initial exploit leveraged CVE-2023-20198 to gain initial access, allowing the attacker to issue a privilege 15 command, creating a local user and password combination. This granted the user normal access.

Subsequently, the attacker exploited another component of the web UI feature, using the new local user to escalate privileges to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.

CVE-2023-20198 has received a CVSS Score of 10.0. CVE-2023-20273 has received a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

For steps on securing against these vulnerabilities, please refer to the Recommendations section in this advisory.

This advisory is accessible at the following link:

Affected Products
Vulnerable Products
These vulnerabilities affect Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is activated using the ip http server or ip http secure-server commands.

Verifying HTTP Server Configuration
To check if the HTTP Server feature is enabled, log into the system and use the command ‘show running-config | include ip http server|secure|active’ in the CLI. Look for the presence of either ‘ip http server’ or ‘ip http secure-server’ command in the global configuration. If either command is present, the HTTP Server feature is enabled.

If ‘ip http server’ is present along with ‘ip http active-session-modules none’, these vulnerabilities are not exploitable over HTTP.

If ‘ip http secure-server’ is present along with ‘ip http secure-active-session-modules none’, these vulnerabilities are not exploitable over HTTPS.

Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

The web UI is a built-in GUI-based system-management tool that facilitates system provisioning, simplifies deployment, and enhances user experience. It comes with the default image, requiring no additional enabling or licensing. The web UI enables configuration building, system monitoring, and troubleshooting without requiring CLI expertise.

Indicators of Compromise
To check for potential compromise, perform the following checks:

Review system logs for specific log messages indicating unauthorized access or unknown usernames.

Check for unfamiliar filenames in system logs.

Utilize the provided command to detect the presence of the implant.

Additionally, specific Snort rules are available to identify exploitation.

There are no workarounds available for these vulnerabilities. Disabling the HTTP Server feature is a recommended mitigation until affected devices can be upgraded.

For those using both HTTP and HTTPS servers, both commands are necessary to disable the HTTP Server feature. Limiting access to trusted networks can also reduce exposure to these vulnerabilities.

While this mitigation has been tested successfully, customers are advised to evaluate its applicability and impact on their own environment before implementation.

Fixed Software
Cisco has released free software updates to address the vulnerabilities outlined in this advisory. Customers with service contracts entitling them to regular software updates should obtain security fixes through their usual channels.

For customers without service contracts, obtaining upgrades is available through the Cisco TAC. Provide the product serial number and the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
Customers are advised to upgrade to the appropriate fixed software release, as specified in the provided table.

Cisco strongly advises customers to disable the HTTP Server feature on all internet-facing systems or restrict access to trusted source addresses. The decision tree provided can assist in determining appropriate actions for a given environment.

For environments running IOS XE with configured HTTP servers, implementing access controls to restrict access from untrusted hosts and networks is an effective mitigation.

Review and potentially adjust access controls cautiously, considering potential impacts on production services. Save any implemented changes to the running configuration to prevent reversion upon system reload.

Exploitation and Public Announcements
Cisco is actively aware of ongoing exploitation of these vulnerabilities.

These vulnerabilities were discovered during the resolution of multiple Cisco TAC support cases.