CVE-2023-20198 & CVE-2023-20273


2024-04-23
11 minutes
Leo Duntze

Introduction

On October 16th, 2023, Cisco disclosed a critical zero-day vulnerability in the WebUI feature of its IOS XE software. Cisco stated that the vulnerability was being actively exploited at the time of the report, with attacks reaching back as early as September 18th, 2023. The vulnerability, identified as CVE-2023-20198, received the highest CVSS score of 10.0, rating it as ‘critical’. This is mainly due to the large number of publicly reachable devices on the internet carrying this vulnerability, but also because of the consequences of successful exploitation. When executed successfully, the attacker gains privilege level 15 access to the device with just a simple web request. This allows the adversary to create a local user account with normal user access without having to provide any sort of authentication. This vulnerability affects both physical and virtual devices running Cisco’s IOS XE software that also have the HTTP or HTTPS server feature enabled.

Four days later, on October 20th, 2023, Cisco proceeded to announce another zero-day vulnerability: CVE-2023-20273, with a CVSS score of 7.2, rating it as ‘high’. This vulnerability lies in another component of the WebUI feature, allowing the attacker to inject arbitrary commands at the system level with root privileges. Attackers would leverage CVE-2023-20273 in combination with CVE-2023-20198 to write an implant into the filesystem of the affected device.

Presenting the attack

Before explaining how an attacker can successfully exploit the CVE-2023-20198 vulnerability, we first need to present the functionality of Cisco’s Web Services Management Agent (WSMA). The WSMA allows an “authenticated” user to execute commands and configure the system, e.g., by creating a local user with privilege level 15 access.

CLI command to create a local user with privilege level 15 access: 

username <user> privilege 15 secret <password>

So, in order to successfully exploit CVE-2023-20198, an adversary needs to format a special web request. This can be achieved by encoding characters in the original web request, also known as bad path parsing. Such a web request is shown in Figure 1 (image credit HORIZON3).

Figure 1 Malicious web request successfully encoding: ‘webui_wsma_http’

The request in Figure 1 creates a new user with the username ‘baduser’ and the password ‘badpassword’. The created account is persistent, meaning that a restart of the system does not remove the account. Common usernames used by the adversaries are ‘cisco_tac_admin’, ‘cisco_support’, or ‘cisco_sys_manager’, all in an attempt to remain undetected. This proof of concept was first presented here by the researcher group HORIZON3.ai after SECUINFRA captured an active attack on their honeypot systems.

Attackers then would use the created account to “legitimately” log in to the system and proceed with the exploitation of CVE-2023-20273. This exploitation is more advanced, so for deeper insights, please refer to this blog post.

Due to a bug in the validating conditions, the only requirement for the IPv6 field is that it contains three fields delimited by ‘:’. This eventually allows an attacker to place an implant at ‘/usr/binos/conf/nginx-conf/cisco_service.conf’. Ultimately, the attacker has to restart the web server; otherwise the configuration change, and thus the implant, never becomes active.

Analysis of the implant showed that it is written in the Lua scripting language. It is not persistent, meaning that a reboot of the system removes it. What remains persistent are the newly created user accounts; they could be observed even after several reboots of the system. To date, two versions of the implant have been spotted in the wild, which caused temporary confusion when the number of affected devices worldwide with this implant plummeted from over 50,000 to under 1,000. Shortly afterwards, the second version of the implant was discovered, and it became evident that in the meantime most of the devices had been updated to the second version of the implant, explaining the sudden drop.

Impact

The Common Vulnerability Scoring System (CVSS for short) rated the CVE-2023-20198 with the highest possible score of 10.0, classifying this vulnerability as ‘critical’. This is mainly due to the large number of public, vulnerable devices.

Figure 2 List of vulnerable devices worldwide. Source Senthorus

Even though it is hard to get an exact number of globally affected devices, a quick search on the platform Shodan.io with the query:

query: ‘http.html_hash:1076109428’

shows that there are more than 150,000 vulnerable devices worldwide, with the US leading this list. Switzerland ranks in place 77, with 263 devices affected.

In the US, many devices belong to communications providers such as Verizon, Cox Communications, Frontier, AT&T, Spirit, Windstream, and Google Fiber.

Affected devices were also found at medical centers, banks, and universities, among other industries.

CVE-2023-20273, allowing for a code injection, received a CVSS rating of 7.2, classifying it as ‘high’. This is due to the fact that an attacker first needs to gain control over an authenticated account for this exploitation to work. However, as shown before, the combination of CVE-2023-20198 and CVE-2023-20273 allows for a very impactful attack.

Defending against CVE-2023-20198 and CVE-2023-20273?

How to check for the implant on a device inside the network

There are multiple ways to check for the malicious implant on compromised Cisco IOS XE devices. An administrator could run the following command against the device:

curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

where ‘DEVICEIP’ has to be replaced with the device’s IP address. If the request returns a hexadecimal string, then the implant is present. However, the above command checks only for the first version of the implant. The command for checking the second version of the implant is:

curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1

Another way to detect affected devices is by running this Python script, released by CERT Orange Cyberdefense.
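To run both of the curl checks above against a list of devices from one place, here is an added Python script (not the post’s own code nor the CERT Orange Cyberdefense script). It sends the same POST to the same path, adds the post’s Authorization value for the second implant variant, and treats a bare hexadecimal body as the implant’s answer; the device IPs and the 8-character minimum for the marker are assumptions.

```python
import re
import ssl
import sys
import urllib.request
from urllib.error import URLError

# Authorization value for the second implant variant, taken from the post.
V2_AUTH = "0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"
# A clean device answers with an HTML page (or nothing); the implant answers
# with a bare hexadecimal string. Minimum length is an assumption.
HEX_MARKER = re.compile(r"^[0-9a-fA-F]{8,}$")


def implant_present(body: str) -> bool:
    """True when the response body is only a hex string (implant reply)."""
    return bool(HEX_MARKER.match(body.strip()))


def probe(device_ip: str, variant: int, timeout: float = 5.0) -> str:
    """Issue the same POST the curl commands issue and return the body text."""
    url = f"https://{device_ip}/webui/logoutconfirm.html?logon_hash=1"
    req = urllib.request.Request(url, data=b"", method="POST")
    if variant == 2:
        req.add_header("Authorization", V2_AUTH)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # same as curl -k: self-signed device certs
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode(errors="replace")


def check_device(device_ip: str) -> dict:
    """Check one device for both implant variants; errors are reported, not raised."""
    result = {"device": device_ip}
    for variant in (1, 2):
        try:
            result[f"v{variant}"] = implant_present(probe(device_ip, variant))
        except (URLError, OSError) as exc:  # HTTPError is a URLError subclass
            result[f"v{variant}"] = f"error: {exc}"
    return result


if __name__ == "__main__":
    # Usage: python3 check_implant.py 192.0.2.10 192.0.2.11 ...  (addresses are placeholders)
    for ip in sys.argv[1:]:
        print(check_device(ip))
```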

How to mitigate the vulnerability?

Cisco is currently rolling out patches for the different versions of the IOS XE software. It is recommended to check here (under the Fixed Releases tab) for which versions a patch is already available. If a patch exists, it then can be downloaded from Cisco’s official downloads page. The following decision tree can be used to assist the process:

Figure 3 Decision tree proposed by Cisco

The research group HORIZON3 analyzed the patch and commented: “Cisco’s method for fixing this vulnerability seems a bit unconventional. We would have expected them to fix the path parsing vulnerability instead of adding a new header. This makes us wonder if there are other hidden endpoints that can be reached with this method.” (Source HORIZON3.ai)

Aside from patching the system as soon as possible, it is also recommended to disable the WebUI feature. This can be done by executing the following commands in the global configuration mode:

no ip http server
no ip http secure-server

The command usage depends on what features of the WebUI are enabled.

Another valuable workaround is to limit access to the HTTP server to the trusted 192.168.0.0/24 network. This can be done via:

!
ip http access-class 75
ip http secure-server
!
access-list 75 permit 192.168.0.0 0.0.0.255
access-list 75 deny any
!

Note: To apply the access list in newer versions of Cisco IOS XE Software, use the following command for the previous example:

ip http access-class ipv4 75

Cisco points out that these workarounds work in their designated testing environment. However, clients are advised to check for applicability in their own infrastructure.
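To audit exported running-configs for the weak state (WebUI reachable from anywhere) versus the restricted state shown above, here is an added Python checker; it is not Cisco tooling and the two sample configs are constructed. It recognises both the classic ‘ip http access-class 75’ and the newer ‘ip http access-class ipv4 75’ forms from the note.

```python
import re

# Constructed sample configs: the weak state and the post's restricted state.
WEAK_CONFIG = """\
ip http server
ip http secure-server
"""
HARDENED_CONFIG = """\
!
ip http access-class ipv4 75
ip http secure-server
!
access-list 75 permit 192.168.0.0 0.0.0.255
access-list 75 deny any
!
"""
ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")


def audit_http_config(running_config: str) -> list:
    """Return findings for an IOS XE running-config text (constructed parser)."""
    lines = [l.strip() for l in running_config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    if not (http_on or https_on):
        return ["OK: WebUI disabled (no ip http server / secure-server)"]
    findings = []
    if http_on:
        findings.append("WARN: plaintext 'ip http server' is enabled")
    access_class = None
    for l in lines:
        m = ACCESS_CLASS_RE.match(l)
        if m:
            access_class = m.group(1)
    if access_class is None:
        findings.append("CRIT: WebUI reachable with no 'ip http access-class'")
        return findings
    acl = [l for l in lines if l.startswith(f"access-list {access_class} ")]
    if not acl:
        findings.append(f"CRIT: access-class {access_class} refers to a missing ACL")
    elif any("permit any" in l for l in acl):
        findings.append(f"WARN: access-list {access_class} permits any source")
    else:
        findings.append(f"OK: WebUI restricted by access-list {access_class}")
    return findings
```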

Indicators of Compromise (IOCs)

In this section, we will present Indicators of Compromise that could be observed during an attack. For a more detailed explanation, please refer to the Cisco advisory.

  • System Logs:
    Check the system logs for suspicious usernames (‘cisco_tac_admin’ or ‘cisco_support’), or any other recently created user that is unknown to the network.
    Check the system logs for an installation process where the source filename is unknown or is not related to the expected action.
  • Snort/ Suricata rules:
    Cisco recommends the following Snort rule IDs for detection:
    • 3:50118 - alerts for initial implant injection (CVE-2023-20273)
    • 3:62527 - alerts for implant interaction
    • 3:62528 - alerts for implant interaction
    • 3:62529 - alerts for implant interaction
    • 3:62541 - alerts on attempted exploitation for initial access (CVE-2023-20198)
    • 3:62542 - alerts on attempted exploitation for initial access (CVE-2023-20198)
  • IP Addresses:
    The following IPs are said to carry out attacks:
    • 5.149.249[.]74
    • 154.53.56[.]231
    • 154.53.63[.]93
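The system-log check above, as an added Python example (not from the post or Cisco): it flags the attacker usernames named in this post and any privilege 15 account creation outside an approved admin list. The log lines are constructed in the shape of IOS XE config-change logging, not captured from a real incident.

```python
import re

# Constructed sample lines shaped like IOS XE config-change logging.
SAMPLE_LOG = """\
Oct 17 2023 02:11:09: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)
Oct 17 2023 02:11:10: %PARSER-5-CFG_LOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet1
Oct 17 2023 03:42:51: %SYS-5-CONFIG_I: Configured from console by cisco_tac_admin on vty1 (198.51.100.23)
Oct 17 2023 03:42:52: %PARSER-5-CFG_LOG_LOGGEDCMD: User:cisco_tac_admin  logged command:username cisco_tac_admin privilege 15 secret ******
Oct 17 2023 03:45:12: %PARSER-5-CFG_LOG_LOGGEDCMD: User:cisco_tac_admin  logged command:username cisco_sys_manager privilege 15 secret ******
"""

# Usernames the post reports as used by the adversaries.
KNOWN_BAD = {"cisco_tac_admin", "cisco_support", "cisco_sys_manager"}
# Who issued the command: "... by <user> on ..." or "User:<user>".
ACTOR_RE = re.compile(r"(?:Configured from \S+ by |User:)(\S+)")
NEW_USER_RE = re.compile(r"logged command:username (\S+) privilege (\d+)")


def scan_logs(log_text: str, approved_admins: set) -> list:
    """Return (kind, username, line) findings for suspicious activity."""
    findings = []
    for line in log_text.splitlines():
        actor = ACTOR_RE.search(line)
        actor_name = actor.group(1) if actor else None
        if actor_name in KNOWN_BAD:
            findings.append(("known_bad_username", actor_name, line))
        created = NEW_USER_RE.search(line)
        if created:
            new_user, level = created.group(1), int(created.group(2))
            if level == 15 and new_user not in approved_admins:
                findings.append(("unapproved_priv15_user", new_user, line))
    return findings


if __name__ == "__main__":
    for kind, user, line in scan_logs(SAMPLE_LOG, {"netops"}):
        print(f"{kind:24} {user:18} {line}")
```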

Summary

CVE-2023-20198 and CVE-2023-20273 have shown how impactful zero-day attacks are. It became once again evident how important attack surface reduction is. A lot of devices could have been protected from this attack by disabling the HTTP/HTTPS feature. In cases where this is not possible, it would have been best practice to limit access to the WebUI feature only to trusted networks.

Further, these vulnerabilities pointed out the importance of input validation. Interestingly, Cisco’s approach to fixing this vulnerability is not to fix the path parsing vulnerability. Instead, a new header was added to enforce authentication. This leads to the suspicion that there are other hidden endpoints that can be reached with this method. Only time will prove if that really is the case. In the meantime, it is best to constantly monitor your network and your devices while applying cybersecurity best practices, such as ensuring authentication or attack surface reduction.


The author

Leo Duntze
SOC Analyst L1 at Senthorus
Leo Duntze is passionate about Cybersecurity.
