Unpatched Zero-Day Being Exploited in the Wild, Cisco Warns
No Patch Available; Thousands Infected by IOS XE Software Web User Interface Flaw
Cisco on Monday asked customers to urgently disable the HTTP Server feature on internet-facing systems that was discovered to have a critical vulnerability in its modular operating system's web interface.
Hackers exploited the IOS XE software web user interface feature to gain administrator-level privileges, effectively taking complete control of compromised devices, Cisco Talos said in a threat advisory.
Cisco's Web UI feature is designed to simplify deployment and user experience. It helps to build system configurations as well as monitor and troubleshoot the system without command-line interface expertise.
The flaw, tracked as CVE-2023-20198, is a privilege escalation bug that can be exploited from the internet or from untrusted networks, Cisco said in its separate advisory. Both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS Server feature enabled are vulnerable. No patch is currently available for the bug, which carries the maximum CVSS rating.
Until a patch is released, Cisco's response is straightforward: Customers are advised to disable the HTTP Server feature on internet-facing systems. This advice aligns with previous guidance from the U.S. Cybersecurity and Infrastructure Security Agency on mitigating risks from internet-exposed management interfaces.
A search on ZoomEye, an internet of things scanner, identified more than 463,000 Cisco IOS XE Web UIs that are currently live. Simo Kohonen, founder of cybersecurity companies Aves Netsec and Defused Cyber, also shared his Shodan search results on X, stating: "Just a small handful of Cisco IOS XE WebUIs live currently ... CVE-2023-20198 is a big one."
Considering the widespread adoption and usage of the Web UI feature, CISA and other cybersecurity agencies worldwide also issued warnings for the vulnerability.
The flaw came to light during the resolution of multiple support cases involving hacked customers. Suspicious activity was detected on Sept. 18, and the first case was reported on Sept. 28. Cisco's Talos Incident Response teams noticed more activity recently, prompting the release of a critical advisory on Monday.
Cisco believes the clusters of activity are likely connected and possibly the work of a single actor. The initial cluster in September appeared to be a test, while the October activity indicates an expansion of operations.
Cisco Talos' analysis also found that after initial exploitation of the new vulnerability, the hackers turned to an older bug, CVE-2021-1435, to install an implant on compromised devices.
The implant is stored at /usr/binos/conf/nginx-conf/cisco_service.conf, with two variable strings composed of hexadecimal characters. The implant is not persistent and is removed when the device reboots. But the newly created local user accounts persist across reboots and hold privilege level 15 - essentially, full administrator access.
Cisco shared a simple technique to determine if an IOS XE device has an active implant on it. The implant responds with an 18-character hexadecimal string when a specific HTTP POST is sent to the system:
$ curl -X POST "http://192.168.1.1/webui/logoutconfirm.html?logon_hash=11a80b7389ccd0a5dab"
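The check above can be scripted for a fleet of devices. The following is an added example, not Cisco's own tooling: it sends the POST described in the article, treats a reply consisting of a bare 18-character hexadecimal string as the implant indicator, and reports unreachable hosts separately so a timeout is not mistaken for a clean result. To make it runnable offline it also starts a constructed stand-in HTTP server on localhost that imitates an implanted and a clean device; the sample hex reply, the host names and the helper names are assumptions. For real devices pass the management URL (https with a self-signed certificate is handled by disabling verification for this probe only).

```python
import re
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The request the article quotes; an implanted device answers it with a
# hexadecimal string, a clean device answers with an HTML page or an error.
CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=11a80b7389ccd0a5dab"
# The article states the implant replies with an 18-character hex string.
HEX_RE = re.compile(r"[0-9a-fA-F]{18}")


def looks_implanted(body: str) -> bool:
    """True if the whole response body is one 18-character hex string."""
    return HEX_RE.fullmatch(body.strip()) is not None


def _tls_context(base_url: str):
    """Management Web UIs usually carry self-signed certificates; for this
    probe only, skip verification on https URLs (equivalent of curl -k)."""
    if not base_url.lower().startswith("https"):
        return None
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_device(base_url: str, timeout: float = 5.0) -> dict:
    """POST the check URL to one device (e.g. http://192.168.1.1) and classify
    the reply.  Unreachable devices are reported as such, not as clean."""
    req = urllib.request.Request(base_url + CHECK_PATH, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=_tls_context(base_url)) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 4xx/5xx still has a body
        status, body = err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return {"host": base_url, "reachable": False, "implanted": False,
                "detail": str(err)}
    return {"host": base_url, "reachable": True, "status": status,
            "implanted": looks_implanted(body), "detail": body[:80]}


class _FakeDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for a device; subclasses set `implanted`."""
    implanted = False

    def do_POST(self):
        if self.implanted and self.path == CHECK_PATH:
            payload = b"0123456789abcdef01"        # constructed 18-char hex sample
        else:
            payload = b"<html><body>logout</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):                 # keep the demo output quiet
        pass


def run_demo(implanted: bool) -> dict:
    """Start a local stand-in device on an ephemeral port, probe it, stop it."""
    handler = type("Device", (_FakeDevice,), {"implanted": implanted})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_device(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for flag in (True, False):
        print(run_demo(flag))
```

Because a device that is down or firewalled returns `reachable: False`, the script never reports it as clean; re-run those hosts from a vantage point that can reach the management interface before closing them out.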
Vulnerability patch management company VulnCheck performed an internet scan and found thousands of implanted hosts. "Cisco buried the lede by not mentioning thousands of internet-facing IOS XE systems have been implanted," said Jacob Baines, VulnCheck's chief technical officer. "This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks and perform any number of man-in-the-middle attacks."
Cisco advised users of products containing this vulnerable software to watch for unexplained or newly created users on devices that might signal malicious activity.
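Both of Cisco's recommendations on this page, disabling the HTTP server on exposed devices and watching for unexplained new users, can be verified from a saved copy of the running configuration. The following is an added example, not Cisco's tooling: it parses `username ... privilege 15` lines, flags any privilege-15 account that is not in an allowlist of known administrators, and reports whether `ip http server` and `ip http secure-server` are still present. The configuration excerpt, the account names and the hash placeholders are constructed for the example.

```python
import re

# Constructed running-config excerpt (not from a real device).  "ops_admin" is
# the organisation's known account; "svc_tmp" is an unexpected privilege-15
# user of the kind the article says to look for.  Hashes are placeholders.
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
username ops_admin privilege 15 secret 9 $9$PLACEHOLDERHASH
username svc_tmp privilege 15 secret 9 $9$PLACEHOLDERHASH
username readonly secret 9 $9$PLACEHOLDERHASH
!
ip http server
ip http secure-server
!
"""

# Same device after the mitigation from the article has been applied.
MITIGATED_CONFIG = SAMPLE_CONFIG.replace(
    "ip http server\nip http secure-server",
    "no ip http server\nno ip http secure-server")

# "username NAME ... privilege N ..."; the privilege clause is optional and,
# when absent, IOS assigns the default level 1.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s.*?\bprivilege\s+(\d+))?", re.M)


def audit_running_config(config_text: str, known_admins: set) -> dict:
    """Summarise privilege-15 accounts and HTTP server state from config text."""
    levels = {}
    for m in USER_RE.finditer(config_text):
        levels[m.group(1)] = int(m.group(2) or 1)
    admins = sorted(name for name, lvl in levels.items() if lvl == 15)
    # Exact-line comparison so "no ip http server" is not read as enabled.
    lines = {line.strip() for line in config_text.splitlines()}
    return {
        "privilege15_users": admins,
        "unexpected_admins": [name for name in admins if name not in known_admins],
        "http_server_enabled": "ip http server" in lines,
        "https_server_enabled": "ip http secure-server" in lines,
    }


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", MITIGATED_CONFIG)):
        print(label, audit_running_config(cfg, {"ops_admin"}))
```

Run it over configs collected by your normal backup job and alert on any non-empty `unexpected_admins` list or on either HTTP flag being true for an internet-facing device; because the article notes the implant itself does not survive a reboot while the added accounts do, the account check remains useful even on devices that were rebooted before the implant probe was run.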
This is the second zero-day advisory from Cisco this month related to IOS XE targeting. The earlier vulnerability - also a privilege escalation bug, tracked as CVE-2023-20109 - allowed attackers to execute arbitrary code if they already had access to a GET VPN group member router or to the key server (see: Breach Roundup: Still Too Much ICS Exposed on the Internet).