{"id":129707,"date":"2023-11-02T17:01:53","date_gmt":"2023-11-02T21:01:53","guid":{"rendered":"https:\/\/rbach.net\/?p=129707"},"modified":"2023-11-02T17:04:47","modified_gmt":"2023-11-02T21:04:47","slug":"whats-up-with-the-cisco-xe-vulnerability","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/whats-up-with-the-cisco-xe-vulnerability\/","title":{"rendered":"What&#8217;s Up with the Cisco XE Vulnerability"},"content":{"rendered":"\r\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-129753 size-medium\" title=\"What's Up with the Cisco XE Vulnerability\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/25b616da-1adc-4e08-a184-e26dada70452-e1698529214242-150x143.jpg?resize=150%2C143&#038;ssl=1\" alt=\"What's Up with the Cisco XE Vulnerability\" width=\"150\" height=\"143\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/25b616da-1adc-4e08-a184-e26dada70452-e1698529214242.jpg?resize=150%2C143&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/25b616da-1adc-4e08-a184-e26dada70452-e1698529214242.jpg?resize=75%2C72&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/25b616da-1adc-4e08-a184-e26dada70452-e1698529214242.jpg?resize=768%2C734&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/25b616da-1adc-4e08-a184-e26dada70452-e1698529214242.jpg?w=892&amp;ssl=1 892w\" sizes=\"auto, (max-width: 150px) 100vw, 150px\" \/>If you are using <a href=\"http:\/\/www.cisco.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cisco<\/a>\u00a0(<a href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-CSCO\/\" target=\"_blank\" rel=\"noopener noreferrer\">CSCO<\/a>) <strong>switches or routers<\/strong> that run <a title=\"Cisco IOS XE\" href=\"https:\/\/www.cisco.com\/c\/en\/us\/products\/ios-nx-os-software\/ios-xe\/index.html\" target=\"_blank\" rel=\"nofollow noopener\">IOS XE<\/a> software, you may be exposed to a <strong>serious security breach<\/strong>. A vulnerability (<a title=\"CVE-2023-20198 Detail\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20198\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2023-20198<\/a>) in the web user interface (UI) of <strong>IOS XE<\/strong> software has been <strong>actively exploited<\/strong> by threat actors to take control of affected devices. This <a title=\"CISA Updates Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities\" href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2023\/10\/23\/cisa-updates-guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities\" target=\"_blank\" rel=\"nofollow noopener\">vulnerability<\/a> lets an attacker who can reach the web UI, with no credentials at all, <strong>send crafted HTTP requests<\/strong> that create a local account with the highest <strong>privilege level (15)<\/strong>. In the attacks observed so far that account was then used with a second web UI flaw, the command injection CVE-2023-20273, to run commands as root and write an implant to the device.<\/p>\r\n<h3>What is the Cisco IOS XE Vulnerability?<\/h3>\r\n<p><a href=\"https:\/\/www.cisco.com\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-115140\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/cisco_logo-4-1.jpg?resize=100%2C61&#038;ssl=1\" alt=\"\" width=\"100\" height=\"61\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/cisco_logo-4-1.jpg?resize=75%2C46&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/cisco_logo-4-1.jpg?w=136&amp;ssl=1 136w\" sizes=\"auto, (max-width: 100px) 100vw, 100px\" \/><\/a>The <a title=\"Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature\" href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-iosxe-webui-privesc-j22SaA4z\" target=\"_blank\" rel=\"nofollow noopener\">Cisco IOS XE vulnerability<\/a> is really two flaws in the web UI feature of IOS XE software, covered by a single Cisco advisory: the privilege-escalation flaw CVE-2023-20198, which hands an unauthenticated attacker a privilege-15 account, and the command injection flaw CVE-2023-20273, which that account is then used to exploit for root-level command execution. 
<a title=\"CERT Orange Cyberdefense\" href=\"https:\/\/www.orangecyberdefense.com\/global\/\" target=\"_blank\" rel=\"nofollow noopener\">CERT Orange Cyberdefense<\/a> <a title=\"CERT Orange Cyberdefense\" href=\"https:\/\/twitter.com\/CERTCyberdef\/status\/1714567941184749609\" target=\"_blank\" rel=\"nofollow noopener\">reported<\/a> more than 34,500 IOS XE devices, counted by IP address, already carrying the implant left by exploitation of this <strong>CVSS 10.0 vulnerability<\/strong>. The web UI is a web-based management interface that lets administrators configure and monitor Cisco devices through a <strong>web browser<\/strong>. The feature is <strong>enabled by default on many platforms<\/strong> and is turned on or off from the command-line interface (CLI) with the `ip http server` and `ip http secure-server` commands.<\/p>\r\n<p>The command injection half of the chain exists because the web UI does not properly validate user input in HTTP requests. An attacker exploits it by sending specially crafted HTTP requests to the web UI that carry <strong>injected commands<\/strong>, which then run with <strong>root privileges<\/strong> on the underlying operating system. Root gives the attacker <strong>full control over the device<\/strong>.<\/p>\r\n<p>The attacker does not need valid credentials to start: the account-creation step is unauthenticated, so all they need is network access to the web UI. This means that <strong>any affected device<\/strong> whose web UI is reachable from the internet or an untrusted network is exposed.<\/p>\r\n<h3>How Can This Vulnerability Impact Your Network?<\/h3>\r\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-116375\" title=\"Data theft\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_theft2-9-e1643394085126-150x108.jpg?resize=126%2C90&#038;ssl=1\" alt=\"Data theft\" width=\"126\" height=\"90\" \/>The impact of this vulnerability depends on the role and configuration of the device in your network. 
An attacker who gains control of a Cisco device can use it to perform various <strong>malicious actions<\/strong>, such as:<\/p>\r\n<ul>\r\n<li>Modify or delete the device configuration.<\/li>\r\n<li>Add administrative accounts that persist across reboots (Talos notes the implant itself is removed by a reboot, but the attacker-created accounts remain).<\/li>\r\n<li>Install malware or backdoors on the device.<\/li>\r\n<li>Redirect or intercept network traffic.<\/li>\r\n<li>Launch attacks against other devices or networks.<\/li>\r\n<li>Exfiltrate sensitive data from the device or network.<\/li>\r\n<\/ul>\r\n<p>Depending on the device type and location, these actions can have serious consequences for your network. For example, an attacker who compromises a core switch or router can disrupt or manipulate the network traffic for a large segment of your network, <strong>affecting multiple services and users.<\/strong><\/p>\r\n<h3>What Can You Do to Mitigate the Risk?<\/h3>\r\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-123320\" title=\"What Can You Do to Mitigate the Risk?\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/patching-1.jpg?resize=125%2C76&#038;ssl=1\" alt=\"What Can You Do to Mitigate the Risk?\" width=\"125\" height=\"76\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/patching-1.jpg?resize=150%2C91&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/patching-1.jpg?resize=1024%2C624&amp;ssl=1 1024w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/patching-1.jpg?resize=75%2C46&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/patching-1.jpg?resize=768%2C468&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/patching-1.jpg?w=1187&amp;ssl=1 1187w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/patching-1.jpg?w=960&amp;ssl=1 960w\" sizes=\"auto, (max-width: 125px) 100vw, 125px\" \/>Cisco has released <strong>fixed software<\/strong> for this vulnerability, but at the time of writing fixed releases were still pending for some IOS XE release trains. 
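<\/p>\r\n<p>Before you decide between patching, disabling the web UI and restricting it, you need a repeatable way to answer three questions per device: is the web UI listening, is the running release older than the first fixed release for its train, and does the device already carry the implant. The Python script below is an added example written for this post; it is not code from the original article, from Cisco or from Cisco Talos. It parses captured CLI output (the samples inside it are constructed, modelled on the real `show ip http server status` and `show version` formats), compares the release against a `fixed_releases` list that you are assumed to copy from the Cisco advisory, and implements the implant probe Cisco Talos published: an HTTP POST to `\/webui\/logoutconfirm.html?logout_hash=1`, where a bare hexadecimal string in the response means the implant is present. Later implant versions answer only when a specific Authorization header is sent, so the probe takes an `auth_value` argument; the header value itself comes from the Talos update, not from this script.<\/p>\r\n
```python
# Added example for this post (not Cisco's, Talos's or the author's code):
# triage helpers for CVE-2023-20198 built on the checks described in the post.
import operator
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample output, modelled on the real 'show ip http server status'.
SAMPLE_HTTP_STATUS = '''
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: local
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
'''
# Constructed sample of the first line of 'show version' on an affected box.
SAMPLE_SHOW_VERSION = 'Cisco IOS XE Software, Version 17.09.04'
# Implant check published by Cisco Talos: POST this path; a clean web UI
# answers with its normal HTML page, the implant with a bare hex string.
IMPLANT_PATH = '/webui/logoutconfirm.html?logout_hash=1'


def web_ui_enabled(show_output):
    # Returns (http_on, https_on). Either listener exposes the web UI, so both
    # must be off before the feature counts as disabled.
    http_on = https_on = False
    for line in show_output.splitlines():
        key, sep, value = line.partition(':')
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip().lower()
        if key == 'http server status':
            http_on = value == 'enabled'
        elif key == 'http secure server status':
            https_on = value == 'enabled'
    return http_on, https_on


def parse_version(text):
    # Finds the first a.b.c token in 'show version' output (or a bare release
    # string) and returns (major, minor, patch, suffix), e.g. (17, 9, 4, 'a').
    for token in text.replace(',', ' ').split():
        parts = token.split('.')
        if len(parts) == 3 and all(p[:1].isdigit() for p in parts):
            nums, suffix = [], ''
            for p in parts:
                digits = ''.join(ch for ch in p if ch.isdigit())
                suffix = p[len(digits):]    # only the last part carries 'a'
                nums.append(int(digits))
            return nums[0], nums[1], nums[2], suffix
    raise ValueError('no IOS XE release number found')


def needs_upgrade(running, fixed_releases):
    # fixed_releases: first fixed release per train, copied from the Cisco
    # advisory by the caller (assumption: the caller keeps that list current).
    # A train with no fixed release yet is treated as affected.
    run = parse_version(running)
    fixes = [parse_version(v) for v in fixed_releases]
    same_train = [f for f in fixes if f[:2] == run[:2]]
    if not same_train:
        return True
    # Strictly older than the fix: (17, 9, 4, '') sorts before (17, 9, 4, 'a').
    return operator.lt(run, min(same_train))


def classify_probe_response(body):
    # Returns 'implant', 'clean' or 'unknown' for the body of the Talos probe.
    text = body.strip()
    if not text:
        return 'unknown'
    if all(ch in '0123456789abcdefABCDEF' for ch in text):
        return 'implant'
    return 'clean'


def probe_device(host, auth_value=None, timeout=5):
    # Live check of one device. Certificate verification is disabled on purpose
    # (IOS XE web UIs normally present self-signed certificates). auth_value:
    # later implant versions answer only to a specific Authorization header;
    # take that value from the Talos update, it is deliberately not hard-coded.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request('https://' + host + IMPLANT_PATH,
                                 data=b'', method='POST')
    if auth_value:
        req.add_header('Authorization', auth_value)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_probe_response(resp.read().decode('utf-8', 'replace'))
    except HTTPError as err:
        # 401/403/404 means the genuine web UI answered on that path.
        return 'clean' if err.code in (401, 403, 404) else 'unknown'
    except URLError:
        return 'unknown'    # unreachable, TLS failure or nothing listening


if __name__ == '__main__':
    # Release list is illustrative; copy the current one from the advisory.
    print(web_ui_enabled(SAMPLE_HTTP_STATUS),
          needs_upgrade(SAMPLE_SHOW_VERSION, ['17.9.4a']))
```
\r\n<p>Run the live probe only from a management host you control, and treat an `unknown` result as a prompt to look closer rather than as a clean bill of health: a device that does not answer may simply have its web UI off, or may be listening on plain HTTP rather than HTTPS. A `clean` result from the probe also says nothing about attacker-created accounts, which survive a reboot even though the implant does not, so still review the running configuration.<\/p>\r\n<p>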
You can check whether your device is affected and whether a fixed release is available on the <a title=\"Cisco Security Advisory page\" href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/publicationListing.x\" target=\"_blank\" rel=\"nofollow noopener\">Cisco Security Advisory page<\/a>. If there is a fixed release for your train, apply it as soon as possible. Bear in mind that patching does not remove accounts or implants an attacker has already planted, so a device that was exposed while unpatched also needs to be checked for compromise.<br \/><br \/>If there is no fixed release for your device yet, or if you cannot apply it immediately, take some <strong>additional steps to protect your network<\/strong> from this vulnerability:<\/p>\r\n<ul>\r\n<li><strong>Disable the web UI<\/strong> feature if you do not need it. Use both the `no ip http server` and `no ip http secure-server` commands in global configuration mode; removing only one leaves the other listener exposed. Save the change with `copy running-config startup-config` so it survives a reboot, and check first that nothing else you rely on for managing the device depends on the HTTP server.<\/li>\r\n<li><strong>Restrict access<\/strong> to the web UI if it must stay on. Apply an access class to the HTTP server (`ip http access-class`) or use ACLs and firewall rules upstream so that only trusted management addresses can reach it, and never expose it to the internet.<\/li>\r\n<li><strong>Monitor<\/strong> your devices and network for signs of compromise. Review the running configuration for local accounts you did not create (Talos reports the attackers using names such as cisco_tac_admin and cisco_support), look for `%SYS-5-CONFIG_P` log messages showing configuration changes made by the `SEP_webui_wsma_http` process, and run the implant check that Cisco Talos published. Feed device syslog into an intrusion detection or prevention system (IDS\/IPS) or a security information and event management (SIEM) system so that these events are seen and acted on.<\/li>\r\n<li><strong>Report<\/strong> any information or evidence related to this vulnerability to CISA and Cisco to help them investigate and mitigate the threat.<\/li>\r\n<\/ul>\r\n<h3>How Can You Check If Your Device Is Affected?<\/h3>\r\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-129754\" title=\"How Can You Check If Your Device Is Affected?\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/c624ae9e-4cd4-45ea-a06f-81722de2cf13.jpg?resize=125%2C125&#038;ssl=1\" alt=\"How Can You Check If Your Device Is Affected?\" width=\"125\" height=\"125\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/c624ae9e-4cd4-45ea-a06f-81722de2cf13.jpg?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/c624ae9e-4cd4-45ea-a06f-81722de2cf13.jpg?resize=75%2C75&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/c624ae9e-4cd4-45ea-a06f-81722de2cf13.jpg?resize=768%2C768&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/c624ae9e-4cd4-45ea-a06f-81722de2cf13.jpg?w=1024&amp;ssl=1 1024w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/c624ae9e-4cd4-45ea-a06f-81722de2cf13.jpg?w=960&amp;ssl=1 960w\" sizes=\"auto, (max-width: 125px) 100vw, 125px\" \/>To <a title=\"Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities\" href=\"https:\/\/blog.talosintelligence.com\/active-exploitation-of-cisco-ios-xe-software\/\" target=\"_blank\" rel=\"nofollow noopener\">check if your device<\/a> is affected by this vulnerability, you need to verify two things: the version of IOS XE software running on the device, and whether the web UI feature is enabled on it.<\/p>\r\n<p><strong>Check the version.<\/strong> Use the `show version` command in the CLI and compare the release with the affected and fixed releases listed in the Cisco security advisory. The first fixed release differs per release train (17.9.x, 17.6.x and so on), so match the train before comparing.<\/p>\r\n<p><strong>Check the status of the web UI.<\/strong> Use `show running-config | include ip http server|secure|active` in the CLI, which is the check Cisco gives in the advisory, or `show ip http server status`. The presence of `ip http server` or `ip http secure-server` in the configuration means the feature is enabled. One exception Cisco notes: if `ip http active-session-modules none` (for HTTP) or `ip http secure-active-session-modules none` (for HTTPS) is also configured, the vulnerability is not exploitable over that protocol.<\/p>\r\n<p>If your device is running an affected release and has the web UI enabled, treat it as vulnerable and take immediate action to <strong>protect it<\/strong>. If it has also been reachable from an untrusted network, check it for compromise rather than assuming it is clean.<\/p>\r\n<h3>The vulnerability is evolving<\/h3>\r\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-129755\" title=\"The vulnerability is evolving\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/31b2d032-e3a4-4df7-8efe-25ecbd53080d-e1698529540883-150x128.jpg?resize=99%2C85&#038;ssl=1\" alt=\"The vulnerability is evolving\" width=\"99\" height=\"85\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/31b2d032-e3a4-4df7-8efe-25ecbd53080d-e1698529540883.jpg?resize=150%2C128&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/31b2d032-e3a4-4df7-8efe-25ecbd53080d-e1698529540883.jpg?resize=75%2C64&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/31b2d032-e3a4-4df7-8efe-25ecbd53080d-e1698529540883.jpg?resize=768%2C656&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/31b2d032-e3a4-4df7-8efe-25ecbd53080d-e1698529540883.jpg?w=1024&amp;ssl=1 1024w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/31b2d032-e3a4-4df7-8efe-25ecbd53080d-e1698529540883.jpg?w=960&amp;ssl=1 960w\" sizes=\"auto, (max-width: 99px) 100vw, 99px\" \/>On 10\/18\/2023 the threat intelligence firm <a href=\"https:\/\/censys.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Censys<\/a>\u00a0<a title=\"CVE-2023-20198 \u2013 Cisco IOS-XE ZeroDay\" href=\"https:\/\/censys.com\/cve-2023-20198-cisco-ios-xe-zeroday\/\" target=\"_blank\" rel=\"nofollow noopener\">found<\/a> over <strong>40,000<\/strong> devices showing the implant. On 10\/21\/2023 <a title=\"ONYPHE\" href=\"https:\/\/www.onyphe.io\/\" target=\"_blank\" rel=\"nofollow noopener\">ONYPHE<\/a> <a href=\"https:\/\/twitter.com\/onyphe\/status\/1715633541264900217\" target=\"_blank\" rel=\"nofollow noopener\">said<\/a> its scanning found only <strong>1,214<\/strong> unique compromised IP addresses, a <strong>97% decrease<\/strong> in three days. There are a number of possible explanations for the rapid decline. Some have argued that the <strong>attack is evolving<\/strong>. CERT Orange Cyberdefense <a href=\"https:\/\/blog.talosintelligence.com\/active-exploitation-of-cisco-ios-xe-software\/\" target=\"_blank\" rel=\"noreferrer noopener\" data-feathr-click-track=\"true\" data-feathr-link-aids=\"[&quot;60071024bdb3f8d0470da8d6&quot;]\">speculated<\/a> that \u201c<em>a potential trace cleaning step is underway [by the threat actor] to hide the implant.&#8221;<\/em><\/p>\r\n<h3><em>rb-<\/em><\/h3>\r\n<p><em>The Cisco IOS XE vulnerability is a serious security issue that affects many Cisco devices running IOS XE software. Patch your devices as soon as possible, because the attackers are evolving the exploit. 
The attackers&#8217; ability to hide the implant will make this a long-term problem on many networks.<\/em><\/p>\r\n<p>&nbsp;<\/p>\r\n<p style=\"text-align: center;\"><em><strong><a title=\"How You Can Help the People of Ukraine\" href=\"https:\/\/www.obama.org\/updates\/help-ukraine\/\" target=\"_blank\" rel=\"nofollow noopener\">How you can help Ukraine!<\/a><\/strong><\/em><\/p>\r\n<p><strong>Related article<\/strong><\/p>\r\n<ul>\r\n<li><a title=\"Exploit released for critical Cisco IOS XE flaw, many hosts still hacked\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/exploit-released-for-critical-cisco-ios-xe-flaw-many-hosts-still-hacked\/\" target=\"_blank\" rel=\"nofollow noopener\">Exploit released for critical Cisco IOS XE flaw, many hosts still hacked<\/a>\u00a0(<a title=\"Bleeping Computer\" href=\"https:\/\/www.bleepingcomputer.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Bleeping Computer<\/a>)<\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a>\u00a0about IT, careers, and anything else that catches his attention since 2005. You can follow him on\u00a0<a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>The Cisco IOS XE vulnerability is evolving the ability to hide and will become a long-term problem on many networks.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[3652,247,2478,1135,3717],"class_list":["post-129707","post","type-post","status-publish","format-standard","hentry","tag-3652","tag-cisco","tag-exploit","tag-ios","tag-patch"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/129707","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=129707"}],"version-history":[{"count":13,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/129707\/revisions"}],"predecessor-version":[{"id":129780,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/129707\/revisions\/129780"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=129707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=129707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=129707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}