Vulnerability in Cisco IOS XE used to install a backdoor

A critical vulnerability (CVE-2023-20198) has been identified in the web interface (web UI) of physical and virtual Cisco devices running the Cisco IOS XE operating system. It allows an attacker who can reach the network port on which the web interface listens to gain, without any authentication, full control of the system at the highest privilege level (privilege level 15). The danger is aggravated by the fact that attackers have been exploiting the unpatched vulnerability for about a month to create additional accounts named "cisco_tac_admin" and "cisco_support" with administrator rights, and to automatically place an implant on the devices that gives them remote command execution.

Although proper security practice is to expose the web interface only to selected hosts or to the local network, many administrators leave it reachable from the Internet. According to the Shodan service, more than 140 thousand potentially vulnerable devices are currently visible on the Internet, and a CERT team has already counted about 35 thousand successfully attacked Cisco devices with the malicious implant installed.

Until a fix that eliminates the vulnerability is published, the recommended workaround is to disable the HTTP and HTTPS server on the device with the commands "no ip http server" and "no ip http secure-server" in the console, or to restrict access to the web interface on the firewall. Note that disabling the HTTP servers also removes the web UI for legitimate administrators, so CLI access (console or SSH) must be available before applying it. To check whether the malicious implant is present, send the following request to the device (use http:// instead if only the plain-HTTP server is enabled; -k is needed because the device usually presents a self-signed certificate):

    curl -k -X POST "https://<device-IP>/webui/logoutconfirm.html?logon_hash=1"

On a compromised device this request returns an 18-character hexadecimal string; a clean device returns the normal logout page or nothing. You can also review the device log for unexpected web UI logins and for operations that install additional files. The messages to look for are:

    %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
    %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 05:41:11 UTC Wed Oct 17 2023
    %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename

A WEBLOGIN_SUCCESS message is also produced by legitimate web UI logins; what matters is an unknown user name or a source address that does not belong to your administrators.

In case of compromise, the implant can be removed simply by rebooting the device, since it does not survive a restart. Accounts created by the attacker, however, are retained after the restart and must be deleted manually, and a reboot does not close the vulnerability itself, so the workaround or the fix must still be applied. The implant is located in the file /usr/binos/conf/nginx-conf/cisco_service.conf and consists of 29 lines of Lua code that execute arbitrary commands at the system level or in the Cisco IOS XE command interface in response to an HTTP request carrying a specific set of parameters.
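The checks described in the two preceding paragraphs (the logoutconfirm.html probe, the three log messages, and the attacker-created accounts) can be scripted for triage across many devices. The following shell script is an added example written for this page; it is not code from the original article or from Cisco. Only the curl request, the log message formats and the account names come from the article; the host name "edge-router", the address 203.0.113.7, the temporary file names and every sample log and config line are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article or from Cisco): offline triage
# helpers for the CVE-2023-20198 indicators. The curl request, log message
# formats and account names come from the article; the sample data below is
# constructed (host name, source address, file names are assumptions).

# 1. Classify the body returned by
#      POST https://<device>/webui/logoutconfirm.html?logon_hash=1
#    A compromised device answers with an 18-character hexadecimal string;
#    a clean one returns the normal logout page (or nothing).
#    Prints "implant" or "clean"; exit status is 0 only when the implant is indicated.
implant_response() {
    body=$(printf '%s' "$1" | tr -d '\r\n')
    if printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]{18}$'; then
        echo implant
        return 0
    fi
    echo clean
    return 1
}

# 2. Live probe of one device (needs network access to its web UI). -k is
#    required because IOS XE usually presents a self-signed certificate;
#    -m bounds the wait so a mass scan does not hang on dead hosts.
probe_device() {
    implant_response "$(curl -sk -m 10 -X POST "https://$1/webui/logoutconfirm.html?logon_hash=1")"
}

# 3. Scan a saved syslog export for the three messages named in the article.
#    Each hit is printed as "<INDICATOR> <original line>".
scan_log() {
    awk '
        /%SYS-5-CONFIG_P:.*SEP_webui_wsma_http/  { print "PROGRAMMATIC_CONFIG " $0; next }
        /%SEC_LOGIN-5-WEBLOGIN_SUCCESS/           { print "WEBUI_LOGIN " $0; next }
        /%WEBUI-6-INSTALL_OPERATION_INFO:.*ADD/   { print "FILE_INSTALL " $0; next }
    ' "$1"
}

# Number of indicator lines in a log export (prints the count).
indicator_count() {
    scan_log "$1" | wc -l | tr -d ' '
}

# 4. Find the attacker-created local users in a saved "show running-config".
#    Prints each rogue username on its own line.
rogue_accounts() {
    grep -E '^username (cisco_tac_admin|cisco_support)[[:space:]]' "$1" | awk '{print $2}'
}

# --- Constructed sample data (not real device output) ----------------------
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 17 05:40:02.101: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 17 05:41:11.220: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.7] at 05:41:11 UTC Wed Oct 17 2023
Oct 17 05:41:30.005: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD cisco_service.conf
Oct 17 05:42:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
EOF

SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
hostname edge-router
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username cisco_support privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server
EOF

# Run as "sh triage.sh demo" to print the triage results for the sample data.
if [ "${1:-}" = "demo" ]; then
    implant_response "0123456789abcdef01"
    implant_response "<html><body>Logged out</body></html>"
    scan_log "$SAMPLE_LOG"
    echo "indicators: $(indicator_count "$SAMPLE_LOG")"
    rogue_accounts "$SAMPLE_CONFIG"
fi
```

In practice the log and config files would come from "show logging" and "show running-config" collected over SSH, and probe_device would be run in a loop over an inventory of device addresses. The awk patterns are deliberately anchored on the process name SEP_webui_wsma_http and on the ADD install operation, because those two messages are rare on a device whose configuration is managed from the CLI, whereas WEBLOGIN_SUCCESS alone is not conclusive.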

Source: opennet.ru