Executive Summary
CVE-2023-20273 is a critical vulnerability identified in the web UI feature of Cisco IOS XE Software. This vulnerability allows an authenticated, remote attacker to inject commands with root privileges due to insufficient input validation. The flaw can be exploited by sending crafted input to the web UI, leading to potential full system compromise. This vulnerability has been actively exploited in the wild, posing significant risks to organizations using the affected software versions. Immediate action is required to patch the affected systems and implement additional security measures to mitigate potential exploitation.
Technical Information
CVE-2023-20273 is a critical security flaw in the web UI feature of Cisco IOS XE Software. The vulnerability arises from insufficient input validation, which allows an authenticated, remote attacker to inject commands with root privileges. This can lead to a full system compromise, enabling the attacker to execute arbitrary commands and potentially take control of the affected device.
The vulnerability is identified by the following details:
- CVE ID: CVE-2023-20273
- Description: Insufficient input validation in the web UI feature of Cisco IOS XE Software.
- Impact: Allows authenticated, remote attackers to inject commands with root privileges.
- Affected Software: Cisco IOS XE Software with the web UI feature enabled.
- Exploitability: High, as it requires only authenticated access to the web UI.
The affected versions of Cisco IOS XE Software include:
- 17.9: Fixed in 17.9.4a
- 17.6: Fixed in 17.6.6a
- 17.3: Fixed in 17.3.8a
- 16.12 (Catalyst 3650 and 3850 only): Fixed in 16.12.10a
The vulnerability is exploited by sending specially crafted input to the web UI; because the input validation is insufficient, the crafted input passes the checks and the attacker's commands are executed with root privileges. This can lead to a full system compromise, enabling the attacker to execute arbitrary commands and potentially take control of the affected device.
Exploitation in the Wild
According to multiple sources, including Cisco's public advisory and Rapid7, this vulnerability has been actively exploited in the wild. Attackers have been observed leveraging this flaw to gain root access and execute arbitrary commands on affected systems. The exploitation process involves gaining initial access through another vulnerability, CVE-2023-20198, which allows the attacker to create a local user account with administrative privileges. The attacker then uses this account to exploit CVE-2023-20273, enabling command injection with root privileges.
The attackers have been observed deploying an implant named "BadCandy," which is a Lua-based web shell. This implant allows the execution of arbitrary commands on the compromised device. The implant is not persistent, meaning it is removed upon a system reboot, but the created user accounts remain active.
APT Groups using this vulnerability
As of the latest reports, no specific APT groups have been attributed to the exploitation of this vulnerability. However, the active exploitation in the wild indicates that various threat actors are leveraging this flaw to compromise affected systems.
Affected Product Versions
The following Cisco IOS XE Software versions are affected if the web UI feature is enabled:
- 17.9: Fixed in 17.9.4a
- 17.6: Fixed in 17.6.6a
- 17.3: Fixed in 17.3.8a
- 16.12 (Catalyst 3650 and 3850 only): Fixed in 16.12.10a
Workaround and Mitigation
To mitigate the risks associated with CVE-2023-20273, organizations should take the following steps:
- Patch Deployment: Apply the latest patches provided by Cisco to address this vulnerability. The fixed versions are 17.9.4a, 17.6.6a, 17.3.8a, and 16.12.10a for the respective affected versions.
- Disable Web UI: If the web UI feature is not necessary, disable it to reduce the attack surface. This can be done through the device's configuration settings.
- Monitor Network Traffic: Implement network and device monitoring to detect unusual activity matching the indicators of compromise published in the references below. This includes monitoring for suspicious IP addresses, newly created local user accounts and usernames, and unexpected file paths on the device.
- Access Control: Restrict access to the web UI to trusted IP addresses and enforce strong authentication mechanisms. This can help prevent unauthorized access to the web UI.
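The first two steps above (patch to a fixed release, or disable the web UI) can be checked across an inventory with a short script. The following is an added example, not code from Rescana or Cisco: it takes the text of a device's `show version` and `show running-config` output, reads the IOS XE version and whether `ip http server` / `ip http secure-server` is configured, and compares the version against the fixed-release table on this page. The regexes and the tuple-based version comparison are assumptions of this example.

```python
import re

# First fixed release per affected train, taken from the table on this page.
FIXED_RELEASES = {
    "17.9": "17.9.4a",
    "17.6": "17.6.6a",
    "17.3": "17.3.8a",
    "16.12": "16.12.10a",  # Catalyst 3650/3850 only
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")
_SHOW_VER_RE = re.compile(r"Cisco IOS XE Software, Version (\S+)")
# Web UI is enabled when either HTTP server line is present; "no ip http ..." will not match.
_HTTP_RE = re.compile(r"^ip http (?:secure-)?server\s*$", re.M)

def parse_version(ver):
    """Split '17.9.4a' into (17, 9, 4, 'a'); a plain '17.9.4' sorts before the '17.9.4a' rebuild."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {ver!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)

def version_from_show_version(text):
    """Extract the version string from 'show version' output, or None if absent."""
    m = _SHOW_VER_RE.search(text)
    return m.group(1) if m else None

def webui_enabled(running_config):
    return bool(_HTTP_RE.search(running_config))

def assess(version, webui_on):
    """Return (status, reason) for one device: not_exposed, fixed, vulnerable or unknown."""
    if not webui_on:
        return ("not_exposed", "web UI disabled; no exposure to CVE-2023-20273")
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return ("unknown", f"train {train} is not in this table; consult the Cisco advisory")
    if v >= parse_version(fixed):
        return ("fixed", f"{version} is at or above {fixed}")
    return ("vulnerable", f"{version} is below {fixed}; upgrade to {fixed}")

def assess_device(show_version_output, running_config):
    ver = version_from_show_version(show_version_output)
    if ver is None:
        return ("unknown", "could not read the version from 'show version' output")
    return assess(ver, webui_enabled(running_config))
```

Feed `assess_device` the captured text of both commands for each device; any `vulnerable` result should be patched or have the web UI disabled, and `unknown` results need a manual check against the Cisco advisory.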
References
- NVD: CVE-2023-20273 Detail - NVD (https://nvd.nist.gov/vuln/detail/CVE-2023-20273)
- Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z)
- Recorded Future: CVE-2023-20273 Description, Impact and Technical Details (https://www.recordedfuture.com/vulnerability-database/CVE-2023-20273)
- IBM: Cisco IOS XE Software (CVE-2023-20198 & CVE-2023-20273) (https://www.ibm.com/docs/en/randori?topic=2023-cisco-ios-xe-software-cve-20198-cve-20273)
- Rapid7: Active Exploitation of Cisco IOS XE Zero-Day Vulnerability (https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitation-of-cisco-ios-xe-zero-day-vulnerability/)
- Talos Intelligence: Active Exploitation of Cisco IOS XE Software Web Management User Interface Vulnerabilities (https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/)
Rescana is here for you
At Rescana, we understand the critical importance of safeguarding your systems against emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you stay ahead of vulnerabilities like CVE-2023-20273. By continuously monitoring your environment and providing actionable insights, we enable you to proactively address potential risks and enhance your cybersecurity posture. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.