CVE-2023-20198:主动利用思科IOS XE零日漏洞

Last updated at Mon, 23 Oct 2023 16:39:32 GMT

On Monday, October 16, Cisco’s Talos group published a blog 利用CVE-2023-20198的活跃威胁活动, 思科IOS XE软件的web UI组件中存在一个“以前未知的”零日漏洞. IOS XE is an operating system that runs on a wide range of Cisco networking devices，包括路由器、交换机、无线控制器、接入点等. 成功利用CVE-2023-20198允许远程, unauthenticated attacker to create an account on an affected device and use that account to obtain full administrator privileges, 有效地实现对系统的完全接管.

在披露时(2023年10月17日)没有CVE-2023-20198的补丁。. Cisco has released fixed versions for a range of solutions as of October 22. As Cisco Talos noted in their blog, the vulnerability has been exploited in the wild, and there appeared to be a significant number of devices running IOS XE on the public internet as of October 17. 对运行IOS XE的互联网暴露设备的估计各不相同, 但攻击面面积似乎相对较大; one estimate puts the exposed device population at 140K+.

On October 20, Cisco updated their advisory on CVE-2023-20198 to reflect that the attack chain their team observed actually included two zero-day vulnerabilities, not just the one:

"The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. 这允许用户以正常的用户访问权限登录.

攻击者随后利用了web UI特性的另一个组件, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.

CVE-2023-20198的CVSS评分为10分.0.
CVE-2023-20273的CVSS评分为7分.2.

CSCwh87343正在跟踪这两个cve."

Additional activity has included deployment of an implant that allows the attacker to execute arbitrary commands at the system level or IOS level. 思科对他们观察到的恶意行为有详尽的描述 here.

Affected products

Cisco’s CVE-2023-20198和CVE-2023-20273的公共咨询 says that Cisco IOS XE software is vulnerable if the web UI feature is enabled (the UI is enabled through the ip http server or ip http secure-server commands). 思科并没有提供一定运行IOS XE的pg电子，但他们的 product page for IOS XE 列出了一些，包括Catalyst、ASR和NCS系列.

According to the advisory, 客户可以确定系统是否启用了HTTP Server特性, by logging into the system and using the Show running-config | include IP HTTP server|secure|active 命令，检查是否存在 ip http server command or the ip http secure-server command in the global configuration. The presence of either command or both commands in the system configuration indicates that the web UI feature is enabled (and that the system is therefore vulnerable).

Cisco’s advisory also specifies that if the ip http server 命令，并且配置中还包含 ip http active-session-modules none, the vulnerability is not exploitable over HTTP. If the ip http secure-server 命令，并且配置中还包含 ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

Mitigation guidance

As of October 22, Cisco has released fixed versions of IOS XE 修复CVE-2023-20198在其解决方案组合中的一系列平台(例如.g., SDWAN, various routers and switches). Organizations should disable the web UI (HTTP Server) component on internet-facing systems on an emergency basis before applying patches. Organizations should also reboot their devices.

To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. Per Cisco’s advisory，如果HTTP服务器和HTTPS服务器都在使用， both commands are required to disable the HTTP Server feature. Organizations should also avoid exposing the web UI and management services to the internet or to untrusted networks.

Disabling the web UI component of IOS XE systems and limiting internet exposure reduces risk from known attack vectors, but notably does not mitigate risk from implants that may have already been successfully deployed on vulnerable systems. Rapid7 recommends invoking incident response procedures where possible to prioritize hunting for indicators of compromise Cisco has shared, listed below.

Cisco-observed attacker behavior

The Cisco Talos blog on CVE-2023-21098 has a full analysis of the implant 他们被部署在威胁行动中. 我们强烈建议完整地阅读这份分析报告. The implant is saved under the file path /usr/binos/conf/nginx-conf/cisco_service.conf 它包含两个由十六进制字符组成的可变字符串. 虽然植入物不是持久的(设备重启会将其移除), the attacker-created local user accounts are.

思科观察到该威胁行为者利用了CVE-2021-1435, which was patched in 2021, 在获得易受CVE-2023-20198攻击的设备的访问权限后安装植入物. Talos also notes that they have seen devices fully patched against CVE-2021-1435 getting the implant successfully installed “through an as of yet undetermined mechanism.”

Rapid7-observed attacker behavior

Rapid7 MDR has so far identified a small number of instances where CVE-2023-20198 was exploited in customer environments, including multiple instances of exploitation within the same customer environment on the same day. The indicators of compromise our team has identified with available evidence indicate the use of techniques similar to those described by Cisco Talos.

Rapid7在我们的调查过程中发现了技术的变化. The first malicious activity performed on the system post-exploitation was associated with the admin account. The following is an excerpt from this log file:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as admin on vty1
The threat actor created the local account cisco_support using the command 用户名cisco_support privilege 15 algorithm-type sha256 secret * under user context admin. 然后，威胁参与者使用新创建的密码对系统进行身份验证 cisco_support 帐户并开始运行几个命令，包括以下命令:

show running-config
show voice register global
show dial-peer voice summary
show platform
show flow monitor
show platform
show platform software iox-service
show iox-service
dir bootflash:
dir flash:
clear logging
no username cisco_support
no username cisco_tac_admin
no username cisco_sys_manager

在完成这些命令后，威胁参与者删除了该帐户 cisco_support. The accounts cisco_tac_admin and cisco_sys_manager were also deleted, but Rapid7 did not observe account creation commands associated with these accounts within available logs.

The threat actor also executed the clear logging 命令清除系统记录并掩盖他们的踪迹. Rapid7在10月12日发现了第二次开采的测井记录, 2023, 但无法查看第一次入侵的日志，因为日志已被清除.

证据表明，威胁参与者执行的最后一个操作与一个名为 aaa:
% web -6- install_operation_info:用户:cisco_support，安装操作:ADD aaa

对比10月12日在同一环境中发生的两次入侵, 在观察到的技术上有细微的差异. For example, 日志清理只在第一次利用中执行, 而第二次利用包括额外的目录查看命令.

Indicators of compromise

The Cisco Talos blog on CVE-2023-20198 directs organizations to look for unexplained or newly created users on devices running IOS XE. One way of identifying whether the implant observed by Talos is present is to run the following command against the device, 其中“DEVICEIP”部分是要检查的设备的IP地址的占位符:

curl -k -X POST "http[:]//DEVICEIP/web /logoutconfirm . curl.html?logon_hash=1"

The command above will execute a request to the device’s Web UI to see if the implant is present. If the request returns a hexadecimal string, the implant is present (note that the web server must have been restarted by the attacker after the implant was deployed for the implant to have become active). Per Cisco’s blog, the above check should use the HTTP scheme if the device is only configured for an insecure web interface.

Additional Cisco IOCs

• 5.149.249[.]74
• 154.53.56[.]231

Usernames:

• cisco_tac_admin
• cisco_support

Cisco Talos also advises performing the following checks to determine whether a device may have been compromised:

Check the system logs for the presence of any of the following log messages where “user” could be cisco_tac_admin, cisco_support 或网络管理员不知道的任何已配置的本地用户:

• %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

• %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

Note: The %SYS-5-CONFIG_P 消息将出现在用户访问web UI的每个实例中. 要查找的指示器是消息中出现的新用户名或未知用户名.

Organizations should also check the system logs for the following message where filename is an unknown filename that does not correlate with an expected file installation action:

• % web -6- install_operation_info: User: username, Install Operation: ADD filename

Rapid7 customers

As of October 17, InsightVM and Nexpose customers can assess their exposure to CVE-2023-20198 with an authenticated vulnerability check that looks for Cisco IOS XE devices with the web UI enabled. We expect to release an update to this check on October 24 to reflect fixed version availability.

InsightIDR and Rapid7 MDR customers have existing detection coverage through Rapid7's expansive library of detection rules. The following detection rules are deployed and alerting on activity related to this vulnerability via the IP addresses provided by Cisco:

• Network Flow - CURRENT_EVENTS Related IP Observed
• 可疑的连接-当前事件相关的IP观察

Updates

October 17, 2023: 更新了rapid7观察到的攻击者行为和ioc.

October 23, 2023: 更新以反映第二个零日漏洞CVE-2023-20273的披露. Also updated to note that Cisco has released a patch for CVE-2023-20198 across a number of affected platforms. Rapid7 expects to release an update to the vulnerability check for CVE-2023-20198 on October 24 to detect patched versions of IOS XE.