Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities
Summary
Note: CISA will continue to update this webpage as we have further guidance to impart.
CISA and its partners are responding to active, widespread exploitation of two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI). Cisco's IOS XE Web UI is a system management tool for IOS XE, which is a network operating system for use on various Cisco products. An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system. Specifically, these vulnerabilities allow the actor to create a privileged account that provides complete control over the device.
Organizations running IOS XE Web UI should immediately implement the mitigations outlined in Cisco's Security Advisory, Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, which include disabling the HTTP Server feature on internet-facing systems, and hunt for malicious activity on their network. According to the Cisco Talos blog, Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities, "Organizations should look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat." See the Talos blog for specific detection methods.
(Updated Nov. 1, 2023)
Note: See Cisco's Software Fix Availability for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198 for a comprehensive list of available software fixes. The list includes fixed IOS XE software releases, including for 17.9, 17.6, 17.3 and 16.12 as well as available Software Maintenance Upgrades (SMUs).
(End of Update)
Technical Details
CVE-2023-20198 is a privilege escalation vulnerability in the web UI feature of Cisco's IOS XE software affecting both physical and virtual devices that have the HTTP or HTTPS Server feature enabled. Exploitation of this vulnerability allows an actor to gain full administrative privileges and unauthorized access to affected systems. After obtaining the privileged account, the actor can then create a local user account with normal privileges to exploit another IOS XE Web UI vulnerability, CVE-2023-20273—a command injection vulnerability—to inject commands with elevated (root) privileges, enabling the actor to run arbitrary commands on the device.
According to the Cisco Talos blog referenced above, a threat actor can:
- Exploit CVE-2023-20198 to obtain initial access and create a privileged account.
- Use the privileged account to create a local user account with normal privileges.
- Using the local user account, exploit another Cisco IOS XE Web UI vulnerability—CVE-2023-20273—to inject commands with elevated (root) privileges, which enables the actor to run arbitrary commands on the device.
Actions for Organizations Running Cisco IOS XE Web UI
CISA urges organizations running Cisco IOS XE Web UI to immediately implement the mitigations outlined in Cisco's Security Advisory, which include disabling the HTTP Server feature on internet-facing systems, and hunt for malicious activity on their network. Note: CISA will add to these mitigations as more information becomes available.
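The two checks the advisory asks for, disabling the HTTP Server feature and looking for unexplained or newly created users, can be scripted against a saved running-config. The following is an added example and is not code from CISA or Cisco; the config excerpt, the account names and the allowlist are constructed, and the check assumes the standard IOS XE `username ... privilege N` and `ip http server` / `ip http secure-server` command forms.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username tmp_support privilege 15 secret 9 $9$PLACEHOLDER
username monitor privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Assumed allowlist of accounts the organisation provisioned itself;
# maintain this from your own change records, not from the device.
KNOWN_ACCOUNTS = {"netadmin", "monitor"}

# Matches "username <name>" with an optional "privilege <n>" (default level is 1).
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def audit_config(config, known_accounts=KNOWN_ACCOUNTS):
    """Report local users not on the allowlist, level-15 users, and whether the
    web UI (HTTP/HTTPS server) is enabled, plus the commands that would disable it."""
    unknown_users, priv15_users = [], []
    http_on = https_on = False
    for raw in config.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            name, priv = m.group(1), int(m.group(2) or 1)
            if priv == 15:
                priv15_users.append(name)
            if name not in known_accounts:
                unknown_users.append(name)
        elif line == "ip http server":
            http_on = True
        elif line == "ip http secure-server":
            https_on = True
    remediation = [cmd for cmd, on in (("no ip http server", http_on),
                                       ("no ip http secure-server", https_on)) if on]
    return {"unknown_users": unknown_users, "priv15_users": priv15_users,
            "web_ui_enabled": http_on or https_on, "remediation": remediation}


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Any account reported under `unknown_users`, especially at privilege 15, should be reconciled against change records before the device is treated as clean.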
(Updated Nov. 1, 2023)
Organizations should upgrade to an appropriate fixed software release as indicated in the following table:
| Cisco IOS XE Software Release Train | First Fixed Release | Available |
| --- | --- | --- |
| 17.9 | 17.9.4a | Yes |
| 17.6 | 17.6.6a | Yes |
| 17.3 | 17.3.8a | Yes |
| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | Yes |
Note: See Cisco's Security Advisory, Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, for additional details as well as available Software Maintenance Upgrades (SMUs). Also, see Cisco's Software Fix Availability for Cisco IOS XE Software Web UI Privilege Escalation Vulnerability - CVE-2023-20198 for a comprehensive list of fixed software releases and SMUs.
(End of Update)
Resources
This information is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.
Mitigation Guidance
- Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
- Cisco Talos Blog: Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
Additional Resources
- CISA BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interface
- Palo Alto Networks: Cisco IOS XE Web UI Privilege Escalation Vulnerability
- Proofpoint Emerging Threats Signatures: Ruleset Update Summary - 2023/10/17 - v10443
- GreyNoise: Unpacking CVE-2023-20198 - A Critical Weakness in Cisco IOS XE