Critical Security Advisory for Cisco IOS Web UI

What happened?

A critical security flaw has been discovered in Cisco’s IOS Web UI, identified as CVE-2023-20198. This severe issue has been given the highest possible CVSS rating of 10, signaling the urgency for immediate action. The vulnerability enables external attackers, who do not need any form of authentication, to create new user accounts endowed with full administrative rights. Cisco has verified that this security gap has been actively exploited since at least September 18, 2023.

Who Needs to Worry About This?

If you’re running any version of Cisco IOS with the HTTP Server feature on—whether it’s a switch, router, or wireless LAN controller—you should pay attention. Especially if these devices have HTTP or HTTPS Server features open to the entire web, you’re in the target zone.

How Serious Is It, Really?

Okay, let’s not sugarcoat this. If someone exploits this vulnerability, they get the digital “keys to the kingdom.” They’ll be able to do anything an admin can do, like snooping on your network traffic or even infiltrating further into your network. Cisco’s seen some attackers even go as far as installing a nasty piece of software that lets them run malicious commands. It’s a big deal.

What Should You Do About It?

Cisco’s pretty clear on this: follow their security advisory, like, yesterday.

Right now, there’s no magic update to fix this, and there are no clever workarounds.

Are You Affected?

To figure out if you’re impacted, go to the command line interface of the device and run:

show running-config | include ip http server|secure|active

If it returns “ip http server” or “ip http secure-server”, your HTTP Server feature is active and the device is vulnerable.

Red Flags to Watch Out For

If you’ve got the HTTP Server feature on, here are some tell-tale signs you might have been compromised:

  • Unusual activity from specific IP addresses like
    5.149.249[.]74
    154.53.56[.]231
  • New local users you didn’t create—keep an eye out for usernames like ‘cisco_tac_admin’ or ‘cisco_support.’
  • Check logs for unexpected logins or changes, especially if they trigger a %SYS-5-CONFIG_P message.
  • Watch for system messages that look like %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename.
  • Check systems for implants using the following commands, where SYSTEMIP is the IP address of the Cisco device to check:
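To show how the config check above and the red flags in this list can be turned into a repeatable triage script, here is an added example (not from Cisco or from this advisory) that runs over a constructed running-config excerpt and constructed syslog lines; the exact wording of the sample log messages, the hostnames and the usernames are assumptions made for the sample, so adjust the patterns to what your own devices actually log.

```python
import re

# Constructed sample data for the example; not captured from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
username admin privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
"""
SAMPLE_SYSLOG = """\
Oct 18 03:12:01.123: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on vty0
Oct 18 03:12:44.001: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD 2023-10-18_03:12:44
Oct 18 04:00:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty1
"""
KNOWN_USERS = {"admin"}                                   # accounts you actually created
SUSPICIOUS_USERS = {"cisco_tac_admin", "cisco_support"}   # names called out in the advisory

def http_server_enabled(config: str) -> list[str]:
    """Return the 'ip http server' / 'ip http secure-server' lines that expose the Web UI."""
    return [ln.strip() for ln in config.splitlines()
            if re.fullmatch(r"ip http (server|secure-server)", ln.strip())]

def unexpected_local_users(config: str, known: set[str]) -> list[str]:
    """Local usernames in the config that are not in the known-good set."""
    users = re.findall(r"^username (\S+)", config, re.M)
    return [u for u in users if u not in known]

def suspicious_log_events(syslog: str) -> list[dict]:
    """Flag %SYS-5-CONFIG_P and %WEBUI-6-INSTALL_OPERATION_INFO ADD events (assumed message layout)."""
    hits = []
    for line in syslog.splitlines():
        m = re.search(r"%SYS-5-CONFIG_P:.* as (\S+) on", line)
        if m:
            hits.append({"type": "CONFIG_P", "user": m.group(1), "line": line})
            continue
        m = re.search(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+), Install Operation: ADD (\S+)", line)
        if m:
            hits.append({"type": "INSTALL_ADD", "user": m.group(1), "file": m.group(2), "line": line})
    return hits

if __name__ == "__main__":
    print("Web UI exposure:", http_server_enabled(SAMPLE_CONFIG))
    for u in unexpected_local_users(SAMPLE_CONFIG, KNOWN_USERS):
        print("Unexpected local user:", u, "(advisory IOC)" if u in SUSPICIOUS_USERS else "")
    for ev in suspicious_log_events(SAMPLE_SYSLOG):
        print("Suspicious event:", ev["type"], "by", ev["user"])
```

Feed it the output of "show running-config" and "show logging" from each device, and treat any hit on the second or third check as a reason to start the response steps below.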

Next Steps: Mitigation and Response

Here’s what you should do to tackle this issue:

  1. Turn off the HTTP Server feature on any device that’s exposed to the internet. You can do this using the no ip http server or no ip http secure-server commands.
  2. If you can’t disable the HTTP Server feature, at least lock it down. Use access lists to keep untrusted users and networks at bay. Cisco vouches for this as a solid interim fix.
  3. If you find an implant has been installed, rebooting the device will kill the connection. But beware, if the attacker’s account is still active, they could just come back and do it all over again.

So there you have it—stay safe and keep those devices secure!


Thank you,

Rappahannock IT
