Oct 20, 2023 · 4 Min read

CVE-2023-20198

Active Exploitation of Cisco IOS XE Zero-Day Vulnerability


DESCRIPTION

CVE-2023-20198 is a critical vulnerability in the web user interface (web UI) of routers, switches, and wireless controllers running Cisco IOS XE Software. Cisco disclosed it on October 16, 2023 after observing active exploitation in the wild. It carries the maximum CVSS score of 10.0.

The flaw lets a remote, unauthenticated attacker who can reach the web UI create a local account with privilege level 15, the highest level on IOS XE, and then use that account to take full control of the device. At the time of writing Cisco has not released fixed software; the only mitigation is to take the web UI off untrusted networks, as described below.

Cisco recommends that customers disable the HTTP Server feature on all systems exposed to the internet or to untrusted networks. In global configuration mode, "no ip http server" turns off the HTTP (port 80) listener and "no ip http secure-server" turns off the HTTPS (port 443) listener. If both are configured, both commands are required; disabling only one leaves the web UI reachable over the other. To see which listeners are currently on, Cisco's advisory points to "show running-config | include ip http server|secure|active".

A CVSS score of 10.0 means the vulnerability is reachable over the network, is low in attack complexity, needs no privileges or user interaction, and has a high impact on confidentiality, integrity, and availability. In practical terms, any device with the web UI reachable by an attacker should be treated as trivially compromisable.

AFFECTED SYSTEMS

CVE-2023-20198 affects any device running Cisco IOS XE Software with the web UI feature enabled, in particular:

1. Cisco Routers: Cisco routers running IOS XE Software with the web UI enabled and reachable from the internet or from untrusted networks.

2. Cisco Switches: Cisco switches running IOS XE Software whose configuration enables the web UI and which are reachable from the internet or from untrusted networks.

3. Cisco Wireless Controllers: Cisco wireless controllers running IOS XE Software with an exposed web UI.

The deciding factor is exposure, not platform or model: a device is at risk only if the HTTP or HTTPS server is enabled and an attacker can reach it. Devices with the web UI disabled, or reachable only from a trusted management network, are not exposed to this attack path, although "trusted" should be verified rather than assumed.

VULNERABILITY IMPACT

The impact of CVE-2023-20198 is severe because it gives an attacker full administrative access to the affected Cisco device without any credentials. Specifically:

• Privilege Escalation: An attacker starts with no privileges on the device and ends with privilege level 15, which is full control of the device.

• Remote Exploitation: The vulnerability is exploited over the network through the web UI, so the attacker needs neither physical access nor an existing foothold on the device; reachability of the HTTP or HTTPS listener is enough.

• Unauthorized Account Creation: The attacker creates a persistent local account with privilege level 15 without supplying any authentication credentials. That account survives reboots unless it is removed, so auditing local accounts is part of cleanup.

• Complete Control: With a level 15 account, the attacker can read and change the running configuration, alter routing and access policies, intercept or redirect traffic, and disrupt services on the device and the network behind it.

RECOMMENDATIONS

Cisco's recommendation is as follows:

Disable HTTP Server Feature: Cisco strongly advises customers to disable the HTTP Server feature on all systems facing the internet or untrusted networks. In global configuration mode, run "no ip http server" and, if HTTPS is also enabled, "no ip http secure-server". Confirm the result with "show running-config | include ip http server|secure|active", and save the configuration so the change survives a reload. Because some management workflows depend on the web UI, check what relies on it before disabling it, but do not leave it exposed while that assessment is carried out.
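Both the account-creation impact described above and the disable-the-web-UI mitigation can be checked from a saved copy of "show running-config". The following script is an added example written for this post, not Cisco tooling: it parses a constructed sample config, reports whether the HTTP and HTTPS listeners are enabled, flags any privilege-15 local account that is not on an allowlist you supply, and prints the exact global-config commands needed to turn off whichever listeners are on. The function names, the sample config, and the allowlist are all assumptions made for the example.

```python
"""Audit an IOS XE running-config for CVE-2023-20198 exposure.

Added example (not Cisco's code). Reads 'show running-config' text, reports
web UI exposure and unexpected privilege-15 accounts, and emits the
mitigation commands from Cisco's advisory for the listeners that are on.
"""
import re

# Constructed sample config, not captured from a real device.
SAMPLE_CONFIG = """\
version 17.9
hostname edge-rtr-1
!
username netadmin privilege 15 secret 9 $9$REDACTED
username tmpuser privilege 15 secret 9 $9$REDACTED
username readonly privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# 'ip http server' / 'ip http secure-server', optionally negated with 'no '.
HTTP_RE = re.compile(r"^(no )?ip http (server|secure-server)$")
# Local accounts that carry an explicit privilege level.
USER_RE = re.compile(r"^username (\S+)\b.*\bprivilege (\d+)\b")
# Optional ACL restricting the web UI (reported, not treated as a fix).
ACL_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)")


def audit_config(config_text, known_admins):
    """Return a dict describing web UI listeners and suspicious level-15 users.

    known_admins: set of local usernames that are expected to hold level 15.
    A listener line that is absent from the text is reported as disabled;
    verify on the device with 'show ip http server status' if unsure.
    """
    findings = {
        "http_enabled": False,
        "https_enabled": False,
        "access_class": None,
        "unexpected_level15": [],
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            enabled = m.group(1) is None  # 'no ip http ...' means disabled
            key = "https_enabled" if m.group(2) == "secure-server" else "http_enabled"
            findings[key] = enabled
            continue
        m = ACL_RE.match(line)
        if m:
            findings["access_class"] = m.group(1)
            continue
        m = USER_RE.match(line)
        if m and m.group(2) == "15" and m.group(1) not in known_admins:
            findings["unexpected_level15"].append(m.group(1))
    return findings


def web_ui_exposed(findings):
    """True if either web UI listener is enabled. An access-class narrows
    exposure but the advisory's mitigation is to disable the listener."""
    return findings["http_enabled"] or findings["https_enabled"]


def mitigation_commands(findings):
    """Global-config commands to disable only the listeners that are on."""
    cmds = []
    if findings["http_enabled"]:
        cmds.append("no ip http server")
    if findings["https_enabled"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG, known_admins={"netadmin"})
    print("web UI exposed:", web_ui_exposed(result))
    print("access-class:", result["access_class"])
    print("unexpected level-15 accounts:", result["unexpected_level15"])
    if web_ui_exposed(result):
        print("apply in global configuration mode:")
        for cmd in mitigation_commands(result):
            print("  " + cmd)
```

Run it against a config pulled over SSH or from your configuration backups. An unexpected level-15 account is a reason to investigate the device, not just to delete the user; the account is the persistence mechanism described in the impact section, and its presence means the web UI was reachable by an attacker.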