Cisco has released an advisory, acknowledging active exploitation of a previously unknown vulnerability, which is tracked as CVE-2023-20198, in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which is the highest level of access. It provides full access to all commands including the ability to make configuration changes. The attacker can then use that account to gain control of the affected system. Cisco has stated that this zero-day vulnerability has been exploited by unknown threat actors in the wild since at least September 18th, 2023.
Vulnerable Products
Any switch, router, or wireless LAN controller running IOS XE that has the HTTP or HTTPS Server feature enabled and exposed to the internet is vulnerable.
To determine whether the HTTP Server feature is enabled for a system, log in to the system and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the system.
Recommendations
Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
While there are minimal Indicators of Compromise (IOCs) currently associated with this vulnerability, Centripetal is currently tracking IOCs and deploying them directly to the RuleGATE for immediate shielding as they become available.
If you are a current user of Cisco IOS XE, please contact support@centripetal.ai.
Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centrpetal.ai or reach out to your Centripetal Account Representative.
