Introduction
Cisco IOS XE Software Web ui Privilege Escalation Vulnerability that could allow an unauthenticated, remote attacker to gain full admin privileges on an affected device. This vulnerability, tracked as CVE-2023-20198, exists in the web user interface (web UI) of Cisco IOS XE Software and could enable a malicious actor to take full control of the device. Cisco has released software updates to address this critical vulnerability and recommends customers install them immediately.
Recent Released:Apple Seeds macOS Sonoma 14.1 Release?
Technical Details
The Cisco IOS XE Software web UI privilege escalation vulnerability allows an unauthenticated attacker to create a user account with privilege level 15 access. Privilege level 15 grants full admin control of the device.
To exploit this vulnerability, an attacker would first gain access to the web UI on the Cisco device, which can be done by exploiting a separate vulnerability tracked as CVE-2023-20199. This provides the attacker initial access to the system.
Once they have web UI access, the attacker can then exploit CVE-2023-20198 by issuing a crafted privilege 15 command. This command elevates the privileges of the attacker’s account to level 15, giving them full control of the device.
Specifically, the attacker can send an HTTP request like this:
Copy codePOST /level/15/exec/-/conf/username/password HTTP/1.1
This will create the username/password account with privilege level 15. The attacker can then login to this account through the web UI and have full control.
The vulnerability arises because the web UI improperly performs authentication and authorization checks on privilege level commands sent by remote, unauthenticated users.
Affected Products
This vulnerability affects Cisco devices running affected versions of Cisco IOS XE Software that have the web UI feature enabled. The web UI feature may be enabled by default on some software versions.
According to Cisco’s advisory, the following products and versions are affected:
- Cisco IOS XE Software Releases 16.1.x and later
- Cisco IOS XE Software Releases 16.2.x and later
- Cisco IOS XE Software Releases 16.3.x and later
- Cisco IOS XE Software Releases 16.4.x and later
- Cisco IOS XE Software Releases 16.5.x and later
- Cisco IOS XE Software Releases 16.6.x and later
- Cisco IOS XE Software Releases 16.7.x and later
- Cisco IOS XE Software Releases 16.8.x and later
- Cisco IOS XE Software Releases 16.9.x and later
- Cisco IOS XE Software Release 17.x and later
Many Cisco networking devices run Cisco IOS XE Software, including but not limited to:
- Cisco Catalyst 9000 Series Switches
- Cisco Catalyst 1000 Series Switches
- Cisco 4000 Series Integrated Services Routers
- Cisco ASR 1000 Series Aggregation Services Routers
- Cisco Cloud Services Router 1000V Series
Organizations using affected Cisco devices should check with Cisco’s advisory for the exact release trains and versions that contain the vulnerability.
Impact
This vulnerability has a Common Vulnerability Scoring System (CVSS) severity score of 10 out of 10. This means it poses a critical risk to affected organizations.
If exploited, this vulnerability allows an unauthenticated attacker to create a user account on the Cisco device with full administrative privileges. They could use this account to take actions like:
- Access confidential data processed by the device
- Modify the device configuration
- Control access to network resources
- Install malicious software
- Pivot to attack other systems on the network
Ultimately, this vulnerability provides an attacker with a doorway into the network that can lead to a full compromise of critical systems and data. The ability for an anonymous attacker to gain admin access is extremely dangerous.
Workarounds
Cisco has not identified any workarounds for this vulnerability that fully mitigate the issue.
As a partial mitigation, administrators can disable the web UI feature if it is not needed. However, the best course of action is to install software updates provided by Cisco that address the vulnerability.
Fixes
Cisco has released software updates that address this vulnerability in Cisco IOS XE Software. Customers should install the latest updates as soon as possible.
Available updates depend on the specific Cisco platform and software release train. Administrators should consult Cisco’s advisory for the latest fix details.
In general, Cisco recommends upgrading to the latest available release for your Cisco platform and software release train. Contact Cisco technical support if you need assistance determining the correct updates.
Applying these software updates will eliminate the privileged account creation vulnerability in the Cisco IOS XE web UI. Cisco recommends customers install these fixes urgently.
Detection
Cisco has released SNORT rules that can detect attempts to exploit this vulnerability. Customers can deploy these SNORT rules to help identify exploitation attempts against devices.
The rules are documented in Cisco’s advisory. They detect the HTTP requests an attacker would send to create the privileged user account. Alerting on these detection rules can help identify compromises.
Cisco has also updated the Firepower intrusion rule set and provided updated malware detection signatures. Customers using Cisco security products should deploy these latest updates.
Reviewing device logs may also help identify exploitation attempts. Administrators should look for unexpected HTTP requests attempting to run “level 15” commands.
Actively Exploited
This vulnerability is known to be exploited in the wild. Cisco’s advisory states they are aware of active exploitation against devices.
Due to the nature of this flaw allowing anonymous access to admin privileges, Cisco is recommending customers upgrade as soon as possible, even foregoing normal maintenance windows.
Active exploitation means malicious actors are leveraging this vulnerability to compromise networks right now. So prompt action is required by customers using affected Cisco platforms.
Conclusion
The Cisco IOS XE Software web UI privilege escalation vulnerability poses a critical threat to network security. All organizations using affected Cisco devices should take immediate steps to mitigate this vulnerability. Installing the latest software updates is the most effective fix. Additional steps like deploying updated SNORT rules, disabling the web UI, and monitoring logs can also help reduce exposure. But because this flaw is being actively exploited, applying patches should be treated as an urgent priority.
Table Summary
| Vulnerability ID | CVE-2023-20198 |
| CVSS Score | 10 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Summary | Cisco IOS XE Software Web UI Privilege Escalation Vulnerability |
| Affected Products | Cisco IOS XE Software Releases 16.1.x and later |
| Impact | Unauthenticated admin access |
| Fix | Install latest IOS XE software release |