CVE-2023-20231: Cisco Security Advisory: Cisco IOS XE Software Web UI Command Injection Vulnerability

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software, have a Lobby Ambassador account enabled, and have the HTTP server feature enabled:

• Catalyst 9300 Series Switches
• Catalyst 9400 Series Switches
• Catalyst 9500 Series Switches
• Catalyst 9800-CL Wireless Controllers for Cloud
• Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
• Embedded Wireless Controller on Catalyst 9100X Series Access Points

For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

Determine the Device Configuration

To determine whether Lobby Ambassador accounts and the HTTP server feature are configured on a device, use the following instructions.

Determine the Lobby Ambassador Account Configuration

To determine how many Lobby Ambassador accounts are configured on a device, log in to the device and run the show running-config | count type lobby-admin CLI command. The following example shows the CLI output on a device with one Lobby Ambassador account configured:

Router#show running-config | count type lobby-admin
Number of lines which match regexp = 1

The number at the end of the line indicates how many Lobby Ambassador accounts are configured on the device.

Note: The Lobby Ambassador role can be associated with a user account using RADIUS or TACACS+. Customers who are using an authentication, authorization, and accounting (AAA) server such as Cisco Identity Services Engine (ISE) to manage user accounts accessing their device should check for the presence of users that have the cisco-av-pair=lobby-admin attribute set. For an example of how to configure a Lobby Ambassador account on Cisco ISE, see Configure 9800 WLC Lobby Ambassador with RADIUS and TACACS+ Authentication.

Determine the HTTP Server Configuration

To determine whether the HTTP Server feature is enabled for a device, log in to the device and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the device.

The following example shows the output of the show running-config | include ip http server|secure|active command for a device that has the HTTP Server feature enabled:

Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server

Note: The presence of either command or both commands in the device configuration indicates that the web UI feature is enabled.

If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.

If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

Cisco IOS XE Software is affected by this vulnerability only if the device is configured with a Lobby Ambassador account. This is not a default configuration and must be added by an administrator.

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

• IOS Software
• IOS XR Software
• Meraki products
• NX-OS Software