New Cisco Web UI Vulnerability Exploited by Attackers
By Waqas
Another day, another critical vulnerability hits Cisco! This is a post from HackRead.com. Read the original post: New Cisco Web UI Vulnerability Exploited by Attackers
Cisco is aware of the active exploitation of this vulnerability, but there are no workarounds available.
Cisco has warned customers of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software that is being actively exploited by attackers. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, which could further allow them to gain full control of the device.
The vulnerability (CVE-2023-20198) affects Cisco IOS XE Software if the web UI feature is enabled, which is done by default. Cisco recommends that customers disable the HTTP Server feature on all internet-facing systems to mitigate the risk of exploitation.
In its security advisory, Cisco said that the company is aware of the active exploitation of this vulnerability, and there are no workarounds available. Cisco is working on a software patch to address the vulnerability, but a release date has not yet been announced.
John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based security and operations analytics SaaS company commented on the advisory and warned that “The fact there isn’t a patch yet makes this issue all the more urgent and admins should take this opportunity to ensure their Cisco IOS devices either disable the Web UI or only have it accessible from private administrative LANs that are restricted to authorized users.”
Mayuresh Dani, Manager, Threat Research at Qualys, a Foster City, Calif.-based provider of disruptive cloud-based IT, security and compliance solutions, stressed that “Cisco has not provided the list of devices affected, which means that any switch, router or WLC running IOS XE that has the web UI exposed to the internet is vulnerable.”
Dani disclosed concerning statistics regarding Cisco devices with their web UI exposed to the internet. These findings indicate that more than 40,000 Cisco devices fall into this category, with the majority of them actively listening on port 80.
“1. Devices that have web UI and management services publicly exposed to the internet or to untrusted networks should be modified so that they are not exposed to untrusted networks by means of ACLs or other solutions. 2. Disable the web UI component on these devices,” Dani advised.
**Indicators of Compromise**
To determine whether a system may have been compromised, customers can check the system logs for the presence of the following log messages:
- `%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line`
- `%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success at 03:42:13 UTC Wed Oct 11 2023`
Customers can also use the following command to check for the presence of the implant:
```shell
curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
```
If the request returns a hexadecimal string, the implant is present.
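As an added example (not part of the original article or of Cisco's advisory), the Python below scans a constructed syslog excerpt for the two indicator messages above and classifies the body returned by the logoutconfirm.html check. The usernames, addresses and `[user: ...]` field layout in the sample lines are constructed, and the minimum hex length is an assumption.

```python
import re

# Constructed sample syslog excerpt (not real device output): the two indicator
# messages quoted above, plus routine lines that must not match.
SAMPLE_LOGS = """\
Oct 11 03:41:58 UTC: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.0.2.20)
Oct 11 03:42:13 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: unexpected_user] [Source: 198.51.100.7] at 03:42:13 UTC Wed Oct 11 2023
Oct 11 03:42:15 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
Oct 11 03:45:02 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
"""

# CONFIG_P via SEP_webui_wsma_http is the strong signal; a WEBLOGIN_SUCCESS is only
# suspicious when the user is not an account the administrators created.
IOC_PATTERNS = {
    "webui_programmatic_config": re.compile(
        r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http"),
    "webui_login_success": re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success"),
}
# The "[user: ...]" field is how the sample lines carry the login name (assumed layout).
USER_RE = re.compile(r"\[user: ([^\]]+)\]")


def find_iocs(log_text, known_users=()):
    """Return (line_no, indicator, user) for each matching log line.

    WEBLOGIN_SUCCESS lines for a user in known_users are skipped so that
    legitimate administrator logins do not drown out the report.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for name, pattern in IOC_PATTERNS.items():
            if not pattern.search(line):
                continue
            m = USER_RE.search(line)
            user = m.group(1) if m else None
            if name == "webui_login_success" and user in known_users:
                continue
            hits.append((line_no, name, user))
    return hits


def looks_like_implant_response(body):
    """True if the logoutconfirm.html check returned a bare hexadecimal string.

    An HTML logout page or an empty body is a clean result. The minimum length
    of 8 hex digits is an assumption to avoid flagging trivially short values.
    """
    return re.fullmatch(r"[0-9a-fA-F]{8,}", body.strip()) is not None
```

Feed `find_iocs` the output of `show logging` and `looks_like_implant_response` the body saved from the curl check; a CONFIG_P hit or a hex response warrants treating the device as compromised.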
**Recommendations**
Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the `no ip http server` or `no ip http secure-server` command in global configuration mode.
Customers who cannot disable the HTTP Server feature should restrict access to those services to trusted networks.
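An added example, not from the article or from Cisco: a small Python audit of running-config text that reports whether either HTTP listener is enabled and whether an `ip http access-class` ACL restricts it, which is the IOS way of limiting the web UI to trusted networks. The three config excerpts are constructed.

```python
# Constructed running-config excerpts (not from a real device): the default
# exposed state and the two remediations the advisory describes.
EXPOSED_CONFIG = """\
hostname edge-rtr
ip http server
ip http secure-server
ip http authentication local
"""
RESTRICTED_CONFIG = """\
hostname edge-rtr
no ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit 10.20.30.0 0.0.0.255
"""
DISABLED_CONFIG = """\
hostname edge-rtr
no ip http server
no ip http secure-server
"""


def audit_http_server(running_config):
    """Summarise the web UI exposure of a running-config.

    Returns the enabled state of each HTTP listener, the ACL number or name
    applied with 'ip http access-class' (None if absent), and an 'exposed'
    verdict: any listener enabled with no access-class. The ACL contents
    themselves are not evaluated here.
    """
    lines = [line.strip() for line in running_config.splitlines()]
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    access_class = next(
        (line.split()[-1] for line in lines if line.startswith("ip http access-class")),
        None,
    )
    exposed = (http_enabled or https_enabled) and access_class is None
    return {
        "http": http_enabled,
        "https": https_enabled,
        "access_class": access_class,
        "exposed": exposed,
    }
```

Run it over `show running-config` output collected from each device; anything reported as exposed is a candidate for `no ip http server` / `no ip http secure-server` or for an access-class.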
Cisco is also working on a software patch to address the vulnerability, and customers are advised to apply the patch as soon as it is available.
**Related news**
Among the top exploited zero-day vulnerabilities were bugs found in systems from Citrix and Cisco.
This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices that have the web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f...
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices
A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first
A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.
By Deeba Ahmed: It is unclear how long Cisco will take to release a patch. This is a post from HackRead.com. Read the original post: Cisco Web UI Vulnerability Exploited Massively, Impacting Over 40K Devices
Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward making you and any organizations you’re a part of more security resilient.
Researchers have found that a recently disclosed vulnerability in Cisco IOS XE has already resulted in thousands of compromised devices. The post Cisco IOS XE vulnerability widely exploited in the wild appeared first on Malwarebytes Labs.
Just a day after Cisco disclosed CVE-2023-20198, it remains unpatched, and one vendor says a Shodan scan shows at least 10,000 Cisco devices with an implant for arbitrary code execution on them. The vendor meanwhile has updated the advisory with more mitigation steps.
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that has
No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory. Cisco will provide updates on the status of this investigation and when a software patch is available.
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.