CVE-2023-20198 Cisco Zero Day Signature
Question
Is there protection for CVE-2023-20198 (Cisco IOS XE Software Web UI Privilege Escalation Vulnerability)?
Environment
PAN-OS
Cisco
Answer
On October 12, 2023, Cisco identified active exploitation of a previously unknown vulnerability in the web user interface (Web UI) feature of Cisco IOS XE software. The vulnerability, CVE-2023-20198, affects physical and virtual devices running Cisco IOS XE that have the HTTP or HTTPS server feature enabled and exposed to the internet or to untrusted networks. No prior authentication is required. A successful exploit lets the attacker create a local account with privilege level 15 on the device, which gives full administrative control and can be used for further unauthorized activity.
PoC
Horizon3 published a technical write-up of the vulnerability that includes a proof of concept (see the Horizon3 link in the references). The PoC itself is not reproduced in this article.
Cisco strongly recommends disabling the HTTP server feature (both `ip http server` and `ip http secure-server`) on all internet-facing systems, in line with its own best practices and with CISA's guidance on internet-exposed management interfaces. Cisco's Technical Assistance Center (TAC) worked with Cisco Talos to identify the exploitation cases, which were found during routine TAC casework. Given the severity of the vulnerability, affected organizations should promptly follow the steps in Cisco's PSIRT (Product Security Incident Response Team) advisory, including the checks for indicators of compromise, since disabling the web UI does not remove an account or implant that was already planted.
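The advisory's mitigation and its indicators of compromise translate directly into a triage script. The following is an added example, not code from this article or from Cisco: it checks a running configuration for the web UI being enabled, produces the corresponding `no ip http server` / `no ip http secure-server` commands, lists privilege-15 local users that are not on a known-admin list, and scans syslog lines for the two message patterns Cisco's advisory calls out (`%SYS-5-CONFIG_P` from the `SEP_webui_wsma_http` process, and `%WEBUI-6-INSTALL_OPERATION_INFO`). The configuration excerpt, usernames and log lines are constructed for the example and do not come from a real device.

```python
"""
Offline triage for the CVE-2023-20198 checks in Cisco's advisory.
Inputs are a running-config text and a list of syslog lines; nothing is
sent to the device, so this can run over collected evidence.
"""
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr1
username admin privilege 15 secret 9 $9$constructedhash1
username cisco_tac_admin privilege 15 secret 9 $9$constructedhash2
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input ssh
"""

# Constructed sample syslog lines modelled on the message formats in the advisory.
SAMPLE_LOGS = [
    "*Oct 17 02:11:08.113: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as cisco_tac_admin on line",
    "*Oct 17 02:11:09.501: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD filename",
    "*Oct 17 02:15:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]

# Anchored at line start so "no ip http server" is not mistaken for an enabled server.
HTTP_SERVER_RE = re.compile(r"^ip http server\s*$", re.MULTILINE)
HTTPS_SERVER_RE = re.compile(r"^ip http secure-server\s*$", re.MULTILINE)
PRIV15_USER_RE = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)

# Log indicators from the advisory: config applied programmatically by the
# web UI process, and the install message that accompanies the implant.
LOG_INDICATORS = {
    "config pushed by web UI process": re.compile(r"%SYS-5-CONFIG_P:.*SEP_webui_wsma_http"),
    "web UI install operation": re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO:"),
}


def web_ui_exposed(config: str) -> bool:
    """True if the HTTP or HTTPS server feature is enabled in the running config."""
    return bool(HTTP_SERVER_RE.search(config) or HTTPS_SERVER_RE.search(config))


def remediation_commands(config: str) -> List[str]:
    """Global-config commands from the advisory needed to disable the web UI."""
    cmds = []
    if HTTP_SERVER_RE.search(config):
        cmds.append("no ip http server")
    if HTTPS_SERVER_RE.search(config):
        cmds.append("no ip http secure-server")
    return cmds


def unexpected_privilege15_users(config: str, known_admins: Iterable[str]) -> Set[str]:
    """Privilege-15 local users that are not on the operator's known-admin list."""
    return set(PRIV15_USER_RE.findall(config)) - set(known_admins)


def suspicious_log_lines(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(reason, line) for every log line matching one of the advisory's indicators."""
    hits = []
    for line in lines:
        for reason, pattern in LOG_INDICATORS.items():
            if pattern.search(line):
                hits.append((reason, line))
                break
    return hits


if __name__ == "__main__":
    print("web UI exposed:", web_ui_exposed(SAMPLE_CONFIG))
    print("remediation:", remediation_commands(SAMPLE_CONFIG))
    print("unexpected priv-15 users:", unexpected_privilege15_users(SAMPLE_CONFIG, {"admin"}))
    for reason, line in suspicious_log_lines(SAMPLE_LOGS):
        print(f"[{reason}] {line}")
```

Cisco's advisory also gives a live check: an HTTP POST to `/webui/logoutconfirm.html?logon_hash=1` on the device returns a hexadecimal string when the implant is present. Later variants of the implant only answer when a specific Authorization header is supplied, so an empty response from that request does not by itself prove the device is clean; the configuration and log checks above still apply.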
Cisco's initial advisory also associated the attack chain with an older vulnerability, CVE-2021-1435: Cisco IOS XE Software Web UI Command Injection Vulnerability. Cisco later revised that attribution to a separate, newly assigned vulnerability; consult the PSIRT advisory for the current identifier.
CVE-2021-1435 is a vulnerability in the web-based user interface (web UI) of Cisco IOS XE, the operating system used on many Cisco routers and switches.
The core issue is that the web UI does not sufficiently validate user-supplied input. A web interface should check and sanitize everything a user submits so that it cannot be interpreted as a command by the underlying system.
Here, an attacker with access to the web UI (through legitimate credentials, or through an account created via CVE-2023-20198) can craft a request that injects arbitrary commands, which are then executed with root privileges on the underlying operating system of the device.
Palo Alto Networks released three signatures for these vulnerabilities in Applications and Threats content version 8766 on 2023-10-17:
- CVE-2023-20198: UTID 94453 - Cisco IOS XE Web UI Broken Access Control Vulnerability
- CVE-2021-1435: UTID 94454 - Cisco IOS XE Web UI Remote Code Execution Vulnerability
- CVE-2023-20198: UTID 86807 - Cisco IOS XE Associated Backdoor Traffic Detection
See the references section for more detail on how the vulnerabilities work.
Additional Information
References:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
- https://nvd.nist.gov/vuln/detail/CVE-2023-20198
- https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02
- https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html
- https://www.horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc