CVE-2023-20198:主动利用思科IOS XE零日漏洞

Last updated at Mon, 23 Oct 2023 16:39:32 GMT

On Monday, October 16, 思科的 Talos group published a blog 利用CVE-2023-20198的活跃威胁活动, 思科IOS XE软件的web UI组件中存在一个“以前未知的”零日漏洞. IOS XE is an operating system that runs on a wide range of Cisco networking devices，包括路由器、交换机、无线控制器、接入点等. 成功利用CVE-2023-20198允许远程, unauthenticated attacker to create an 账户 on an affected device 和 use that 账户 to obtain full 管理istrator privileges, 有效地实现对系统的完全接管.

在披露时(2023年10月17日)没有CVE-2023-20198的补丁。. 思科 released fixed versions for a range of solutions as of October 22. As Cisco Talos noted in their blog, the vulnerability has been exploited in the wild, 和 t在这里 appeared to be a significant number of devices running IOS XE on the public internet as of October 17. 对运行IOS XE的互联网暴露设备的估计各不相同, 但攻击面面积似乎相对较大; 一个估计 puts the exposed device population at 140K+.

10月20日, Cisco updated their advisory on CVE-2023-20198 to reflect that the attack chain their team observed actually included two zero-day vulnerabilities, not just the one:

"的 attacker first exploited CVE-2023-20198 to gain initial access 和 issued a privilege 15 comm和 to create a local user 和 password combination. 这允许用户以正常的用户访问权限登录.

攻击者随后利用了web UI特性的另一个组件, leveraging the new local user to elevate privilege to root 和 write the implant to the file system. 思科 assigned CVE-2023-20273 to this issue.

CVE-2023-20198的CVSS评分为10分.0.
CVE-2023-20273的CVSS评分为7分.2.

CSCwh87343正在跟踪这两个cve."

Additional activity has included deployment of an implant that allows the attacker to execute arbitrary comm和s at the system level or IOS level. 思科对他们观察到的恶意行为有详尽的描述 在这里.

Affected products

思科的 CVE-2023-20198和CVE-2023-20273的公共咨询 says that Cisco IOS XE software is vulnerable if the web UI feature is enabled (the UI is enabled through the IP HTTP服务器 or ip http secure-server 命令). 思科并没有提供一定运行IOS XE的产品列表，但他们的 product page for IOS XE 列出了一些，包括Catalyst、ASR和NCS系列.

According to the advisory, 客户可以确定系统是否启用了HTTP Server特性, by logging into the system 和 using the Show running-相依ig | include IP HTTP server|secure|active 命令，检查是否存在 IP HTTP服务器 命令或 ip http secure-server comm和 in the global 相依iguration. 的 presence of 要么 命令或 这两个 comm和s in the system 相依iguration indicates that the web UI feature is enabled (和 that the system is t在这里fore vulnerable).

思科的 advisory also specifies that if the IP HTTP服务器 命令，并且配置中还包含 ip http active-session-modules none, the vulnerability is not exploitable over HTTP. 如果 ip http secure-server 命令，并且配置中还包含 ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

Mitigation guidance

As of October 22, 思科 released fixed versions of IOS XE 修复CVE-2023-20198在其解决方案组合中的一系列平台(例如.g., SDWAN, various routers 和 switches). Organizations should disable the web UI (HTTP Server) component on internet-facing systems on an emergency basis before 应用ing patches. Organizations should also reboot their devices.

To disable the HTTP Server feature, use the no IP HTTP服务器 or no ip http secure-server comm和 in global 相依iguration mode. 每 思科的 advisory，如果HTTP服务器和HTTPS服务器都在使用， 这两个 comm和s are required to disable the HTTP Server feature. Organizations should also avoid exposing the web UI 和 management services to the internet or to untrusted networks.

Disabling the web UI component of IOS XE systems 和 limiting internet exposure reduces risk from known attack vectors, 但值得注意的是 不 mitigate risk from implants that may have already been successfully deployed on vulnerable systems. Rapid7 recommends invoking incident response procedures w在这里 possible to prioritize hunting for indicators of compromise 思科 shared, 下面列出的.

Cisco-observed attacker behavior

的 Cisco Talos blog on CVE-2023-21098 has a full analysis of the implant 他们被部署在威胁行动中. 我们强烈建议完整地阅读这份分析报告. 的 implant is saved under the file path /usr/binos/相依/nginx-相依/cisco_service.相依 它包含两个由十六进制字符组成的可变字符串. 虽然植入物不是持久的(设备重启会将其移除), the attacker-created local user 账户s are.

思科观察到该威胁行为者利用了CVE-2021-1435, which was patched in 2021, 在获得易受CVE-2023-20198攻击的设备的访问权限后安装植入物. Talos also notes that they have seen devices fully patched against CVE-2021-1435 getting the implant successfully installed “through an as of yet undetermined mechanism.”

Rapid7-observed attacker behavior

Rapid7 耐多药 has so far identified a small number of instances w在这里 CVE-2023-20198 was exploited in customer environments, including multiple instances of exploitation within the same customer environment on the same day. 的 indicators of compromise our team has identified with available evidence indicate the use of techniques similar to those described by Cisco Talos.

Rapid7在我们的调查过程中发现了技术的变化. 攻击后在系统上执行的第一个恶意活动与 管理 账户. 的 following is an excerpt from this log file:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as 管理 on vty1
的 threat actor created the local 账户 cisco_support using the comm和 用户名cisco_support privilege 15 algorithm-type sha256 secret * under user context 管理. 然后，威胁参与者使用新创建的密码对系统进行身份验证 cisco_support 帐户并开始运行几个命令，包括以下命令:

show running-相依ig
show voice register global
show dial-peer voice summary
展示的平台
show flow monitor
展示的平台
展示的平台 software iox-service
show iox-service
dir bootflash:
dir闪:
清晰的记录
no username cisco_support
no username cisco_tac_管理
no username cisco_sys_manager

在完成这些命令后，威胁参与者删除了该帐户 cisco_support. 的账户 cisco_tac_管理 和 cisco_sys_manager were also deleted, but Rapid7 did not observe 账户 creation comm和s associated with these 账户s within available logs.

的 threat actor also executed the 清晰的记录 命令清除系统记录并掩盖他们的踪迹. Rapid7在10月12日发现了第二次开采的测井记录, 2023, 但无法查看第一次入侵的日志，因为日志已被清除.

证据表明，威胁参与者执行的最后一个操作与一个名为 aaa:
% web -6- install_operation_info:用户:cisco_support，安装操作:ADD aaa

对比10月12日在同一环境中发生的两次入侵, 在观察到的技术上有细微的差异. 例如, 日志清理只在第一次利用中执行, 而第二次利用包括额外的目录查看命令.

Indicators of compromise

的 Cisco Talos blog on CVE-2023-20198 directs organizations to look for unexplained or newly created users on devices running IOS XE. One way of identifying whether the implant observed by Talos is present is to run the following comm和 against the device, 其中“DEVICEIP”部分是要检查的设备的IP地址的占位符:

curl -k -X POST "http[:]//DEVICEIP/web /logout相依irm . curl.html?logon_hash = 1”

的 comm和 above will execute a request to the device’s Web UI to see if the implant is present. 如果 request returns a hexadecimal string, the implant is present (note that the web server must have been restarted by the attacker after the implant was deployed for the implant to have become active). 每 思科的 blog, the above check should use the HTTP scheme if the device is only 相依igured for an insecure web interface.

Additional Cisco IOCs

• 5.149.249[.]74
• 154.53.56[.]231

用户名:

• cisco_tac_管理
• cisco_support

Cisco Talos also advises performing the following checks to determine whether a device may have been compromised:

Check the system logs for the presence of any of the following log messages w在这里 “user” could be cisco_tac_管理, cisco_support 或网络管理员不知道的任何已配置的本地用户:

• %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

• %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login 成功 [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

注意: %SYS-5-CONFIG_P 消息将出现在用户访问web UI的每个实例中. 要查找的指示器是消息中出现的新用户名或未知用户名.

Organizations should also check the system logs for the following message w在这里 filename is an unknown filename that 不 correlate with an expected file installation action:

• % web -6- install_operation_info: User: username, Install Operation: ADD filename

Rapid7 customers

As of October 17, InsightVM 和 Nexpose customers can assess their exposure to CVE-2023-20198 with an authenticated vulnerability check that looks for Cisco IOS XE devices with the web UI enabled. We expect to release an update to this check on October 24 to reflect fixed version availability.

InsightIDR 和 Rapid7 耐多药 customers have existing detection coverage through Rapid7's expansive library of detection rules. 的 following detection rules are deployed 和 alerting on activity related to this vulnerability via the IP addresses provided by Cisco:

• Network Flow - CURRENT_EVENTS Related IP Observed
• 可疑的连接-当前事件相关的IP观察

更新

October 17, 2023: 更新了rapid7观察到的攻击者行为和ioc.

October 23, 2023: 更新以反映第二个零日漏洞CVE-2023-20273的披露. Also updated to note that 思科 released a patch for CVE-2023-20198 across a number of affected platforms. Rapid7 expects to release an update to the vulnerability check for CVE-2023-20198 on October 24 to detect patched versions of IOS XE.