...
Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343. For steps to close the attack vector for these vulnerabilities, see the Recommendations section of this advisory. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Please refer to the Security Advisory.
Option 1 - Disable the HTTP Server feature

To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. After disabling the HTTP Server feature, it is strongly advised to review the running configuration to make sure nothing else was changed or compromised. After the configuration review, use the copy running-configuration startup-configuration command to save the running configuration. This ensures that the HTTP Server feature is not unexpectedly re-enabled in the event of a device reload.

Option 2 - Access lists

The customer can create an access list and apply it to the HTTP server in order to permit only trusted devices to access the server. In the samples below, values in angle brackets are placeholders to be replaced with site-specific names and addresses.

Sample IPv4 ACL for IOS-XE Switches, Routers and WLC:

    ip access-list standard <ACL_NAME>
     permit <TRUSTED_SOURCE> <WILDCARD_MASK>
    ip http access-class ipv4 <ACL_NAME>

Sample IPv6 ACL for IOS-XE Switches, Routers and WLC:

    ipv6 access-list <ACL_NAME>
     permit <TRUSTED_PREFIX>/<PREFIX_LENGTH> any
    ip http access-class ipv6 <ACL_NAME>

Please refer to the Security Advisory.
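The two options above, plus the advice to review the running configuration for unexpected changes, can be checked offline against a saved "show running-config" dump. The following audit script is an added example written for this page; it is not Cisco's code and nothing like it ships with IOS XE. It assumes the configuration has already been copied off the device into a text file or string, and it reports whether the HTTP/HTTPS server is enabled, whether an ip http access-class ACL (IPv4 or IPv6) restricts access to the web UI, and which local users hold privilege 15 so that an unexpected account stands out. The sample configuration, the ACL name WEBUI_TRUSTED and the user names in it are constructed for the example.

```python
import re

# Constructed sample running-config excerpt (not captured from any real device).
SAMPLE_CONFIG = """\
hostname edge-router
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
username svc-backup privilege 1 secret 9 $9$PLACEHOLDER
username tmp-admin privilege 15 secret 9 $9$PLACEHOLDER
!
ip access-list standard WEBUI_TRUSTED
 permit 10.10.0.0 0.0.0.255
!
ip http server
ip http secure-server
ip http access-class ipv4 WEBUI_TRUSTED
!
end
"""

# "username NAME ... privilege N ..." lines define local accounts and their level.
_USER_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)\b")
# "ip http access-class ipv4|ipv6 NAME"; the legacy numbered form has no family keyword.
_ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:(ipv4|ipv6) )?(\S+)$")


def parse_config(text):
    """Extract the web-UI related settings from a running-config dump."""
    cfg = {
        "http_server": False,
        "https_server": False,
        "http_access_class": {},   # address family -> ACL name or number
        "priv15_users": [],
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            cfg["http_server"] = True
        elif line == "no ip http server":
            cfg["http_server"] = False
        elif line == "ip http secure-server":
            cfg["https_server"] = True
        elif line == "no ip http secure-server":
            cfg["https_server"] = False
        elif (m := _ACCESS_CLASS_RE.match(line)):
            family, acl = m.group(1) or "ipv4", m.group(2)
            cfg["http_access_class"][family] = acl
        elif (m := _USER_RE.match(line)) and m.group(2) == "15":
            cfg["priv15_users"].append(m.group(1))
    return cfg


def assess(cfg, expected_admins):
    """Turn the parsed settings into the checks the Recommendations section asks for."""
    web_ui_enabled = cfg["http_server"] or cfg["https_server"]
    return {
        "web_ui_enabled": web_ui_enabled,
        # Exposed: the web UI is reachable and no access-class ACL limits who can reach it.
        "unrestricted_web_ui": web_ui_enabled and not cfg["http_access_class"],
        # Privilege 15 accounts the operator did not expect to find in the config.
        "unexpected_priv15": sorted(set(cfg["priv15_users"]) - set(expected_admins)),
    }


def audit(text, expected_admins):
    """Parse a running-config dump and return the assessment dictionary."""
    return assess(parse_config(text), expected_admins)


if __name__ == "__main__":
    # expected_admins is the operator's own list of sanctioned privilege 15 accounts.
    print(audit(SAMPLE_CONFIG, expected_admins={"admin"}))
```

On the constructed sample the script reports the web UI as enabled but restricted by WEBUI_TRUSTED, and flags tmp-admin as a privilege 15 account that is not on the expected list. A device where both no ip http server and no ip http secure-server are present is reported as not exposed; a device with either server on and no access-class line is reported as unrestricted.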
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 10: https://sec.cloudapps.cisco.com/security/center/cvssCalculator.x?vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVE ID CVE-2023-20198 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html