CVE-2023-20198:主动利用思科IOS XE零日漏洞

最后更新于2023年10月23日星期一16:39:32 GMT

10月16日星期一，思科的Talos集团 published a blog 利用CVE-2023-20198的活跃威胁活动, 思科IOS XE软件的web UI组件中存在一个“以前未知的”零日漏洞. IOS XE是一个运行在 广泛的思科网络设备，包括路由器、交换机、无线控制器、接入点等. 成功利用CVE-2023-20198允许远程, unauthenticated attacker to create an account on an affected device and use that account to obtain full administrator privileges, 有效地实现对系统的完全接管.

在披露时(2023年10月17日)没有CVE-2023-20198的补丁。. Cisco has 已发布的固定版本 从10月22日起，我们将提供一系列解决方案. 正如Cisco Talos在他们的博客中指出的那样, 这个漏洞已经在野外被利用了, and there appeared to be a significant number of devices running IOS XE on the public internet as of October 17. 对运行IOS XE的互联网暴露设备的估计各不相同, 但攻击面面积似乎相对较大; one estimate 暴露的设备数量超过140K.

On October 20, Cisco updated their advisory on CVE-2023-20198 to reflect that the attack chain their team observed actually included two zero-day vulnerabilities, 不只是一个:

"The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. 这允许用户以正常的用户访问权限登录.

攻击者随后利用了web UI特性的另一个组件, leveraging the new local user to elevate privilege to root and write the implant to the file system. 思科已针对此问题分配了CVE-2023-20273.

CVE-2023-20198的CVSS评分为10分.0.
CVE-2023-20273的CVSS评分为7分.2.

CSCwh87343正在跟踪这两个cve."

Additional activity has included deployment of an implant that allows the attacker to execute arbitrary commands at the system level or IOS level. 思科对他们观察到的恶意行为有详尽的描述 here.

受影响的产品

Cisco’s CVE-2023-20198和CVE-2023-20273的公共咨询 says that Cisco IOS XE software is vulnerable if the web UI feature is enabled (the UI is enabled through the ip http server or IP HTTP安全服务器 commands). 思科并没有提供一定运行IOS XE的产品列表，但他们的 IOS XE的产品页面 列出了一些，包括Catalyst、ASR和NCS系列.

根据建议, 客户可以确定系统是否启用了HTTP Server特性, 通过登录系统并使用 Show running-config | include IP HTTP server|secure|active 命令，检查是否存在 ip http server command or the IP HTTP安全服务器 命令. The presence of either command or both commands in the system configuration indicates that the web UI feature is enabled (and that the system is therefore vulnerable).

思科的报告还指出，如果 ip http server 命令，并且配置中还包含 IP HTTP active-session-modules无，漏洞是 不能通过HTTP利用. If the IP HTTP安全服务器 命令，并且配置中还包含 IP HTTP secure-active-session-modules无，漏洞是 不能通过HTTPS利用.

缓解指导

截至10月22日，思科已经做到了 发布了IOS XE的固定版本 修复CVE-2023-20198在其解决方案组合中的一系列平台(例如.g.、SDWAN、各种路由器和交换机). Organizations should disable the web UI (HTTP Server) component on internet-facing systems on an emergency basis before applying patches. 组织也应该重新启动他们的设备.

要禁用HTTP Server特性，请使用 无IP HTTP服务器 or 无IP HTTP安全服务器 命令. Per 思科的咨询，如果HTTP服务器和HTTPS服务器都在使用， 这两个命令都是必需的 关闭HTTP Server特性. Organizations should also avoid exposing the web UI and management services to the internet or to untrusted networks.

Disabling the web UI component of IOS XE systems and limiting internet exposure reduces risk from known attack vectors, but notably does not mitigate risk from implants that may have already been successfully deployed on vulnerable systems. Rapid7 recommends invoking incident response procedures where possible to prioritize hunting for indicators of compromise Cisco has shared, listed below.

思科观察到攻击者的行为

Cisco Talos博客上的CVE-2023-21098有一个 植入物的全面分析 他们被部署在威胁行动中. 我们强烈建议完整地阅读这份分析报告. 植入被保存在文件路径下 /usr/binos/conf/nginx-conf/cisco_service.conf 它包含两个由十六进制字符组成的可变字符串. 虽然植入物不是持久的(设备重启会将其移除), 攻击者创建的本地用户帐号为.

思科观察到该威胁行为者利用了CVE-2021-1435, 哪些是在2021年修补的, 在获得易受CVE-2023-20198攻击的设备的访问权限后安装植入物. Talos also notes that they have seen devices fully patched against CVE-2021-1435 getting the implant successfully installed “through an as of yet undetermined mechanism.”

rapid7观察到攻击者的行为

Rapid7 MDR has so far identified a small number of instances where CVE-2023-20198 was exploited in customer environments, including multiple instances of exploitation within the same customer environment on the same day. The indicators of compromise our team has identified with available evidence indicate the use of techniques similar to those described by Cisco Talos.

Rapid7在我们的调查过程中发现了技术的变化. The first malicious activity performed on the system post-exploitation was associated with the admin account. 以下是该日志文件的摘录:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as admin on vty1
威胁行为者创建了本地帐户 cisco_support 使用命令 用户名cisco_support privilege 15 algorithm-type sha256 secret * 在用户上下文中 admin. 然后，威胁参与者使用新创建的密码对系统进行身份验证 cisco_support 帐户并开始运行几个命令，包括以下命令:

显示running-config
显示语音寄存器全局
显示拨号语音摘要
show platform
显示流量监视器
show platform
显示平台软件iox-service
显示iox-service
dir bootflash:
dir flash:
clear logging
没有用户名cisco_support
无用户名cisco_tac_admin
无用户名cisco_sys_manager

在完成这些命令后，威胁参与者删除了该帐户 cisco_support. The accounts cisco_tac_admin and cisco_sys_manager 也被删除了, but Rapid7 did not observe account creation commands associated with these accounts within available logs.

威胁行为者还执行了 clear logging 命令清除系统记录并掩盖他们的踪迹. Rapid7在10月12日发现了第二次开采的测井记录, 2023, 但无法查看第一次入侵的日志，因为日志已被清除.

证据表明，威胁参与者执行的最后一个操作与一个名为 aaa:
% web -6- install_operation_info:用户:cisco_support，安装操作:ADD aaa

对比10月12日在同一环境中发生的两次入侵, 在观察到的技术上有细微的差异. For example, 日志清理只在第一次利用中执行, 而第二次利用包括额外的目录查看命令.

妥协指标

The Cisco Talos博客 on CVE-2023-20198 directs organizations to look for unexplained or newly created users on devices running IOS XE. One way of identifying whether the implant observed by Talos is present is to run the following command against the device, 其中“DEVICEIP”部分是要检查的设备的IP地址的占位符:

curl -k -X POST "http[:]//DEVICEIP/web /logoutconfirm . curl.html?logon_hash=1"

The command above will execute a request to the device’s Web UI to see if the implant is present. 如果请求返回一个十六进制字符串, the implant is present (note that the web server must have been restarted by the attacker after the implant was deployed for the implant to have become active). 根据思科的博客, the above check should use the HTTP scheme if the device is only configured for an insecure web interface.

其他Cisco ioc

• 5.149.249[.]74
• 154.53.56[.]231

Usernames:

• cisco_tac_admin
• cisco_support

Cisco Talos also advises performing the following checks to determine whether a device may have been compromised:

Check the system logs for the presence of any of the following log messages where “user” could be cisco_tac_admin, cisco_support 或网络管理员不知道的任何已配置的本地用户:

• %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

• %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

Note: The %SYS-5-CONFIG_P 消息将出现在用户访问web UI的每个实例中. 要查找的指示器是消息中出现的新用户名或未知用户名.

Organizations should also check the system logs for the following message where filename is an unknown filename that does not correlate with an expected file installation action:

• % web -6- install_operation_info: User: username, Install Operation: ADD filename

Rapid7客户

As of October 17, InsightVM and Nexpose customers can assess their exposure to CVE-2023-20198 with an authenticated vulnerability check that looks for Cisco IOS XE devices with the web UI enabled. We expect to release an update to this check on October 24 to reflect fixed version availability.

InsightIDR and Rapid7 MDR customers have existing detection coverage through Rapid7's expansive library of detection rules. The following detection rules are deployed and alerting on activity related to this vulnerability via the IP addresses provided by Cisco:

• 网络流-当前事件相关的IP观察
• 可疑的连接-当前事件相关的IP观察

Updates

2023年10月17日: 更新了rapid7观察到的攻击者行为和ioc.

2023年10月23日: 更新以反映第二个零日漏洞CVE-2023-20273的披露. Also updated to note that Cisco has released a patch for CVE-2023-20198 across a number of affected platforms. Rapid7 expects to release an update to the vulnerability check for CVE-2023-20198 on October 24 to detect patched versions of IOS XE.