CVE-2023-20198 Detection: Cisco IOS XE Zero-Day Vulnerability Actively Exploited to Install Implants

Hard on the heels of a new surge in the long-running Balada Injector campaign exploiting CVE-2023-3169, another critical security bug in popular software products comes to the spotlight. A new privilege escalation vulnerability affecting Cisco IOS XE software is actively exploited in the wild to help install implants on the impacted devices.

The uncovered zero-day known as CVE-2023-20198 enables remote and unauthenticated adversaries to generate a privilege-level account on a compromised system. While the patch is currently unavailable, CVE-2023-20198 poses severe security risks to potentially hacked instances. 

Detect CVE-2023-20198 Exploitation Attempts

In the rapidly evolving threat landscape of today, marked by a relentless surge in vulnerabilities leveraged existing in business-related applications and increasingly leveraged by attackers to breach the defense of the organizational infrastructure, a proactive and agile approach to threat detection is required. The SOC Prime Platform offers an array of robust cybersecurity tools tailored to enhance the cyber defense capabilities and efficiency of SOC teams.

Delve into the realm of real-time threat intelligence to stay ahead of emerging threats with the world’s fastest feed on the latest Tactics, Techniques, and Procedures (TTPs) used by adversaries. To bolster your defenses against potential CVE-2023-20198 exploitation attempts, SOC Prime offers a curated Sigma rule helping to identify related suspicious web request patterns, which may be related to the malicious internal implant or internal attacker trying to exploit the vulnerability inside the environment. The detection is mapped to the MITRE ATT&CK® framework and accompanied by extensive metadata to streamline the investigation.

Possible CVE-2023-20198 (Cisco IOS XE Software Web UI Privilege Escalation Vulnerability) Exploitation Patterns (via proxy)

The rule supports 18 SIEM, EDR, XDR, and Data Lake technologies, addressing the Lateral Movement tactic with the Exploitation of Remote Services (T1210) technique.

To boost threat investigation, SOC Prime users can also leverage a Sigma rule below that helps detect possible CVE-2023-20198 exploitation attempts by identifying suspicious accounts on the device (refer to the list of IOCs provided by the device vendor). Notably, a part of this rule should be correspondingly updated by the end-user to exclude all legitimate accounts that already exist and are used for administrative activity (placeholders are placeholder_for_legit_account1, placeholder_for_legit_account2, etc).

Possible CVE-2023-20198 (Cisco IOS XE Software Web UI Privilege Escalation Vulnerability) Exploitation Patterns (via keywords)

The rule is compatible with xx security analytics solutions and mapped to MITRE ATT&CK addressing the Initial Access and Lateral Movement tactics with Exploit Public-Facing Application (T1190) and Exploitation of Remote Services (T1210) techniques correspondingly.

To explore the entire detection stack for emerging and critical vulnerabilities, press the Explore Detections button below. All the rules are accompanied by extensive cyber threat context and CTI to boost threat investigation.

Explore Detections

CVE-2023-20198 Analysis

Cisco recently issued a security advisory confirming the active exploitation of a previously undisclosed zero-day vulnerability designated as CVE-2023-20198. The recommendations provided in the corresponding security notice align with the established best practices and adhere to the cybersecurity directive previously issued by the U.S. government for risk reduction of the internet-exposed management interfaces.

The newly uncovered security bug impacts the web UI feature of Cisco IOS XE Software, possessing the highest possible CVSS score of 10.0. Successful exploitation of the privilege escalation vulnerability enables unrestricted command access, leading to the system reloading and altering its configurations, which can allow attackers to abuse the account and further take control of the impacted system. Cisco’s Talos unit disclosed that they first identified the traces of attacks targeting CVE-2023-20198 on September 28, with the corresponding activity dating back to September 18. This discovery occurred as a result of an investigation into anomalous activity on a customer’s device.

On October 12, researchers detected a separate series of activities that began on the same day and that can be linked to the same hacking collective. Unlike the September incident, the latter also involved the deployment of a Lua-based implant. The implant is non-persistent, which implies that it will be removed once the device is rebooted. However, the recently established local user accounts remain operational even after the system is rebooted. These new user accounts possess level 15 privileges, granting them complete administrator access to the device.  

Adversary attempts leading to exploiting CVE-2023-20198 can be successful when the system is reachable from the internet or unsecured networks. The unveiled security bug impacts instances that run Cisco IOS XE software with the enabled HTTP or HTTPS Server functionality.

In view of the absence of any available fixes, mitigations, or workarounds for addressing this vulnerability, Cisco recommends deactivating the HTTP Server feature on systems exposed to the internet to prevent intrusions.

VulnCheck conducted scans on publicly accessible Cisco IOS XE web interfaces and discovered thousands of compromised hosts. Having elevated access to IOS XE systems potentially enables adversaries to monitor network traffic, infiltrate secured networks, and carry out various man-in-the-middle attacks.

With no current data on the list of impacted instances, thousands of Cisco devices with internet-facing web UI can be potentially exposed to the CVE-2023-20198 exploitation attempts. While the patch hasn’t been released yet, organizations are looking for efficient protection against CVE-2023-20198 to defend their infrastructure against intrusions. Rely on Threat Detection Marketplace to access the global feed of behavior-based detection algorithms and context on the latest threats, including zero-days to stay always ahead of the game.