
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability!

By Brendan Schimmel posted Wed October 18, 2023 10:15 AM


Heads up networking friends!

On October 16th, Cisco announced a zero-day vulnerability in the IOS XE Web UI feature. If the Web UI is enabled and the device is exposed to the internet or to untrusted networks, an unauthenticated attacker can create an account on the affected device and then use the privileges afforded by that account to take control of the device.

More from NIST here on 🪲 CVE-2023-20198.

Quickly identify Cisco IOS-XE Devices in your network in SevOne NPM:

SevOne NPM users can quickly generate a list of Cisco IOS-XE devices known to the network by navigating to the Devices tab in Data Insight and filtering by Device Group > Operating Systems > Cisco IOS-XE, or by typing "IOS-XE" in the table search bar to return every device running Cisco IOS-XE software. From here you can drill down into specific devices or export the list as CSV to share with other teams.

Analyze traffic further with Flow Analysis

If these network devices have flow enabled, a quick next step in the search for anything odd is to analyze flow records specifically for the Web UI ports, HTTP on TCP 80 and HTTPS on TCP 443. In the report below I am showing results filtered to those ports with country of origin, port and BGP ASN, to see whether any "unusual" traffic toward the devices stands out. Further analysis can be done on the group of Cisco IOS-XE devices to view CPU, memory or alert anomalies as needed.
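The two steps above (pull the IOS-XE device list, then look at flow records toward the Web UI ports grouped by origin) can also be scripted against an exported CSV and a flow export. The following is an added example, not SevOne code and not an API of the product: the CSV column names, the flow record layout, the addresses and the ASN numbers are all constructed placeholders, and the "expected ASN" allow-list stands in for whatever your management network actually looks like.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a Devices-table CSV export. The column names are an
# assumption for this example, not the product's actual export schema.
DEVICE_CSV = """name,ip,os
edge-rtr-01,192.0.2.1,Cisco IOS-XE
core-sw-01,192.0.2.2,Cisco IOS-XE
dist-sw-02,192.0.2.3,Cisco NX-OS
wan-rtr-02,192.0.2.4,Cisco IOS-XE
"""


@dataclass(frozen=True)
class Flow:
    """One flow record; field layout is an assumption for this example."""
    src_ip: str
    src_country: str
    src_asn: int
    dst_ip: str
    dst_port: int
    nbytes: int


# Constructed flow records using documentation address ranges and placeholder
# ASNs. AS64500 plays the role of the organisation's own management network.
FLOWS = [
    Flow("198.51.100.10", "US", 64500, "192.0.2.1", 443, 4200),  # NOC, expected
    Flow("198.51.100.11", "US", 64500, "192.0.2.2", 443, 3900),
    Flow("203.0.113.7", "ZZ", 64512, "192.0.2.1", 443, 12800),   # unexpected origin
    Flow("203.0.113.8", "ZZ", 64512, "192.0.2.4", 80, 9600),
    Flow("203.0.113.9", "ZZ", 64512, "192.0.2.4", 80, 7700),
    Flow("198.51.100.12", "US", 64500, "192.0.2.3", 443, 1500),  # NX-OS box, out of scope
    Flow("198.51.100.13", "US", 64500, "192.0.2.1", 22, 2200),   # SSH, not the Web UI
]

# Ports the IOS XE Web UI listens on (HTTP and HTTPS).
WEB_UI_PORTS = {80, 443}


def ios_xe_devices(csv_text):
    """Return {ip: name} for inventory rows whose OS column mentions IOS-XE."""
    devices = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "ios-xe" in row["os"].lower():
            devices[row["ip"]] = row["name"]
    return devices


def web_ui_flows(flows, device_ips):
    """Keep only flows toward the Web UI ports of the in-scope devices."""
    return [f for f in flows if f.dst_ip in device_ips and f.dst_port in WEB_UI_PORTS]


def summarize(flows):
    """Aggregate bytes by (country, ASN, destination port) so origins stand out."""
    totals = Counter()
    for f in flows:
        totals[(f.src_country, f.src_asn, f.dst_port)] += f.nbytes
    return totals


def unexpected_origins(summary, expected_asns):
    """Return the origin groups whose ASN is not on the expected list."""
    return {key: total for key, total in summary.items() if key[1] not in expected_asns}


if __name__ == "__main__":
    devices = ios_xe_devices(DEVICE_CSV)
    print("IOS-XE devices:", devices)
    summary = summarize(web_ui_flows(FLOWS, devices))
    for (country, asn, port), total in summary.most_common():
        print(f"{country} AS{asn} -> :{port} {total} bytes")
    print("unexpected:", unexpected_origins(summary, expected_asns={64500}))
```

The aggregation mirrors what the report does with country, port and ASN columns; the allow-list step is the part a human usually does by eye, and putting it in code makes it repeatable across every IOS-XE device in the export rather than the handful you happen to click into.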

Good luck and safe packet pushing! 

- Brendan


Comments

Tue October 24, 2023 04:53 AM

Update - Cisco have now released the first tranche of patches so get patching! Not only this, but the exploit payload appears to have been modified to evade some simple checks so please double check your estate using the latest information.

Our colleagues in IBM Security are also tracking this and can provide further advice as needed - https://exchange.xforce.ibmcloud.com/collection/Critical-Flaw-in-Cisco-IOS-XE-Software-Exploited-in-the-Wild-a304baf254e6daac202aa22d1700ce64

More Commentary - https://www.theregister.com/2023/10/23/cisco_iosxe_fix/

Cisco Patches - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Stay safe folks.

Wed October 18, 2023 10:28 AM

Any users who are on pre-6.6 versions of SevOne NPM Data Insight can use a Metadata widget in a report to perform the same filtering and create the same list.