New Critical Zero-Day Vulnerability Affects Web UI of Cisco IOS XE Software & Allows Attackers to Compromise Routers


This article covers the number of devices exposing the web UI on the internet, a timeline and technical details of the malicious activity, and steps for mitigating this zero-day threat.

Cisco Talos has discovered a new critical zero-day vulnerability in the Web User Interface (web UI) feature of Cisco IOS XE software that is currently being exploited in the wild. The vulnerability gives an attacker full control of the compromised router, which can then be used for further malicious activity. Cisco has published an advisory to help mitigate the threat.


How many devices are exposing the web UI on the internet?

Patrice Auffret, founder, CEO and chief technology officer at ONYPHE, a French cyber defense search engine dedicated to attack surface discovery and attack surface management, told TechRepublic in an email interview earlier today that the attack surface on the internet is very broad.

“We refreshed our data today and we see more than 74k devices exposing the web UI on the Internet. For the moment, all we can say is that the vulnerability has the highest severity with a CVSS at 10, and that it is currently being exploited, according to ANSSI” (Figure A).

Figure A

Figure A: More than 74,000 devices currently expose the web UI on the internet, according to data from Onyphe. Image: Onyphe

Timeline of when Cisco discovered this malicious activity

On Sept. 28, 2023, Cisco Talos researchers discovered suspicious activity on a customer device: An unauthorized user was creating a local user account under the username “cisco_tac_admin” on a system running Cisco IOS XE. TAC in this username may refer to Cisco’s Technical Assistance Center. The activity came from a suspicious IP address in Bulgaria, but no other activity could be detected at the time.


On Oct. 12, 2023, another local user account was created by an unauthorized user, this time with the username “cisco_support” and originating from a different suspicious IP address belonging to the same provider in Bulgaria. This account creation was followed by more malicious activity, including the deployment of an implant designed to facilitate arbitrary command execution.

Both accounts have privilege level 15, meaning they have full administrator access to the device. The vulnerability used to access the system and create those accounts is CVE-2023-20198; it received the highest possible Common Vulnerability Scoring System score of 10.

According to Cisco Talos, the first cluster was possibly the threat actor’s initial attempt to test their code, while the October activity appears to show the actor expanding the operation to establish persistent access through deployment of the implant.

Technical details about this zero-day’s implant deployment

After creating the local user “cisco_support,” the attacker successfully deployed an implant by exploiting a known vulnerability, CVE-2021-1435, for which a patch has existed since 2021. However, Cisco Talos also observed successful deployment of the implant on systems fully patched against CVE-2021-1435, via a mechanism that has not yet been determined.

On the compromised device, the implant is saved under the path

/usr/binos/conf/nginx-conf/cisco_service.conf

which contains two variable strings made up of hexadecimal characters. The implant does not survive a reboot, as the attackers did not deploy any persistence mechanism for it, but the malicious local user accounts do remain on the system after a reboot.

The implant consists of 29 lines of Lua code (Figure B).

Figure B

Figure B: The malicious implant, written in Lua. Image: Cisco Talos

The implant facilitates arbitrary command execution and is triggered by an HTTP POST request sent to the device, with parameters that select one of three functions:

  • The first function, selected by the “menu” parameter, returns a string of numbers surrounded by forward slashes, which Cisco Talos researchers suspect is used for versioning or an installation timestamp.
  • The second function, selected by the “logon_hash” parameter, returns an 18-character hexadecimal string that is hardcoded inside the implant.
  • The third function, also selected by the “logon_hash” parameter, checks whether the value sent by the attacker matches a 40-character hexadecimal string hardcoded into the implant, and uses another parameter, “common_type”, to decide whether the supplied command should be run at the system level or at IOS privilege level 15.

How to mitigate this Cisco IOS XE software security threat

Only devices running Cisco IOS XE software with the web UI feature enabled are affected by this vulnerability. For organizations running that software, Cisco strongly recommends disabling the HTTP server feature on all internet-facing systems so the web UI is no longer reachable. Administrators can do so with the no ip http server and no ip http secure-server commands in global configuration mode; both commands are needed when both the HTTP and HTTPS listeners are enabled.

Administrators may also apply access lists to the HTTP server feature so that only permitted hosts and networks can reach the web UI. This limits who can reach the vulnerable interface but does not remove the vulnerability itself.

Cisco states that administrators should then use the following command to save the running configuration so the change is not lost on a system reload:

copy running-configuration startup-configuration

The presence of the implant can also be checked by sending an HTTP POST request that makes the implant respond if it is installed on the system:

curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"

In that command, systemip must be replaced with the system’s IP address. If the system responds with a hexadecimal string, the implant is present. A response without such a string does not by itself prove the device is clean: the check detects only this implant, and the attacker-created accounts survive a reboot even though the implant does not.

Administrators should carefully review all local users, especially newly created ones that may have been added by an attacker, and inspect log files for every user that has accessed the web UI.
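As an added example that is not part of the article or of Cisco’s own tooling, the following Python script applies the mitigation and detection steps above to a constructed running-config: it reports whether the web UI listeners are still enabled and whether an access-class is applied, lists privilege-15 local users that are not in a known-good set, emits the commands from the article for disabling the listeners, and classifies the body of the implant probe response (the curl command above) using the article’s hexadecimal-string rule. The sample config, the set of expected admins and the probed host are assumptions for illustration.

```python
"""Added example (not from the article or from Cisco): audit an IOS XE
running-config for the mitigations the article describes and classify the
answer to the implant probe. Standard library only."""
import re
import ssl
import urllib.error
import urllib.request

# Constructed sample running-config for a hypothetical router, not a real
# device: web UI listeners enabled, no access-class, and the two accounts
# the attackers created alongside a legitimate admin.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
username admin privilege 15 secret 9 $9$abc
username cisco_tac_admin privilege 15 secret 9 $9$def
username cisco_support privilege 15 secret 9 $9$ghi
!
ip http server
ip http secure-server
!
"""

# Assumption: the local admin accounts the organisation knows about.
EXPECTED_ADMINS = {"admin"}


def audit_http_server(config: str) -> dict:
    """Report whether the HTTP/HTTPS web UI listeners are enabled and whether
    an access-class (ACL) restricts them. The two 'ip http ...' lines are the
    ones that 'no ip http server' / 'no ip http secure-server' remove."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http_enabled": "ip http server" in lines,
        "https_enabled": "ip http secure-server" in lines,
        "acl_applied": any(line.startswith("ip http access-class") for line in lines),
    }


def unexpected_priv15_users(config: str, expected=EXPECTED_ADMINS) -> list:
    """Local users configured with privilege 15 (full administrator access)
    that are not in the known-good set: candidates for attacker-created
    accounts such as cisco_tac_admin and cisco_support."""
    found = re.findall(r"^username (\S+) privilege 15\b", config, re.M)
    return [user for user in found if user not in expected]


def mitigation_commands(audit: dict) -> list:
    """The commands from the article, for whichever listeners are still on.
    The 'no ip http ...' lines go in global configuration mode; the copy
    (canonical spelling of the article's save command) is run from
    privileged EXEC afterwards so the change survives a reload."""
    cmds = []
    if audit["http_enabled"]:
        cmds.append("no ip http server")
    if audit["https_enabled"]:
        cmds.append("no ip http secure-server")
    if cmds:
        cmds.append("copy running-config startup-config")
    return cmds


HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_probe_response(body: str) -> bool:
    """The article's rule for the logon_hash=1 probe: the implant answers
    with a bare hexadecimal string; a clean device does not (it returns the
    web UI's normal HTML, an error page, or nothing)."""
    token = body.strip()
    return bool(token) and HEX_RE.fullmatch(token) is not None


def probe_device(host: str, timeout: float = 5.0) -> bool:
    """Send the same request as the curl command in the article (TLS
    verification disabled, as with curl -k, because IOS XE web UIs usually
    present self-signed certificates) and classify the body. 'host' is
    assumed to be a device you are authorised to test."""
    url = f"https://{host}/webui/logoutconfirm.html?logon_hash=1"
    req = urllib.request.Request(url, data=b"", method="POST")
    ctx = ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx: an error page, not the hex token
        body = err.read().decode("utf-8", "replace")
    return classify_probe_response(body)


if __name__ == "__main__":
    audit = audit_http_server(SAMPLE_CONFIG)
    print("web UI listeners:", audit)
    print("unexpected privilege-15 users:", unexpected_priv15_users(SAMPLE_CONFIG))
    print("commands to apply:", mitigation_commands(audit))
    print("implant-style response?", classify_probe_response("0123456789abcdef01"))
```

Run it against a real device only with a `show running-config` export fed to the audit functions and a host you are authorised to probe; the listener audit is the thing to re-run after the reload, since a configuration that was not saved reverts to the exposed state.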

In addition, as Cisco Talos reported, the attacker exploited a vulnerability that has had a patch available since 2021 to deepen the compromise. All operating systems and software should be kept up to date and patched so that a known vulnerability cannot be used against them.

Disclosure: I work for Trend Micro, but the views expressed in this post are mine.
