Cisco is dealing with active exploitation of vulnerabilities in Cisco IOS XE


If exploited, these flaws allow an unauthenticated attacker to obtain full administrative control of an affected device, and with it access to anything the device handles.

Over the last few weeks Cisco has been dealing with a serious security problem in the implementation of the web user interface (Web UI) found on physical and virtual Cisco devices that run the Cisco IOS XE operating system.

Since mid-October it has been public that a critical vulnerability, already cataloged as CVE-2023-20198, allows an attacker who can reach the network port on which the web interface listens to gain, without authentication, full access to the system at the highest privilege level.

The seriousness of the problem is aggravated by the fact that attackers had been using the then-unpatched vulnerability for more than a month to create additional accounts named "cisco_tac_admin" and "cisco_support" with administrator rights, and to automatically drop an implant on the devices that gives remote access to execute commands on them.

A second, separate vulnerability, CVE-2023-20273, was chained with the first in these attacks to install the implant on devices running Cisco IOS XE. Cisco reports that, after exploiting CVE-2023-20198 to create an account with the highest privilege level, the attackers logged in with that new account and exploited CVE-2023-20273 to execute arbitrary commands on the device with root rights.

It is mentioned that exploiting CVE-2023-20198 gives an attacker privilege level 15 access to the device, which is then used to create a local user and log in with that account. The exploit bypasses the access check by replacing characters in the request path with their percent-encoded representation ("%xx"), which the device ends up decoding more than once. For example, to reach the WSMA (Web Services Management Agent) service, one can send a "POST /%2577ebui_wsma_HTTP" request: "%25" decodes to "%", so the path first becomes "/%77ebui_wsma_HTTP" and then "/webui_wsma_HTTP", which invokes the "webui_wsma_http" handler without the access check ever being applied to it.
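To make the encoding trick concrete, here is an added example written for this article (it is not code from Cisco, nor from the published exploit) that models the mismatch in a few lines of Python. The front-end gate, the backend router and the protected endpoint name are simplifications assumed for illustration; only the request path `/%2577ebui_wsma_HTTP` comes from the text above. The point it shows is general: whenever the component that authorises a request and the component that routes it decode or compare the path differently, an encoded or differently-cased path slips past the first and is still understood by the second. The hardened version canonicalises once and runs the check on the same string the backend will use.

```python
from typing import Optional
from urllib.parse import unquote

# Endpoint that must only be reachable after authentication. The handler name is
# the one quoted in the article; the real IOS XE handler table is not public.
PROTECTED = {"/webui_wsma_http"}


def front_end_check(path: str) -> bool:
    """Model of the flawed gate: decode the path once and compare it exactly.

    Returns True when the request is let through WITHOUT credentials, i.e. the
    path was not recognised as a protected endpoint.
    """
    seen = unquote(path)          # "/%2577ebui_wsma_HTTP" -> "/%77ebui_wsma_HTTP"
    return seen not in PROTECTED  # unknown path -> treated as public


def backend_dispatch(path: str) -> str:
    """Model of the backend: decodes again and resolves handlers case-insensitively."""
    handler = unquote(unquote(path)).lower()  # -> "/webui_wsma_http"
    return handler.lstrip("/")


def vulnerable_request(path: str, authenticated: bool) -> str:
    """Returns the handler name reached, or 'denied'."""
    if authenticated or front_end_check(path):
        return backend_dispatch(path)
    return "denied"


def canonicalize(path: str) -> Optional[str]:
    """Hardened normalisation: decode until the path stops changing, but reject
    anything that needed a second decoding pass (double encoding) or still
    contains a stray '%'. Returns the lower-cased canonical path, or None."""
    current = path
    rounds = 0
    while True:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
        if rounds > 1:      # "%2577..." needs two passes -> refuse the request
            return None
    if "%" in current:      # malformed or unfinished percent-encoding
        return None
    return current.lower()


def hardened_request(path: str, authenticated: bool) -> str:
    """Same dispatch, but the access check runs on the canonical path that the
    backend will actually use, so encoding and case tricks cannot split them."""
    canon = canonicalize(path)
    if canon is None:
        return "denied"
    if canon in PROTECTED and not authenticated:
        return "denied"
    return canon.lstrip("/")


if __name__ == "__main__":
    for p in ("/webui_wsma_http", "/webui_wsma_HTTP", "/%2577ebui_wsma_HTTP"):
        print(f"{p:24} vulnerable={vulnerable_request(p, False):16} "
              f"hardened={hardened_request(p, False)}")
```

In the flawed model even the single-encoded or merely upper-cased variants get through, because the gate compares the raw string exactly while the backend lower-cases it. The hardened check refuses any path that needed a second decoding pass instead of trying to "fully decode" it, which is the safer policy: legitimate clients never double-encode.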

Unlike the September case, the October activity included several follow-up actions, among them the deployment of an implant that Cisco Talos calls "BadCandy", consisting of a configuration file ("cisco_service.conf"). The configuration file defines a new web server endpoint (URI path) used to interact with the implant. That endpoint accepts certain parameters that allow the actor to execute arbitrary commands at the system (shell) level or at the IOS level. For the implant to activate, the web server must be restarted; in at least one observed case the server was not restarted, so the implant was never activated despite having been installed.

The BadCandy implant is saved at the path "/usr/binos/conf/nginx-conf/cisco_service.conf" and contains two variable strings made up of hexadecimal characters. The implant is not persistent: a device reboot removes it. The newly created local user accounts, however, survive a reboot. Those accounts have privilege level 15, that is, full administrator access to the device. This privileged access and the subsequent creation of new users is what is tracked as CVE-2023-20198.

Cisco has been publishing updated information about the case, both on its own investigation and on the technical analysis of the vulnerabilities. A prototype exploit has also appeared, prepared by an independent researcher from an analysis of attacker traffic.

Although, to maintain an appropriate level of security, it is recommended to expose the web interface only to selected hosts or to the local network, many administrators leave it reachable from the Internet. According to the Shodan service, more than 140 thousand potentially vulnerable devices are currently reachable on the Internet, and a CERT team has already counted around 35 thousand Cisco devices that were successfully compromised.
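Two practical checks follow from the points above: privilege-15 accounts persist across a reboot even after the implant is gone, and the web UI should not be reachable from untrusted networks. The following Python is an added example written for this article (not a Cisco tool): it parses a constructed `show running-config` excerpt, lists level-15 local users that are not on a hypothetical allow list, and reports whether `ip http server` / `ip http secure-server` is enabled without an `ip http access-class` restriction. The hostname, the allow list and the secret hashes are made up; the account name `cisco_tac_admin` is one of the two named in the article.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output (not a capture from a real
# device). "cisco_tac_admin" mirrors one of the account names cited in the article.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$XXXXXXXXXXXXXXXXXXXX
username cisco_tac_admin privilege 15 secret 5 $1$XXXX$XXXXXXXXXXXXXXXXXXXXXX
username readonly privilege 1 secret 9 $9$YYYYYYYYYYYYYYYYYYYY
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Accounts that are supposed to hold privilege level 15 (hypothetical allow list).
EXPECTED_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.MULTILINE)


def privileged_users(config: str) -> Dict[str, int]:
    """Map of local username -> configured privilege level (only users that set one)."""
    return {m.group(1): int(m.group(2)) for m in USER_RE.finditer(config)}


def unexpected_level15(config: str, expected=EXPECTED_ADMINS) -> List[str]:
    """Level-15 accounts that are not on the allow list. These are what the
    attackers leave behind, and they survive a reboot even though the implant does not."""
    return sorted(user for user, level in privileged_users(config).items()
                  if level == 15 and user not in expected)


def http_exposure(config: str) -> List[str]:
    """Flags the web UI being enabled without an access-class restriction,
    and the plaintext HTTP listener being enabled at all."""
    lines = {line.strip() for line in config.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    restricted = any(line.startswith("ip http access-class") for line in lines)
    findings = []
    if (http_on or https_on) and not restricted:
        findings.append("web UI enabled without ip http access-class")
    if http_on:
        findings.append("plaintext ip http server enabled")
    return findings


def audit(config: str, expected=EXPECTED_ADMINS) -> Dict[str, List[str]]:
    """Combined report for one device's running configuration."""
    return {
        "unexpected_level15_users": unexpected_level15(config, expected),
        "http_findings": http_exposure(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Two caveats apply. The running configuration says nothing about the implant itself, which lives in the nginx configuration directory rather than in the IOS config, so a clean account list is necessary but not sufficient; Cisco Talos published a separate check that sends a request to the implant's endpoint on the device's web UI and treats a hexadecimal string in the reply as an indicator of compromise. And the definitive mitigation Cisco recommended while patches were pending is `no ip http server` and `no ip http secure-server`, in which case the exposure checks above report nothing.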

Finally, if you are interested in learning more about this, you can consult the original publication at the following link.

