CVE-2023-20198
Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Overview

Cisco recently published an advisory pertaining to active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when it is exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

Recommendations using Red Hat Ansible Automation Platform

In this blog, I will discuss a simple playbook that can help network admins quickly identify and remediate affected devices. For a large production environment, Red Hat Ansible Automation Platform can enhance the playbook run with additional capabilities (ticketing integrations, role-based access, workflows, self-service, etc.).

Vulnerable Products

All Cisco IOS-XE based products are potentially at risk. The example playbook is located here.
In the example playbook we will explore its functionality using one of the Cisco Sandbox always-on routers.

Determine the HTTP Server Configuration

The following portion of the playbook determines the HTTP server configuration and prints the results.

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. The following task disables the HTTP/HTTPS server if it is detected.


Indicators of Compromise

To determine whether a system may have been compromised, check the system logs for the presence of any of the following log messages, where the user could be cisco_tac_admin, cisco_support or any configured local user that is unknown to the network administrator. Identifying such unknown users would require additional steps.

For now, our playbook will just search the syslogs more generically. If needed, we can build additional assertions into the tasks to refine the check afterwards.
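A reconstruction of the playbook's tasks as an added example (not the post's own https.yml): it assumes a `routers` inventory group, a `show running-config all` check command, two generic `show logging` patterns and a constructed `known_users` allow-list, and it adds a final task that reports local usernames outside that list, the extra step the section above leaves for later. The `when` conditional on the disable task is what makes that task skip on a rerun once the server lines already read `no ip http ...`.

```yaml
---
- name: Mitigate CVE-2023-20198 Critical Vulnerability
  hosts: routers            # assumed inventory group of IOS XE devices
  gather_facts: false
  vars:
    known_users: [developer]  # constructed allow-list of expected local accounts
  tasks:
    - name: Check if Web service is running on router
      cisco.ios.ios_command:
        commands:
          # "show running-config all" also prints defaults, so a clean router
          # answers "no ip http server" rather than returning nothing
          - show running-config all | include ip http (secure-)?server$
      register: user_output
    - name: Print results
      ansible.builtin.debug:
        var: user_output.stdout_lines[0]
    - name: If needed, disable Web User Interface of Cisco IOS XE
      cisco.ios.ios_config:
        lines:
          - no ip http server
          - no ip http secure-server
      # true while either server line is still enabled; skipped on a rerun
      when: user_output.stdout_lines[0] | select('match', '^ip http') | list | length > 0
    - name: Determine if exploit exists in syslogs
      cisco.ios.ios_command:
        commands:                           # assumed generic patterns; refine
          - show logging | include webui    # them to the advisory's log strings
          - show logging | include WEBLOGIN
      register: Logging_output
    - name: Print results
      ansible.builtin.debug:
        var: Logging_output.stdout_lines
    - name: Collect locally configured users
      cisco.ios.ios_command:
        commands:
          - show running-config | include ^username
      register: users_output
    - name: Report local users that are not on the allow-list
      ansible.builtin.debug:
        msg: "Unknown local user(s): {{ unknown_users }}"
      vars:
        unknown_users: >-
          {{ users_output.stdout_lines[0]
             | select('match', '^username ')
             | map('regex_replace', '^username (\S+).*$', '\1')
             | difference(known_users) }}
      when: unknown_users | length > 0
```

Replace `ansible.builtin.debug` in the last task with `ansible.builtin.assert` if you want the run to fail, rather than just report, when an unexpected local account is present.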

Other Considerations

In the event that the web UI service must continue to run on the affected devices, Cisco recommends restricting access to those services to trusted networks by using an access list. In this case, do not use the playbook, because the example playbook does not provide an option to apply a network ACL.

Testing in the Devnet Sandbox

Simply use the Cisco Always-On Sandbox to test the example:

1. Log into the sandbox router and turn on the HTTP/HTTPS server

ssh developer@sandbox-iosxe-recomm-1.cisco.com
pass=lastorangerestoreball8876

2. Configure

conf t
ip http server
ip http secure-server

Warning: I returned to the devnet sandbox recently and noticed Cisco had removed privilege level 15. Not sure if this is only temporary due to the vulnerability. As such you may need to point to another lab router or another environment. I ran it again in a different router in my own lab environment.

3. Run the playbook
The first time you run the playbook, it disables the HTTP/HTTPS server. There will be no syslog output if the sandbox router wasn’t exploited; these sandbox routers are launched daily with a clean image. I’m using ansible-navigator below.

(venv) [tdubiel@fedora cisco_compliance_remediation]$ ansible-navigator run https.yml -m stdout -v
PLAY [Mitigate CVE-2023-20198 Critical Vulnerability] **************************
TASK [Check if Web service is running on router] *******************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["ip http server\nip http secure-server"], "stdout_lines": [["ip http server", "ip http secure-server"]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
    "user_output.stdout_lines[0]": [
        "ip http server",
        "ip http secure-server"
    ]
}
TASK [If needed, disable Web User Interface of Cisco IOS XE] *******************
changed: [sandbox-iosxe-recomm-1.cisco.com] => {"banners": {}, "changed": true, "commands": ["no ip http server", "no ip http secure-server"], "updates": ["no ip http server", "no ip http secure-server"], "warnings": ["To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device"]}
TASK [Determine if exploit exists in syslogs] **********************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["", ""], "stdout_lines": [[""], [""]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
    "Logging_output.stdout_lines": [
        [
            ""
        ],
        [
            ""
        ]
    ]
}
PLAY RECAP *********************************************************************
sandbox-iosxe-recomm-1.cisco.com : ok=5    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

4. Rerun the playbook
This time the third task is skipped. Take a look at the ‘when’ conditional.

PLAY [Mitigate CVE-2023-20198 Critical Vulnerability] **************************
TASK [Check if Web service is running on router] *******************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["no ip http server\nno ip http secure-server"], "stdout_lines": [["no ip http server", "no ip http secure-server"]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
    "user_output.stdout_lines[0]": [
        "no ip http server",
        "no ip http secure-server"
    ]
}
TASK [Determine if exploit exists in syslogs] **********************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["", ""], "stdout_lines": [[""], [""]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
    "Logging_output.stdout_lines": [
        [
            ""
        ],
        [
            ""
        ]
    ]
}
PLAY RECAP *********************************************************************
sandbox-iosxe-recomm-1.cisco.com : ok=4    changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

Ansible Controller

How would this look in AAP? I’m glad you asked… All you need is a project pointing to the repository and an inventory of router(s) in the AAP controller. Afterwards, create a job template mapping to the https.yml playbook. I pointed my Ansible controller to a Red Hat lab router ‘rtr1’ and ran the same playbook to disable the HTTP and HTTPS services. Please see the AAP controller job output:

TASK [Print results] ***********************************************************16:42:26
ok: [rtr1] => {
    "user_output.stdout_lines[0]": [
        "ip http server",
        "ip http secure-server",
        " active"
    ]
}

TASK [If needed, disable Web User Interface of Cisco IOS XE] *******************16:42:27
changed: [rtr1]

TASK [Determine if exploit exists in syslogs] **********************************16:42:30
ok: [rtr1]

TASK [Print results] ***********************************************************16:42:31
ok: [rtr1] => {
    "Logging_output.stdout_lines": [
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ]
    ]
}

PLAY RECAP *********************************************************************16:42:32
rtr1 : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

What changed?

Summary

Unfortunately, exploits surface regularly. The good news is that you can mitigate the risk faster and with less effort by using Ansible Automation Platform to automate the checks and remediations for network configuration vulnerabilities. Ansible Automation Platform is simple, powerful and agentless!

Continuing the network automation adventure:

Want to try Ansible Automation Platform in your own environment? 

We offer an Ansible Automation Platform trial.

Interested in developing human-readable automation with Ansible? 

DO007 is a free self-paced online video course to expand your automation skills. We also provide short self-paced, interactive labs with Ansible Automation Platform 2.

Want to learn more about network automation use cases?

Check out additional information about network automation use cases; you are also invited to try Ansible Automation Platform for a free trial. 

Additional documentation to start can be found here: 


About the author

Tony Dubiel is a Product Solution Architect for Red Hat’s Ansible Automation Platform supporting North America Public Sector (NAPs). He is an Air Force veteran with over 25 years of telecommunications and network experience. Tony is passionate about aligning DevOps best practices with network operations. He is currently an active triple CCIE #10844 (DC, R&S, and Voice) and Cisco Devnet Professional certified.