CVE-2023-20198
Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Overview
Cisco recently published an advisory pertaining to an active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
Recommendations using Red Hat Ansible Automation Platform
In this blog, I will discuss a simple playbook that can help network admins quickly identify and remediate affected devices. For a large production environment, Red Hat Ansible Automation Platform can extend the playbook run with additional capabilities (ticketing integrations, role-based access control, workflows, self service, etc.).
Vulnerable Products
All Cisco IOS XE based products are potentially at risk. The example playbook is located here.
In the example playbook we will explore its functionality using one of the Cisco Sandbox always-on routers.
Determine the HTTP Server Configuration
The following portion of the playbook will determine the HTTP Server Configuration and print the results.
Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. The following task will disable the http/https server if it is detected.
Indicators of Compromise
To determine whether a system may have been compromised, check the system logs for the presence of any of the following log messages, where the user could be cisco_tac_admin, cisco_support or any configured local user that is unknown to the network administrator. Identifying unknown local users requires additional steps beyond the log check.
For now, the playbook simply searches the syslog for generic patterns. If needed, additional assertions can be added to the tasks later to refine the check.
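The two parts described above (detect and disable the HTTP server, then search the syslog) as one complete playbook. This is an added example written for this page, not the blog's own https.yml; it reuses the task names and registered variable names visible in the output below so the two can be compared. Assumed values: the inventory group name `routers`, the search terms in `ioc_patterns` (the two user names mentioned above plus the string `webui`, constructed here as a generic starting point), and an extra task that lists the locally configured users so an administrator can review them for unknown accounts, which goes one step beyond the page's description.

```yaml
---
# Added example playbook (not the blog's https.yml).
# Assumes the inventory group "routers" with network_cli connectivity
# to Cisco IOS XE devices.
- name: Mitigate CVE-2023-20198 Critical Vulnerability
  hosts: routers
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    # Constructed search terms: the user names named in the advisory text
    # and the "webui" process string. Extend with the exact log messages
    # from the Cisco advisory for a tighter check.
    ioc_patterns:
      - cisco_tac_admin
      - cisco_support
      - webui

  tasks:
    - name: Check if Web service is running on router
      cisco.ios.ios_command:
        commands:
          - show running-config | include ip http
      register: user_output

    - name: Print results
      ansible.builtin.debug:
        var: user_output.stdout_lines[0]

    # Runs only while a line still starts with "ip http"; on a rerun the
    # running-config shows "no ip http server", so this task is skipped.
    - name: If needed, disable Web User Interface of Cisco IOS XE
      cisco.ios.ios_config:
        lines:
          - no ip http server
          - no ip http secure-server
      when: user_output.stdout_lines[0] | select('match', '^ip http') | list | length > 0

    # One "show logging | include <pattern>" per indicator; each result lands
    # in logging_output.results with its stdout and the pattern as item.
    - name: Determine if exploit exists in syslogs
      cisco.ios.ios_command:
        commands:
          - "show logging | include {{ item }}"
      loop: "{{ ioc_patterns }}"
      register: logging_output

    - name: Print results
      ansible.builtin.debug:
        msg: "{{ item.item }}: {{ item.stdout_lines[0] }}"
      loop: "{{ logging_output.results }}"
      loop_control:
        label: "{{ item.item }}"

    # Empty output means no match (stdout is ""); any non-empty stdout
    # fails the play so the device is flagged in the job output.
    - name: Fail the run when an indicator of compromise matched
      ansible.builtin.assert:
        that:
          - logging_output.results | map(attribute='stdout.0') | reject('equalto', '') | list | length == 0
        fail_msg: "Possible CVE-2023-20198 indicator found in syslog; investigate this device before trusting it."

    # Added step: list local accounts so unknown users can be reviewed.
    - name: List locally configured users for review
      cisco.ios.ios_command:
        commands:
          - show running-config | include ^username
      register: local_users

    - name: Print local users
      ansible.builtin.debug:
        var: local_users.stdout_lines[0]
```

The assert task is what makes the check actionable in a scheduled job: a clean device passes silently, while any syslog hit turns the run red rather than leaving the finding buried in debug output.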
Other Considerations
In the event the web UI service must continue to run on the affected devices, Cisco recommends restricting access to those services to trusted networks by using an access list. In this case, do not use the playbook, because the option to apply a network ACL is not provided in the example playbook.
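For devices where the web UI has to stay up, the access-list alternative Cisco describes can be automated the same way. The following is an added example, not part of the page's playbook. The ACL number `10`, the trusted management prefix, and the group name `routers` are constructed values; the `ip http access-class` command form should be checked against the command reference for the IOS XE release in use before the play is run.

```yaml
---
# Added example (not the blog's playbook): keep the web UI reachable only
# from a trusted management network instead of disabling it.
- name: Restrict IOS XE web UI to trusted management networks
  hosts: routers
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    # Constructed values: standard ACL number and a wildcard-mask prefix.
    webui_acl: 10
    trusted_mgmt_prefix: "10.0.0.0 0.0.0.255"

  tasks:
    # A standard ACL: permit the management prefix, log everything else
    # so blocked attempts show up in syslog.
    - name: Build a standard ACL that permits only the management prefix
      cisco.ios.ios_config:
        lines:
          - "access-list {{ webui_acl }} permit {{ trusted_mgmt_prefix }}"
          - "access-list {{ webui_acl }} deny any log"

    # Bind the ACL to the HTTP server process (assumed command form;
    # verify for your release).
    - name: Bind the ACL to the HTTP server
      cisco.ios.ios_config:
        lines:
          - "ip http access-class {{ webui_acl }}"

    - name: Verify the resulting HTTP server configuration
      cisco.ios.ios_command:
        commands:
          - show running-config | include ip http
      register: http_cfg

    - name: Print the HTTP server configuration
      ansible.builtin.debug:
        var: http_cfg.stdout_lines[0]
```

The final task prints the same `ip http` lines the detection playbook prints, so the access-class binding can be confirmed in the job output alongside the server state.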
Testing in the Devnet Sandbox
Simply use the Cisco Always-On Sandbox to test the example:
1. Log into the sandbox router and turn on the http/https server
ssh developer@sandbox-iosxe-recomm-1.cisco.com
pass=lastorangerestoreball8876
2. Configure
conf t
ip http server
ip http secure-server
Warning: I returned to the devnet sandbox recently and noticed Cisco had removed privilege level 15. Not sure if this is only temporary due to the vulnerability. As such, you may need to point to another lab router or another environment. I ran it again in a different router in my own lab environment.
3. Run the playbook
On the first run, the playbook disables the http/https server. There will be no syslog output if the sandbox router wasn’t exploited; these sandbox routers are launched daily with a clean image. I’m using ansible-navigator below.
(venv) [tdubiel@fedora cisco_compliance_remediation]$ ansible-navigator run https.yml -m stdout -v
PLAY [Mitigate CVE-2023-20198 Critical Vulnerability] **************************
TASK [Check if Web service is running on router] *******************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["ip http server\nip http secure-server"], "stdout_lines": [["ip http server", "ip http secure-server"]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
"user_output.stdout_lines[0]": [
"ip http server",
"ip http secure-server"
]
}
TASK [If needed, disable Web User Interface of Cisco IOS XE] *******************
changed: [sandbox-iosxe-recomm-1.cisco.com] => {"banners": {}, "changed": true, "commands": ["no ip http server", "no ip http secure-server"], "updates": ["no ip http server", "no ip http secure-server"], "warnings": ["To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device"]}
TASK [Determine if exploit exists in syslogs] **********************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["", ""], "stdout_lines": [[""], [""]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
"Logging_output.stdout_lines": [
[
""
],
[
""
]
]
}
PLAY RECAP *********************************************************************
sandbox-iosxe-recomm-1.cisco.com : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
4. Rerun the playbook
This time the third task is skipped. Take a look at the ‘when’ conditional.
PLAY [Mitigate CVE-2023-20198 Critical Vulnerability] **************************
TASK [Check if Web service is running on router] *******************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["no ip http server\nno ip http secure-server"], "stdout_lines": [["no ip http server", "no ip http secure-server"]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
"user_output.stdout_lines[0]": [
"no ip http server",
"no ip http secure-server"
]
}
TASK [Determine if exploit exists in syslogs] **********************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["", ""], "stdout_lines": [[""], [""]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
"Logging_output.stdout_lines": [
[
""
],
[
""
]
]
}
PLAY RECAP *********************************************************************
sandbox-iosxe-recomm-1.cisco.com : ok=4 changed=0 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
Ansible Controller
How would this look in AAP? I’m glad you asked… All you need is a project pointing to the repository and an inventory of the router(s) in the AAP controller. Afterwards, create a job template mapped to the http.yml playbook. I pointed my Ansible controller to a Red Hat lab router ‘rtr1’ and ran the same playbook to disable the http and https services. Please see the AAP Controller job output:
TASK [Print results] *********************************************************** 16:42:26
ok: [rtr1] => {
    "user_output.stdout_lines[0]": [
        "ip http server",
        "ip http secure-server",
        " active"
    ]
}

TASK [If needed, disable Web User Interface of Cisco IOS XE] ******************* 16:42:27
changed: [rtr1]

TASK [Determine if exploit exists in syslogs] ********************************** 16:42:30
ok: [rtr1]

TASK [Print results] *********************************************************** 16:42:31
ok: [rtr1] => {
    "Logging_output.stdout_lines": [
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ]
    ]
}

PLAY RECAP ********************************************************************* 16:42:32
rtr1 : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
What changed?
Summary
Unfortunately, exploits surface regularly. The good news is that you can mitigate the risk faster and with less effort by using Ansible Automation Platform to automate the checking and remediation of network configuration vulnerabilities. Ansible Automation Platform is simple, powerful and agentless!
Continuing the network automation adventure:
Want to try Ansible Automation Platform in your own environment?
We offer an Ansible Automation Platform trial.
Interested in developing human-readable automation with Ansible?
DO007 is a free self-paced online video course to expand your automation skills. We also provide short self-paced, interactive labs with Ansible Automation Platform 2.
Want to learn more about network automation use cases?
Check out additional information about network automation use cases; you are also invited to try Ansible Automation Platform for a free trial.
Additional documentation to start can be found here: