
CVE-2023-20198
Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Overview

Cisco recently published an advisory about active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when it is exposed to the internet or to untrusted networks. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain full control of the affected system.

Recommendations using Red Hat Ansible Automation Platform

In this blog, I will discuss a simple playbook that can help network admins quickly identify and remediate affected devices. For a large production environment, Red Hat Ansible Automation Platform can enhance the playbook run with additional capabilities (ticketing integrations, role-based access, workflows, self-service, etc.).

Vulnerable Products

All Cisco IOS XE based products are potentially at risk. The example playbook is located here.
In the example playbook we will explore its functionality using one of the Cisco Sandbox always-on routers.

Determine the HTTP Server Configuration

The following portion of the playbook determines whether the HTTP and HTTPS servers are enabled in the running configuration and prints the result.
 

Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. The following task disables the HTTP and HTTPS servers if either is detected.

 

Indicators of Compromise

To determine whether a system may have been compromised, check the system logs for any of the following log messages, where the user may be cisco_tac_admin, cisco_support, or any configured local user that is unknown to the network administrator. Identifying unknown local users requires additional steps beyond a log search (for example, comparing the configured usernames against the accounts you expect to exist).

For now, our playbook simply searches the syslog output for these strings. If needed, we can add assertions to the tasks later to refine the check.
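The following playbook is an added example written for this post, not the author's playbook from the linked repository. It covers the two sections above: it checks the web UI state and disables the servers when they are enabled (skipping that task on a rerun), then searches the local log buffer for the syslog message IDs Cisco's advisory lists as indicators, and finally compares the configured local usernames against an expected list so that unknown accounts are reported rather than left for a manual step. The inventory group `ios_routers` and the `known_users` values are assumptions; the `cisco.ios` modules and filters used are standard Ansible.

```yaml
---
# Added example, not the playbook from the original post. Inventory group
# and known_users are assumptions for illustration.
- name: Mitigate CVE-2023-20198 on Cisco IOS XE (check, disable, look for IOCs)
  hosts: ios_routers                      # assumed inventory group
  gather_facts: false
  vars:
    ansible_network_os: cisco.ios.ios
    ansible_connection: ansible.netcommon.network_cli
    # Local accounts you expect in the running configuration (assumed values).
    known_users:
      - developer
      - netops
    # Account names Cisco's advisory associates with this campaign.
    suspicious_users:
      - cisco_tac_admin
      - cisco_support
    # Syslog message IDs from the Cisco advisory: a programmatic config change
    # by the web UI process, a web UI login, and a web UI install operation.
    ioc_log_patterns:
      - "%SYS-5-CONFIG_P"
      - "%SEC_LOGIN-5-WEBLOGIN_SUCCESS"
      - "%WEBUI-6-INSTALL_OPERATION_INFO"

  tasks:
    - name: Check if web service is running on router
      cisco.ios.ios_command:
        commands:
          # IOS XE lists a disabled service explicitly as "no ip http server"
          - show running-config | include ^(no )?ip http (secure-)?server
      register: http_state

    - name: Print results
      ansible.builtin.debug:
        var: http_state.stdout_lines[0]

    - name: If needed, disable web user interface of Cisco IOS XE
      cisco.ios.ios_config:
        lines:
          - no ip http server
          - no ip http secure-server
      # Skipped on a rerun, when only the "no ip http ..." lines remain
      when: http_state.stdout_lines[0] | intersect(['ip http server', 'ip http secure-server']) | length > 0

    - name: Determine if exploit indicators exist in syslogs
      cisco.ios.ios_command:
        commands:
          - "show logging | include {{ item }}"
      loop: "{{ ioc_log_patterns + suspicious_users }}"
      register: logging_output

    - name: Collect non-empty matches (an empty string means no hit for that pattern)
      ansible.builtin.set_fact:
        ioc_hits: >-
          {{ logging_output.results
             | map(attribute='stdout_lines') | map('first') | flatten
             | reject('equalto', '') | list }}

    - name: List local user accounts
      cisco.ios.ios_command:
        commands:
          - show running-config | include ^username
      register: local_users

    - name: Work out which local users are not in the known list
      ansible.builtin.set_fact:
        unknown_users: >-
          {{ local_users.stdout_lines[0]
             | select('match', '^username ')
             | map('regex_replace', '^username (\\S+).*$', '\\1')
             | difference(known_users) }}

    - name: Print results
      ansible.builtin.debug:
        msg:
          - "Log lines matching IOC patterns: {{ ioc_hits }}"
          - "Local users not in known_users: {{ unknown_users }}"

    # Fail loudly so the host is flagged in the job output and investigated,
    # rather than silently treated as remediated because the web UI is off.
    - name: Flag possible compromise
      ansible.builtin.fail:
        msg: "{{ inventory_hostname }} has CVE-2023-20198 indicators; investigate before trusting this device"
      when: ioc_hits | length > 0 or unknown_users | length > 0
```

Disabling the web UI stops further exploitation but does not remove an account or implant that is already present, which is why the play fails the host when any indicator is found: a failed host in the recap is easy to route to a ticket or a workflow in the controller, while a green run would hide it. The log search only covers the local logging buffer, so if the device ships logs to a collector, run the same patterns there as well.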

Other Considerations

In the event that the web UI service must continue to run on the affected devices, Cisco recommends restricting access to those services to trusted networks by using an access list. In that case, do not use the playbook, because the option to apply a network ACL is not provided in the example playbook.
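For devices where the web UI must stay up, the following play is an added example (not part of the original post or its playbook) of applying Cisco's recommended access-list restriction with the same `cisco.ios` modules. The inventory group, ACL name and trusted source addresses are assumptions; the `ip http access-class ipv4 <name>` form needs an IOS XE release that accepts a named ACL on the HTTP server (older releases take a numbered standard ACL instead).

```yaml
---
# Added example, not from the original post: restrict the IOS XE web UI to
# trusted management sources instead of disabling it. Group, ACL name and
# addresses are assumptions.
- name: Restrict Cisco IOS XE web UI to trusted management hosts
  hosts: ios_routers                      # assumed inventory group
  gather_facts: false
  vars:
    ansible_network_os: cisco.ios.ios
    ansible_connection: ansible.netcommon.network_cli
    webui_acl_name: WEBUI-MGMT            # assumed name
    # Standard ACL entries: management subnet plus one jump host (assumed),
    # with an explicit logged deny so blocked attempts show up in syslog.
    webui_acl_entries:
      - permit 10.0.100.0 0.0.0.255
      - permit host 192.0.2.10
      - deny any log

  tasks:
    - name: Build a standard ACL that permits only the trusted sources
      cisco.ios.ios_config:
        parents: "ip access-list standard {{ webui_acl_name }}"
        lines: "{{ webui_acl_entries }}"
      # IOS stores ACL entries with sequence numbers, so a rerun may report
      # "changed" even though the resulting ACL is identical.

    - name: Apply the ACL to the HTTP server (covers both http and https)
      cisco.ios.ios_config:
        lines:
          - "ip http access-class ipv4 {{ webui_acl_name }}"

    - name: Show the resulting configuration
      cisco.ios.ios_command:
        commands:
          - "show running-config | section ip access-list standard {{ webui_acl_name }}"
          - show running-config | include ^ip http
      register: acl_state

    - name: Print results
      ansible.builtin.debug:
        var: acl_state.stdout_lines
```

The ACL limits who can reach the web UI; it does nothing about an account or implant that an attacker may already have created, so the indicator-of-compromise checks from the previous section still apply to these devices.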

Testing in the Devnet Sandbox

Simply use the Cisco Always-On Sandbox to test the example:

1. Log into the sandbox router and turn on the http/https server

ssh developer@sandbox-iosxe-recomm-1.cisco.com
pass=lastorangerestoreball8876

2. Configure

conf t
ip http server
ip http secure-server

Warning: I returned to the DevNet sandbox recently and noticed Cisco had removed privilege level 15. I am not sure whether this is only temporary due to the vulnerability. As such, you may need to point to another lab router or another environment. I ran it again on a different router in my own lab environment.

3. Run the playbook
The first time you run the playbook, it disables the http/https server. There will be no syslog output if the sandbox router was not exploited; these sandbox routers are relaunched daily with a clean image. I'm using ansible-navigator below.

(venv) [tdubiel@fedora cisco_compliance_remediation]$ ansible-navigator run https.yml -m stdout -v
PLAY [Mitigate CVE-2023-20198 Critical Vulnerability] **************************
TASK [Check if Web service is running on router] *******************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["ip http server\nip http secure-server"], "stdout_lines": [["ip http server", "ip http secure-server"]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
    "user_output.stdout_lines[0]": [
        "ip http server",
        "ip http secure-server"
    ]
}
TASK [If needed, disable Web User Interface of Cisco IOS XE] *******************
changed: [sandbox-iosxe-recomm-1.cisco.com] => {"banners": {}, "changed": true, "commands": ["no ip http server", "no ip http secure-server"], "updates": ["no ip http server", "no ip http secure-server"], "warnings": ["To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device"]}
TASK [Determine if exploit exists in syslogs] **********************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["", ""], "stdout_lines": [[""], [""]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
    "Logging_output.stdout_lines": [
        [
            ""
        ],
        [
            ""
        ]
    ]
}
PLAY RECAP *********************************************************************
sandbox-iosxe-recomm-1.cisco.com : ok=5    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

4. Rerun the playbook
This time the third task is skipped. Take a look at the ‘when’ conditional.

PLAY [Mitigate CVE-2023-20198 Critical Vulnerability] **************************
TASK [Check if Web service is running on router] *******************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["no ip http server\nno ip http secure-server"], "stdout_lines": [["no ip http server", "no ip http secure-server"]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
    "user_output.stdout_lines[0]": [
        "no ip http server",
        "no ip http secure-server"
    ]
}
TASK [Determine if exploit exists in syslogs] **********************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["", ""], "stdout_lines": [[""], [""]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
    "Logging_output.stdout_lines": [
        [
            ""
        ],
        [
            ""
        ]
    ]
}
PLAY RECAP *********************************************************************
sandbox-iosxe-recomm-1.cisco.com : ok=4    changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

Ansible Controller

How would this look in AAP? I'm glad you asked... All you need is a project pointing to the repository and an inventory of router(s) in the AAP controller. Afterwards, create a job template mapped to the https.yml playbook. I pointed my Ansible controller to a Red Hat lab router 'rtr1' and ran the same playbook to disable the http and https services. Please see the AAP Controller job output:


TASK [Print results] ***********************************************************16:42:26
ok: [rtr1] => {
    "user_output.stdout_lines[0]": [
        "ip http server",
        "ip http secure-server",
        " active"
    ]
}

TASK [If needed, disable Web User Interface of Cisco IOS XE] *******************16:42:27
changed: [rtr1]

TASK [Determine if exploit exists in syslogs] **********************************16:42:30
ok: [rtr1]

TASK [Print results] ***********************************************************16:42:31
ok: [rtr1] => {
    "Logging_output.stdout_lines": [
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ],
        [
            ""
        ]
    ]
}

PLAY RECAP *********************************************************************16:42:32
rtr1 : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0


Summary

Unfortunately, exploits surface regularly. The good news is that you can mitigate the risk faster and with less effort by using Ansible Automation Platform to automate the checks and remediations for network configuration vulnerabilities. Ansible Automation Platform is simple, powerful and agentless!

Continuing the network automation adventure:

Want to try Ansible Automation Platform in your own environment? 

We offer an Ansible Automation Platform trial.

Interested in developing human-readable automation with Ansible? 

DO007 is a free self-paced online video course to expand your automation skills. We also provide short self-paced, interactive labs with Ansible Automation Platform 2.

Want to learn more about network automation use cases?

Check out additional information about network automation use cases; you are also invited to try Ansible Automation Platform for a free trial. 

Additional documentation to start can be found here: 


About the author

Tony Dubiel is a Product Solution Architect for Red Hat’s Ansible Automation Platform supporting North America Public Sector (NAPs). He is an Air Force veteran with over 25 years of telecommunications and network experience. Tony is passionate about aligning DevOps best practices with network operations. He is currently an active triple CCIE #10844 (DC, R&S, and Voice) and Cisco Devnet Professional certified.
