CVE-2023-20198
Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Overview
Cisco recently published an advisory pertaining to an active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
Recommendations using Red Hat Ansible Automation Platform
In this blog, I will discuss a simple playbook that can help network admins quickly identify and remediate affected devices. For a large production environment, Red Hat Ansible Automation Platform can extend the playbook run with further capabilities (ticketing integrations, role-based access, workflows, self-service, etc.).
Vulnerable Products
All Cisco IOS-XE based products are potentially at risk. The example playbook is located here.
In the example playbook, we will explore its functionality using one of the Cisco Sandbox always-on routers.
Determine the HTTP Server Configuration
The following portion of the playbook determines the HTTP server configuration and prints the results.
Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. The following task disables the http/https server if it is detected as enabled.
Indicators of Compromise
To determine whether a system may have been compromised, check the system logs for the presence of any of the following log messages, where the user could be cisco_tac_admin, cisco_support, or any configured local user that is unknown to the network administrator. Identifying such unknown users would require additional steps.
For now, our playbook will just do a more generic search of the syslogs. If needed, we can add assertions to the tasks later to refine the check.
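The following is an added example playbook, not the author's https.yml, that reconstructs the web UI check and remediation and the syslog search described above: the task names mirror the job output shown later, while the commands, the 'when' conditional, the host group 'routers', the ioc_patterns list and the known_users list are assumptions. It goes one step beyond the text by also listing local usernames that are not on an expected list, the additional step mentioned above.

```yaml
# Added example, not the author's https.yml: task names mirror the job output
# shown on this page; commands, conditionals and variable values are assumptions.
- name: Mitigate CVE-2023-20198 Critical Vulnerability
  hosts: routers
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    ioc_patterns:            # constructed: usernames named as indicators above
      - cisco_tac_admin
      - cisco_support
    known_users:             # assumption: accounts the admin expects to exist
      - developer
  tasks:
    - name: Check if Web service is running on router
      cisco.ios.ios_command:
        commands:
          - show running-config | include ip http
      register: user_output
    - name: Print results
      ansible.builtin.debug:
        var: user_output.stdout_lines[0]
    - name: If needed, disable Web User Interface of Cisco IOS XE
      cisco.ios.ios_config:
        lines:
          - no ip http server
          - no ip http secure-server
      # Exact-line match so "no ip http server" on a rerun does not trigger it
      when: >-
        user_output.stdout_lines[0]
        | select('match', '^ip http (secure-)?server$') | list | length > 0

    - name: Determine if exploit exists in syslogs
      cisco.ios.ios_command:
        commands: "{{ ioc_patterns | map('regex_replace', '^', 'show logging | include ') | list }}"
      register: Logging_output
    - name: Print results
      ansible.builtin.debug:
        var: Logging_output.stdout_lines
    - name: Collect local user accounts
      cisco.ios.ios_command:
        commands:
          - show running-config | include ^username
      register: local_users

    - name: Print local users not in the known list
      ansible.builtin.debug:
        msg: "Unknown local user: {{ item.split()[1] }}"
      loop: "{{ local_users.stdout_lines[0] | select('match', '^username ') | list }}"
      when: item.split()[1] not in known_users
```

Each entry in ioc_patterns becomes one 'show logging | include' command, so Logging_output.stdout_lines has one list per pattern, as in the job output below; an empty string in a list means no matching log line.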
Other Considerations
In the event the web UI service must continue to run on the affected devices, Cisco recommends restricting access to those services to trusted networks by using an access list. In this case, do not use the playbook, because the example playbook does not provide an option to apply a network ACL.
Testing in the Devnet Sandbox
Simply use the Cisco Always-On Sandbox to test the example:
1. Log into the sandbox router and turn on the http/https server
ssh developer@sandbox-iosxe-recomm-1.cisco.com
pass=lastorangerestoreball88762
2. Configure
conf t
ip http server
ip http secure-server
Warning: I returned to the devnet sandbox recently and noticed Cisco had removed privilege level 15. Not sure if this is only temporary due to the vulnerability. As such, you may need to point to another lab router or another environment. I ran it again on a different router in my own lab environment.
3. Run the playbook
The first run of the playbook disables the http/https server. There will be no syslog output if the sandbox router wasn’t exploited; these sandbox routers are launched daily with a clean image. I’m using ansible-navigator below.
(venv) [tdubiel@fedora cisco_compliance_remediation]$ ansible-navigator run https.yml -m stdout -v
PLAY [Mitigate CVE-2023-20198 Critical Vulnerability] **************************
TASK [Check if Web service is running on router] *******************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["ip http server\nip http secure-server"], "stdout_lines": [["ip http server", "ip http secure-server"]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
"user_output.stdout_lines[0]": [
"ip http server",
"ip http secure-server"
]
}
TASK [If needed, disable Web User Interface of Cisco IOS XE] *******************
changed: [sandbox-iosxe-recomm-1.cisco.com] => {"banners": {}, "changed": true, "commands": ["no ip http server", "no ip http secure-server"], "updates": ["no ip http server", "no ip http secure-server"], "warnings": ["To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device"]}
TASK [Determine if exploit exists in syslogs] **********************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["", ""], "stdout_lines": [[""], [""]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
"Logging_output.stdout_lines": [
[
""
],
[
""
]
]
}
PLAY RECAP *********************************************************************
sandbox-iosxe-recomm-1.cisco.com : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
4. Rerun the playbook
This time the third task is skipped because the http/https server is already disabled. Take a look at the ‘when’ conditional.
PLAY [Mitigate CVE-2023-20198 Critical Vulnerability] **************************
TASK [Check if Web service is running on router] *******************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["no ip http server\nno ip http secure-server"], "stdout_lines": [["no ip http server", "no ip http secure-server"]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
"user_output.stdout_lines[0]": [
"no ip http server",
"no ip http secure-server"
]
}
TASK [Determine if exploit exists in syslogs] **********************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {"changed": false, "stdout": ["", ""], "stdout_lines": [[""], [""]]}
TASK [Print results] ***********************************************************
ok: [sandbox-iosxe-recomm-1.cisco.com] => {
"Logging_output.stdout_lines": [
[
""
],
[
""
]
]
}
PLAY RECAP *********************************************************************
sandbox-iosxe-recomm-1.cisco.com : ok=4 changed=0 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
Ansible Controller
How would this look in AAP? I’m glad you asked… All you need is a project pointing to the repository, with an inventory of router(s) in the AAP controller. Afterwards, create a job template that maps to the http.yml playbook. I pointed my Ansible controller to a Red Hat lab router ‘rtr1’ and ran the same playbook to disable the http and https services. Please see the AAP Controller job output:
TASK [Print results] *********************************************************** 16:42:26
ok: [rtr1] => {
"user_output.stdout_lines[0]": [
"ip http server",
"ip http secure-server",
" active"
]
}
TASK [If needed, disable Web User Interface of Cisco IOS XE] ******************* 16:42:27
changed: [rtr1]
TASK [Determine if exploit exists in syslogs] ********************************** 16:42:30
ok: [rtr1]
TASK [Print results] *********************************************************** 16:42:31
ok: [rtr1] => {
"Logging_output.stdout_lines": [
[
""
],
[
""
],
[
""
],
[
""
],
[
""
]
]
}
PLAY RECAP ********************************************************************* 16:42:32
rtr1 : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Summary
Unfortunately, exploits surface regularly. The good news is that you can mitigate the risk faster, and with less effort, by using Ansible Automation Platform to automate the checks and remediations for network configuration vulnerabilities. Ansible Automation Platform is simple, powerful and agentless!
Continuing the network automation adventure:
Want to try Ansible Automation Platform in your own environment?
We offer an Ansible Automation Platform trial.
Interested in developing human-readable automation with Ansible?
DO007 is a free self-paced online video course to expand your automation skills. We also provide short self-paced, interactive labs with Ansible Automation Platform 2.
Want to learn more about network automation use cases?
Check out additional information about network automation use cases; you are also invited to try Ansible Automation Platform for a free trial.
Additional documentation to start can be found here: