Last updated on Friday, June 14, 2024 at 20:26:34 GMT

On Monday, October 16, Cisco's Talos group published a blog on an active threat campaign exploiting CVE-2023-20198, a "previously unknown" zero-day vulnerability in the web UI component of Cisco IOS XE software. IOS XE is an operating system that runs on a wide range of Cisco network devices, including routers, switches, wireless controllers, access points, and more. Successful exploitation of CVE-2023-20198 allows a remote, unauthenticated attacker to create an account on an affected device and use that account to obtain full administrator privileges, effectively enabling a complete takeover of the system.

There was no patch for CVE-2023-20198 at time of disclosure (October 17, 2023). As of October 22, Cisco has released fixed versions for a range of solutions. As Cisco Talos noted in their blog, the vulnerability has been exploited in the wild, and as of October 17 there appeared to be a large number of devices running IOS XE on the public internet. Estimates of internet-exposed devices running IOS XE vary, but the attack surface area does appear to be relatively large; one estimate put the number of exposed devices at more than 140K.

On October 20, Cisco updated their advisory on CVE-2023-20198 to reflect that the attack chain their team observed actually includes two zero-day vulnerabilities, not just one:

"The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.

The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.

CVE-2023-20198 has been assigned a CVSS Score of 10.0.
CVE-2023-20273 has been assigned a CVSS Score of 7.2.

Both of these CVEs are being tracked by CSCwh87343."

Other activity included deployment of an implant that allows the attacker to execute arbitrary commands at the system level or the IOS level. Cisco has an extensive description of the malicious behavior they've observed in their Talos blog.

Affected Products

Cisco's public advisory on CVE-2023-20198 and CVE-2023-20273 states that the vulnerabilities affect Cisco IOS XE software when the web UI feature is enabled (the UI is enabled via the ip http server or ip http secure-server commands). Cisco does not offer a list of products that definitively run IOS XE, but their product page for IOS XE lists some, including the Catalyst, ASR, and NCS families.

Per the advisory, customers can determine whether the HTTP Server feature is enabled on a system by logging into the system and using the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command. The presence of either command, or both, in the system configuration indicates that the web UI feature is enabled (and therefore that the system is vulnerable).

Cisco's advisory also notes that if the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP. If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

Mitigation Guidance

As of October 22, Cisco has released fixed versions of IOS XE that remediate CVE-2023-20198 for a range of platforms across their solution portfolio (e.g., SD-WAN and various routers and switches). Until patches are applied, organizations should disable the web UI (HTTP Server) component on internet-facing systems on an emergency basis. Organizations should also reboot their devices.

To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command. Per Cisco's advisory, if both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. Organizations should also avoid exposing web UI and management services to the internet or untrusted networks.
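The following Python helper, added here as an illustration and not part of Cisco's advisory or Rapid7's tooling, applies the advisory's rules from the two preceding sections to a saved running-config: it reports whether the web UI is reachable over HTTP and over HTTPS (treating the active-session-modules none lines as blocking that scheme) and lists which of the two no ip http commands a given configuration needs. The config excerpts are constructed, not real device output.

```python
# Constructed running-config excerpts (not real device output) covering the
# cases the advisory distinguishes.
EXPOSED_BOTH = """\
hostname edge-rtr
ip http server
ip http secure-server
ip http authentication local
"""

HTTP_ONLY_HARDENED = """\
hostname core-sw
ip http server
ip http active-session-modules none
"""

NO_WEBUI = """\
hostname lab-sw
no ip http server
no ip http secure-server
"""


def _config_lines(running_config):
    """Normalize a running-config into a set of stripped lines."""
    return {line.strip() for line in running_config.splitlines()}


def webui_exposure(running_config):
    """Return {'http': bool, 'https': bool} for the web UI attack surface.

    A scheme counts as exploitable when its server command is present and the
    matching active-session-modules line is not set to 'none', which is the
    condition Cisco's advisory describes.
    """
    lines = _config_lines(running_config)
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    http_blocked = "ip http active-session-modules none" in lines
    https_blocked = "ip http secure-active-session-modules none" in lines
    return {"http": http_on and not http_blocked,
            "https": https_on and not https_blocked}


def remediation_commands(running_config):
    """The advisory's 'no ip http ...' commands needed for the servers that are on."""
    lines = _config_lines(running_config)
    cmds = []
    if "ip http server" in lines:
        cmds.append("no ip http server")
    if "ip http secure-server" in lines:
        cmds.append("no ip http secure-server")
    return cmds
```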

Disabling the web UI component and limiting internet exposure on IOS XE systems reduces risk from known attack vectors, but notably does not reduce the risk from implants that may already have been successfully deployed on vulnerable systems. Rapid7 recommends invoking incident response procedures where possible, prioritizing a search for the indicators of compromise Cisco has shared, listed below.

Attacker Behavior Observed by Cisco

Cisco Talos's blog on CVE-2023-20198 has a comprehensive analysis of the implant they've observed being deployed as part of this threat campaign. We strongly recommend reading the analysis in its entirety. The implant is saved under the file path /usr/binos/conf/nginx-conf/cisco_service.conf and contains two variable strings made up of hexadecimal characters. While the implant is not persistent (a device reboot will remove it), the local user accounts the attacker created are.

Cisco observed the threat actor exploiting CVE-2021-1435, which was patched in 2021, to install the implant after gaining access to a device vulnerable to CVE-2023-20198. Talos also noted that they have "seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as of yet undetermined mechanism."

Attacker Behavior Observed by Rapid7

To date, Rapid7 MDR has identified a small number of instances of CVE-2023-20198 exploitation in customer environments, including multiple exploitation instances within the same customer environment on the same day. Indicators of compromise identified by our team from the available evidence show that the attacker used techniques similar to those described by Cisco Talos.

Rapid7 identified variations of techniques in the course of our investigations. The first malicious activity performed on the system post-exploitation was associated with the admin account. Below is an excerpt from that log file:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as admin on vty1
The threat actor created the local account cisco_support using the command username cisco_support privilege 15 algorithm-type sha256 secret * within the admin user context. The threat actor then authenticated to the system using this newly created cisco_support account and began running several commands, including the following:

show running-config
show voice register global
show dial-peer voice summary
show platform
show flow monitor
show platform
show platform software iox-service
show iox-service
dir bootflash:
dir flash:
clear logging
no username cisco_support
no username cisco_tac_admin
no username cisco_sys_manager

Upon completion of these commands, the threat actor deleted the account cisco_support. The accounts cisco_tac_admin and cisco_sys_manager were also deleted, but Rapid7 did not observe account creation commands for these accounts in the available logs.

The threat actor also executed the clear logging command to clear system logging and cover their tracks. Rapid7 identified logging for the second exploitation on October 12, 2023, but could not review logs for the first intrusion because the logs had been cleared.

Evidence indicated that the last action performed by the threat actor relates to a file named aaa:
%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD aaa

When comparing the two intrusions that occurred within the same environment on October 12, there are slight differences in observed techniques. For example, log clearing was only performed within the first exploitation, while the second exploitation included additional directory viewing commands.

Indicators of Compromise

The Cisco Talos blog on CVE-2023-20198 directs organizations to look for unexplained or newly created users on devices running IOS XE. One way to identify whether the implant Talos observed is present is to run the following command against the device, where the "DEVICEIP" portion is a placeholder for the IP address of the device to check:

curl -k -X POST "http[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

The above command makes a request to the device's web UI to see whether the implant is present. If the request returns a hexadecimal string, the implant is present (note that after the implant is deployed, the attacker must restart the web server for the implant to become active). Per Cisco's blog, the above check should use the HTTP scheme if the device is configured with only the insecure web interface.
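The check above written as a Python function, added here and not Cisco's or Rapid7's code: response_indicates_implant applies the rule from the paragraph (a bare hexadecimal body means the implant answered, whereas a clean device returns an HTML page), and check_device sends the same POST as the curl command, skipping certificate verification as -k does, with the scheme selectable for devices that only expose the insecure interface.

```python
import re
import ssl
import urllib.request

# Path and parameter from the check Cisco Talos published; the device address
# is supplied by the caller (the DEVICEIP placeholder in the post).
IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"

HEX_ONLY = re.compile(r"\A[0-9a-fA-F]+\Z")


def response_indicates_implant(body):
    """True when the response body is nothing but a hexadecimal string.

    A device without the implant answers this path with an HTML page, which
    contains '<' and other non-hex characters and so is classified as clean.
    """
    text = body if isinstance(body, str) else body.decode("utf-8", "replace")
    text = text.strip()
    return bool(text) and HEX_ONLY.match(text) is not None


def check_device(device_ip, scheme="https", timeout=10):
    """POST the implant check to one device and classify the reply.

    scheme='http' mirrors the advice to use HTTP when only the insecure web
    interface is configured. Certificate checks are disabled like curl -k,
    since device certificates are usually self-signed.
    """
    url = f"{scheme}://{device_ip}{IMPLANT_CHECK_PATH}"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        body = resp.read()
    return response_indicates_implant(body)
```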

Other Cisco IOCs

IP addresses:

  • 5.149.249[.]74
  • 154.53.56[.]231

Usernames:

  • cisco_tac_admin
  • cisco_support

Cisco Talos also recommends performing the following checks to determine whether a device has been compromised:

Check system logs for the presence of the following log messages, where user could be cisco_tac_admin, cisco_support, or any configured, local user that is unknown to the network administrator:

  • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

  • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

Note: The %SYS-5-CONFIG_P message will be present for each instance that a user has accessed the web UI. The indicator to look for is new or unknown usernames present in the message.

Organizations should also check system logs for the following message, where filename is an unknown filename that does not correlate with an expected file installation action:

  • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
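As an added example, not part of the Cisco or Rapid7 material above, the following Python applies the log checks from this section and from the Rapid7 observations to syslog text: it flags %SYS-5-CONFIG_P and %SEC_LOGIN-5-WEBLOGIN_SUCCESS messages whose user is one of the Talos IOC usernames or is absent from the administrator's known-user list, and %WEBUI-6-INSTALL_OPERATION_INFO messages whose filename is not an expected install. The sample lines, the known-user list and the expected filenames are constructed assumptions.

```python
import re

# Constructed syslog lines modelled on the message formats quoted in this post
# (not captured from a real device); addresses are from documentation ranges.
SAMPLE_LOGS = """\
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as admin on vty1
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 192.0.2.10] at 03:42:13 UTC Wed Oct 11 2023
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_support on vty2
%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD aaa
%WEBUI-6-INSTALL_OPERATION_INFO: User: netops, Install Operation: ADD cat9k_iosxe.bin
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 08:00:00 UTC Thu Oct 12 2023
"""

# Accounts the administrator knows about (assumption for this example).
KNOWN_USERS = {"admin", "netops"}
# Usernames Cisco Talos listed as indicators.
IOC_USERS = {"cisco_tac_admin", "cisco_support"}
# Filenames expected from legitimate install operations (assumption).
EXPECTED_INSTALL_FILES = {"cat9k_iosxe.bin"}

CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: .* by process SEP_webui_wsma_http from console as (\S+) on")
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: .*\[user: ([^\]]+)\] \[Source: ([^\]]+)\]")
INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+), Install Operation: ADD (\S+)")


def find_indicators(log_text):
    """Return a list of (line_no, reason) for lines matching the Talos checks."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CONFIG_P.search(line) or WEBLOGIN.search(line)
        if m:
            user = m.group(1)
            if user in IOC_USERS:
                hits.append((n, f"known IOC username {user}"))
            elif user not in KNOWN_USERS:
                hits.append((n, f"unknown username {user}"))
            continue
        m = INSTALL.search(line)
        if m:
            user, filename = m.group(1), m.group(2)
            if filename not in EXPECTED_INSTALL_FILES:
                hits.append((n, f"unexpected install of {filename} by {user}"))
    return hits
```

Every web UI access produces a %SYS-5-CONFIG_P line, so the function only reports usernames, not the presence of the message itself.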

Rapid7 Customers

As of October 17, InsightVM and Nexpose customers can assess their exposure to CVE-2023-20198 with an authenticated vulnerability check that looks for Cisco IOS XE devices with the web UI enabled. We expect to release an update to this check on October 24 to reflect the availability of fixed versions.

InsightIDR and Rapid7 MDR customers have existing detection coverage through Rapid7's expanded detection rules library. The following detection rules are deployed and alert on activity related to this vulnerability via the IP addresses provided by Cisco:

  • Network Flow - CURRENT_EVENTS Related IP Observed
  • Suspicious Connection - CURRENT_EVENTS Related IP Observed

Updates

October 17, 2023: Updated with attacker behavior observed by Rapid7 and IOCs.

October 23, 2023: Updated to reflect the disclosure of a second zero-day vulnerability, CVE-2023-20273. Also noted that Cisco has released patches for CVE-2023-20198 on many affected platforms. Rapid7 expects to release an update to the CVE-2023-20198 vulnerability check on October 24 to detect patched versions of IOS XE.