CVE-2023-20198 (CVSS score 10)
Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker.

Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.

CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
https://nvd.nist.gov/vuln/detail/CVE-2023-20198
Categories
CWE-420: Unprotected Alternate Channel
The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
Mitigation: identify all alternate channels and use the same protection mechanisms that are used for the primary channels.
Observed examples:
- When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).
- DB server assumes that local clients have performed authentication, allowing an attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so the attack can be remote.
- Product does not restrict access to the underlying database, so an attacker can bypass restrictions by directly querying the database.
- User can avoid lockouts by using an API instead of the GUI to conduct brute-force password guessing.
- FTP service cannot be disabled even when other access controls would require it.
- Windows named pipe created without authentication/access control, allowing configuration modification.
- Router management interface spawns a separate TCP connection after authentication, allowing hijacking by an attacker coming from the same IP address.
CWE-NVD-Other
References
| source | url | tags |
|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-20... | US Government Resource |
| af854a3a-2127-422b-91ae-364da2661108 | https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory... | Mitigation, Vendor Advisory |
| psirt@cisco.com | https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory... | Mitigation, Vendor Advisory |
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| AND | ||
| cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5200_firmware:*:*:*:*:*:*:*:* | < 17.12.02 | |
| Running on/with | ||
| cpe:2.3:h:rockwellautomation:allen-bradley_stratix_5200:-:*:*:*:*:*:*:* | ||
| Configuration 2 | ||
| AND | ||
| cpe:2.3:o:rockwellautomation:allen-bradley_stratix_5800_firmware:*:*:*:*:*:*:*:* | < 17.12.02 | |
| Running on/with | ||
| cpe:2.3:h:rockwellautomation:allen-bradley_stratix_5800:-:*:*:*:*:*:*:* | ||
| Configuration 3 | ||
| cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* | >= 16.12 | < 16.12.10a |
| cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* | >= 17.3 | < 17.3.8a |
| cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* | >= 17.6 | < 17.6.6a |
| cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* | >= 17.9 | < 17.9.4a |
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
Other Nist (github, ...)
| Url |
|---|
| No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| No entry | ||
