In the implementation of the Web-ELUSE used on the physical and virtual devices of Cisco, equipped with the Cisco IOS XE operating system, a critical vulnerability (CVE-2023-20198) has been revealed, allowing unauthorized access to the system with maximum privileges without authentication, if the network port through which the Web interface operates is accessible. The danger of this vulnerability is further compounded by the fact that attackers have been exploiting it to create additional administrator accounts named “Cisco_tac_admin” and “Cisco_support”, as well as to remotely execute commands on the affected devices.
Despite the recommendation to only enable access to the Web interface for selected hosts or the local network in order to ensure proper security, many administrators continue to allow connections from the global network. According to data from the SHODAN service, over 140,000 potentially vulnerable devices have been identified on the global network. Additionally, the Cert organization has already reported 35,000 successful attacks on Cisco devices, resulting in the installation of a malicious implant.
Prior to the release of a fix to address the vulnerability, it is recommended to disable the HTTP and HTTPS servers on the affected devices using the “No IP HTTP SERVER” and “No IP HTTP SECURE-SERVER” commands. In order to verify the presence of the malicious implant, execute the following request:
curl -x post https://ip-device/webui/logoutconfirm.html?Logon_hash=1
If compromised, this request will return an 18-character hash. Additionally, administrators can analyze the device’s logs for any suspicious connections or perform operations to install additional files. To remove the implant, a device restart is sufficient; however