Alerts
Active Exploitation of Cisco Internetworking Operating System eXtended Edition
19 February 2025
There have been reports of active exploitation of vulnerabilities (CVE-2023-20198 and CVE-2023-20273) in unpatched internet-facing Cisco Internetworking Operating System eXtended Edition (IOS XE) software.
Update as of 26 Feb:
Organisations that are affected by the vulnerabilities are advised to adopt the following steps to identify suspicious activity that may be related to the vulnerabilities:
Use the Cisco Software Checker to determine your exposure to vulnerabilities in Cisco IOS and IOS XE Software. The Cisco Software Checker can be accessed at https://sec.cloudapps.cisco.com/security/center/softwarechecker.x
Check the list of local users on affected products and identify any unknown accounts. Pay particular attention to suspicious usernames like "cisco_tac_admin," "cisco_support," and "cisco_sys_manager".
Monitor their network traffic for signs of malicious GRE tunneling traffic within their network using the methods described below.
Look for non-empty or unusually large .bash_history files.
Organisations are also advised to adopt the following steps to prevent suspicious activity that may be related to the vulnerabilities:
Change the login credentials for your Cisco IOS XE. Use a strong password consisting of at least 12 characters with a mix of upper and lower case letters, numbers, and symbols.
Disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses.
After implementing any changes, use the copy running-configuration startup configuration command to save the running-configuration. This will ensure that the changes are not reverted in the event of a system reload.
Conduct comprehensive configuration management (inclusive of auditing), in line with best practices.
Conduct comprehensive authentication/authorisation/command issuance monitoring.
Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
Monitor your environment for unusual changes in behaviour or configuration.
Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
Where possible, develop NetFlow visibility to identify unusual volumetric changes.
For the full list of detection and prevention measures, please refer to Cisco Talos' research paper: https://blog.talosintelligence.com/salt-typhoon-analysis/
Singapore organisations affected by these vulnerabilities should report to SingCERT if any evidence of compromise is found. A report can be made via our Incident Reporting Form at https://go.gov.sg/singcert-incident-reporting-form
Original alert published on 19 Feb below:
There have been reports of active exploitation of vulnerabilities (CVE-2023-20198 and CVE-2023-20273) in unpatched internet-facing Cisco Internetworking Operating System eXtended Edition (IOS XE) software. CVE2023-20198 has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10.
The vulnerabilities are:
CVE-2023-20198: A privilege escalation vulnerability in the web user interface (UI) feature of Cisco IOS XE, that allows a remote, unauthenticated attacker to create an account with full administrative privileges (privilege level 15).
CVE-2023-20273: A privilege escalation vulnerability that allows attackers to execute arbitrary commands with root privileges.
Both CVE-2023-20198 and CVE-2023-20273 can be chained together to exploit the web UI feature in Cisco IOS XE for initial access before exploiting the privilege escalation vulnerability to gain root privileges. The attackers have been reported to establish Generic Routing Encapsulation (GRE) tunnels on compromised Cisco routers to encapsulate network protocols over IP networks.
These vulnerabilities affect Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.
Users and administrators of affected products are advised to update to the latest versions immediately. For detailed guidance, please refer to Cisco's official advisory: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html
If performing an immediate update is not possible, administrators are advised to disable the HTTP Server feature until affected devices can be upgraded. Administrators can disable the HTTP Server feature by using the no ip http server or no ip http secure-server command in global configuration mode. If both HTTP Server and HTTP Secure Server are in use, then both commands are required to disable the HTTP Server feature.
To limit exposure to these vulnerabilities, administrators are also advised to allow HTTP Server access only from trusted networks. The following example shows how to allow remote access to the HTTP Server from the trusted 192.168.0.0/24 network:
!
ip http access-class 75
ip http secure-server
!
access-list 75 permit 192.168.0.0 0.0.0.255
access-list 75 deny any
!
Administrators are advised to monitor their network traffic for signs of malicious GRE tunneling traffic within their networks:
Unexpected traffic from unusual IP addresses
Uncommon, encapsulated payloads and protocols like RDP or SMB
High data volume in logs can indicate potential data exfiltration
To analyse GRE traffic in Wireshark:
Filter GRE Traffic: Use the display filter GRE.
Analyse the GRE Header: Key fields include the Protocol Type (e.g., 0x0800 for IPv4, 0x86DD for IPv6) and flags/options.
Inspect Encapsulated Payload: Expand the “Encapsulated Protocol” section to review inner packets.
Identify Tunnel Endpoints: Check the outer IP header’s source and destination addresses.
Cross-check with NetFlow: Verify traffic with IP protocol 47 and match outer addresses.
More information is available here:
https://nvd.nist.gov/vuln/detail/cve-2023-20198
https://nvd.nist.gov/vuln/detail/cve-2023-20273
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2023-138
https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices