{"id":25543,"date":"2024-04-25T13:55:11","date_gmt":"2024-04-25T13:55:11","guid":{"rendered":"https:\/\/blog.lacnic.net\/?p=25543"},"modified":"2024-09-23T15:38:43","modified_gmt":"2024-09-23T15:38:43","slug":"a-persistent-threat-critical-vulnerability-in-network-devices","status":"publish","type":"post","link":"https:\/\/blog.lacnic.net\/en\/a-persistent-threat-critical-vulnerability-in-network-devices\/","title":{"rendered":"A Persistent Threat: Critical Vulnerability in Network Devices"},"content":{"rendered":"\n

By Guillermo Pereyra<\/a>, Security Analyst at LACNIC CSIRT<\/p>\n\n\n\n

<\/a>A known vulnerability<\/h3>\n\n\n\n

In mid-October 2023, CISCO published CVE-2023-20198, a vulnerability that affects the user interface (web UI feature) of Cisco IOS XE software.<\/p>\n\n\n\n

This vulnerability allows gaining unauthorized access to an exposed web interface and execute commands for creating a user.<\/p>\n\n\n\n

In this article, we will discuss how this vulnerability affects the Latin American and Caribbean region, what measures LACNIC CSIRT is taking, and what we can do to fix this problem.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/a>A vulnerability that affects our region<\/h3>\n\n\n\n

At LACNIC CSIRT, we’ve noticed an increase in the number of devices in the region affected by this vulnerability since its publication.<\/p>\n\n\n\n

Data shows that an average of 17 compromised devices have been detected daily over the last five months, as illustrated in the graph below.<\/p>\n\n\n\n

\"\"
Graph #1. Number of compromised network devices over time.<\/figcaption><\/figure>\n\n\n\n

An analysis of the data shows that the problem affects approximately 900 different ASNs. In the following graph, it is interesting to see how the problem is concentrated in just a few ASNs.<\/p>\n\n\n\n

\"\"
Graph #2. Number of compromised devices by ASN based on their assigned IP prefix.<\/figcaption><\/figure>\n\n\n\n

Although updates and fixes have been available for over five months, thousands of network devices are still vulnerable to this problem.<\/p>\n\n\n\n

Actions taken by LACNIC CSIRT<\/p>\n\n\n\n

The LACNIC response team informs organizations with an exposed IOS XE web service that they might be vulnerable.<\/p>\n\n\n\n

We alert them through the MiLACNIC security module so that the organization can identify and mitigate any possible threat that may be occurring on their networks.<\/p>\n\n\n\n

\"\"
Figure 1. Example of the information displayed by MiLACNIC.<\/figcaption><\/figure>\n\n\n\n

<\/a>Detecting and fixing the vulnerability<\/h3>\n\n\n\n

How do I know if my device is vulnerable?<\/p>\n\n\n\n

A device is vulnerable if the web interface of the following IOS XE versions is exposed:<\/p>\n\n\n\n

CPE configuration<\/strong><\/th>Affected version<\/strong> (from)<\/strong><\/th>Affected version (up to and including)<\/strong><\/th><\/tr><\/thead>
  cpe:2.3:o:cisco:ios_xe:*:*:*:*: *:*:*:*<\/td>16.12<\/td>16.12.10a<\/td><\/tr>
  cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*<\/td>17.3<\/td>17.3.8a<\/td><\/tr>
  cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*<\/td>17.6<\/td>17.6.6a<\/td><\/tr>
  cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*<\/td>17.9<\/td>17.9.4a<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Has my device been attacked?<\/p>\n\n\n\n

The verifications recommended by TALOS, CISCO’s security team, include:<\/p>\n\n\n\n

    \n
  1. Check the system logs for the presence of any message that includes the “user” field associated with an unknown user.<\/li>\n<\/ol>\n\n\n\n

    %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line<\/p>\n\n\n\n

    %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023<\/p>\n\n\n\n