Active Exploitation Discovered in Cisco IOS XE Software, Devices Vulnerable

Cisco is encouraging its partners to review and share its latest advisory about active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software.

The vulnerability, which occurs when the software is exposed to the internet or untrusted networks, affects both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.

Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.

Web UI is an embedded graphical user interface (GUI)-based system-management tool that provides the ability to provision the system, to simplify system deployment and manageability, and to enhance the user experience. It comes with the default image, so there is no need to enable anything or install any license on the system. Web UI can be used to build configurations, as well as to monitor and troubleshoot the system without command line interface (CLI) expertise.

Discovery of Cisco IOS XE software Exploitation

Cisco Talos published a blog on the vulnerability.

“We discovered early evidence of potentially malicious activity on Sept. 28 when a case was opened with Cisco’s Technical Assistance Center (TAC) that identified unusual behavior on a customer device,” it said. “Upon further investigation, we observed what we have determined to be related activity as early as Sept. 18. The activity included an authorized user creating a local user account under the username ‘cisco_tac_admin’ from a suspicious IP address (5.149.249[.]74). Instances of this activity ended on Oct.1, and we did not observe any other associated behavior at that time other than the suspicious account creation.”

On Oct. 12, Cisco Talos Incident Response (Talos IR) and TAC detected what it later determined to be an additional cluster of related activity that began on that same day.

“In this cluster, an unauthorized user was observed creating a local user account under the name ‘cisco_support’ from a second suspicious IP address (154.53.56[.]231),” it said. “Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters … that allows the actor to execute arbitrary commands at the system level or IOS level. For the implant to become active, the web server must be restarted. In at least one observed case, the server was not restarted so the implant never became active despite being installed.”

The first cluster was possibly the actor’s initial attempt and testing their code, while the October activity appears to show the actor expanding their operation to include establishing persistent access via deployment of the implant.

‘Critical’ Vulnerability

This is a critical vulnerability, and Cisco strongly recommends affected entities immediately implement the steps outlined in its PSIRT advisory.

“We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory,” it said. ”The recommendation that Cisco has provided in its security advisory to disable the HTTP server feature on internet-facing systems is consistent with not only best practices, but also guidance the U.S. government has provided in the past on mitigating risk from internet-exposed management interfaces.”

John Bambenek, principal threat hunter at Netenrich, said network devices have always been a highly sought after target by nation-state actors who wish to engage in espionage activity, and this vulnerability gives that class of an attacker the “perfect tool” to subtly start manipulating network traffic.

Netenrich’s Jon Bambenek

“The fact there isn’t a patch yet makes this issue all the more urgent,” he said. “Admins should take this opportunity to ensure their Cisco IOS devices either disable the Web UI, or only have it accessible from private administrative LANs that are restricted to authorized users.”

Mayuresh Dani, manager of threat research at Qualys, said Cisco has not provided the list of devices affected, “which means that any switch, router or WLC running IOS XE and has the web UI exposed to the internet is vulnerable.”

“Based on my searches using Shodan, there are about 40,000 Cisco devices that have Web UI exposed to the internet,”  he said.