What Happened?
Cisco has published a security advisory tracking the active exploitation of a new zero-day vulnerability in the Cisco IOS Web UI. This flaw affects all versions of Cisco IOS with the HTTP Server feature enabled. It allows an external, unauthenticated attacker to create a new administrative user account with full administrative privileges (level 15 access). Cisco has reported that they have tracked attacks taking advantage of this vulnerability going back to at least September 18, 2023.
How Bad is This?
The ease of exploitation and scope of this attack have earned this vulnerability a CVSS score of 10, which is the highest severity. Networking devices that are susceptible to this issue include switches, routers, and wireless LAN controllers that utilize Cisco IOS XE and that have the HTTP or HTTPS server enabled and open to the public internet. Once exploited, attackers have full access to the device and can perform any actions a fully-authenticated administrator can. This kind of access has the potential to allow an attacker to perform reconnaissance on network traffic, pivot into internal networks, and perform man-in-the-middle attacks which may also lead to compromised domain user credentials. The most common follow-on activity observed by Cisco has been the deployment of an implant that allows remote execution of malicious commands at the system or IOS level.
What Should I Do?
Considering the CVSS score of this vulnerability and the potential impact it may have on an environment, Cisco urges organizations with Cisco IOS Web UI devices exposed to the internet to immediately implement the guidance outlined in their PSIRT advisory. At this time, there are no known workarounds and no system updates available to patch this vulnerability.
Cisco recommends that you take the following steps:
- Disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the
no ip http server
or
no ip http secure-server
command in global configuration mode. If both the HTTP server and HTTPS server are in use, then you must use both commands to disable the HTTP Server feature.
- If the HTTP Server feature cannot be disabled, Cisco recommends that you apply access lists to the HTTP Server feature to restrict access from untrusted hosts and networks. They have found this to be an effective mitigation strategy.
- If an implant is confirmed to have been installed, you can reboot the affected device to sever that connection; however, if the attacker still has access to the account they created, they can log in to the device again and reinstall the implant.
How do I determine whether the HTTP Server feature is enabled?
To determine whether the HTTP Server feature is enabled for a device, access the command line interface and run the following command:
show running-config | include ip http server|secure|active
If
ip http server
or
ip http secure-server
is returned, then the HTTP Server feature is enabled.
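The running-config check above and the disable step in the mitigation list are easy to get wrong when run across many devices by hand (the "no ip http ..." form of a line means the listener is off, and both commands are needed when both listeners are on). The following Python script is an added example, not code from the Blumira post or from Cisco; it parses captured output of the show running-config command and reports which listeners are enabled and which disable commands the advisory calls for. The sample configuration text, the function names and the rule that an absent line counts as disabled are assumptions made for the example.

```python
import re

# Constructed sample of the output of
#   show running-config | include ip http server|secure|active
# on a device with the HTTP listener on and HTTPS off. Not real device output.
SAMPLE_RUNNING_CONFIG = """\
ip http server
ip http authentication local
no ip http secure-server
ip http secure-active-session-modules none
"""

# Matches only the two lines the advisory cares about, in either the
# enabled ("ip http server") or explicitly disabled ("no ip http server") form.
HTTP_LINE_RE = re.compile(r"^\s*(no\s+)?ip http (server|secure-server)\s*$")


def http_server_state(running_config: str) -> dict:
    """Report whether the HTTP and HTTPS listeners are enabled.

    Per the advisory, a bare 'ip http server' or 'ip http secure-server' line
    means that listener is on; the 'no ...' form, or no line at all, is
    treated as off (assumption for this example). The last matching line
    for each listener wins.
    """
    state = {"http": False, "https": False}
    for line in running_config.splitlines():
        m = HTTP_LINE_RE.match(line)
        if not m:
            continue
        key = "https" if m.group(2) == "secure-server" else "http"
        state[key] = m.group(1) is None  # no 'no ' prefix => enabled
    return state


def disable_commands(state: dict) -> list:
    """Global configuration commands needed to turn off every enabled
    listener; both are returned when both are on, as the advisory requires."""
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    state = http_server_state(SAMPLE_RUNNING_CONFIG)
    print("listeners:", state)
    for cmd in disable_commands(state):
        print("configure terminal ->", cmd)
```

Feed the function the text you collected from each device (for example the output saved by a configuration backup job) and apply the returned commands in global configuration mode; an empty list means neither listener is on and there is nothing to disable.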
Look for indicators of compromise
If the HTTP Server feature was enabled on one of your devices, look for the following indicators of compromise:
- Any activity from the following IP addresses:
- 5.149.249[.]74
- 154.53.56[.]231
- Any unrecognized or unexplainable new local users created on the affected device. Note: the usernames cisco_tac_admin and cisco_support have been observed in confirmed exploitations.
- Any logins or configuration changes made by any unrecognized accounts. You can narrow down your search by reviewing
%SYS-5-CONFIG_P
message logs. These will be present for each instance in which a user has accessed the web UI.
- Check the system logs for the following message, where “filename” is an unknown filename that does not correlate with an expected file installation action:
%WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
- Check systems for implants using the following commands, where “systemip” is the IP address of the Cisco device to check:
- Systems configured to use HTTPS:
curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
- Systems configured to use HTTP:
curl -k -X POST "http://systemip/webui/logoutconfirm.html?logon_hash=1"
As indicated by Cisco, if the request returns a hexadecimal string, the implant is present.
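The indicator list and the implant probe above translate directly into a small triage script. The following Python is an added example and is not code from the Blumira post or from Cisco: it runs the indicators (the two IP addresses, the two observed usernames, %SYS-5-CONFIG_P changes and %WEBUI-6-INSTALL_OPERATION_INFO entries with an unexpected filename) over syslog lines, and it reproduces Cisco's "hexadecimal string means implant" rule for the logoutconfirm.html probe. The log lines are constructed for the example; the exact wording of the %SYS-5-CONFIG_P message body, the hostname, timestamps, filenames and all function names are assumptions, so adjust the regular expressions to your own devices' output.

```python
import re
import ssl
import urllib.request

# Indicators listed in the post, with the de-fanging brackets removed.
IOC_IPS = {"5.149.249.74", "154.53.56.231"}
SUSPICIOUS_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}

# Constructed IOS-style syslog lines for demonstration; the hostname, times,
# user names and file names are made up, not real device output.
SAMPLE_LOGS = [
    "Oct 17 10:02:11 edge-rtr1 %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as cisco_tac_admin on vty0 (5.149.249.74)",
    "Oct 17 10:02:15 edge-rtr1 %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD cisco_service.conf",
    "Oct 17 10:05:40 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.1.5)",
    "Oct 17 11:00:00 edge-rtr1 %WEBUI-6-INSTALL_OPERATION_INFO: User: netops, "
    "Install Operation: ADD cat9k_iosxe.17.09.03.SPA.bin",
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Assumed message layout: "... as <user> ..." names the account that made the change.
CONFIG_P_RE = re.compile(r"%SYS-5-CONFIG_P:.*?\bas\s+(\S+)")
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User:\s*(\S+?),\s*Install Operation:\s*ADD\s+(\S+)"
)


def triage_line(line: str, expected_files: set) -> list:
    """Return (indicator, detail) findings for one syslog line.

    expected_files: filenames that correspond to a planned install action;
    any other ADD is reported as unexpected_install.
    """
    findings = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            findings.append(("ioc_ip", ip))
    m = CONFIG_P_RE.search(line)
    if m:  # a web UI configuration change; flag the account if it is a known bad one
        user = m.group(1)
        findings.append(("webui_config_change", user))
        if user in SUSPICIOUS_ACCOUNTS:
            findings.append(("suspicious_account", user))
    m = INSTALL_RE.search(line)
    if m:
        user, filename = m.groups()
        if user in SUSPICIOUS_ACCOUNTS:
            findings.append(("suspicious_account", user))
        if filename not in expected_files:
            findings.append(("unexpected_install", filename))
    return findings


def triage(lines, expected_files: set) -> dict:
    """Map line index -> findings for every line that raised at least one."""
    report = {}
    for i, line in enumerate(lines):
        findings = triage_line(line, expected_files)
        if findings:
            report[i] = findings
    return report


def is_implant_response(body: str) -> bool:
    """Cisco's rule for the logoutconfirm.html probe: a non-empty body made
    only of hexadecimal digits means the implant is present."""
    s = body.strip()
    return bool(s) and all(c in "0123456789abcdefABCDEF" for c in s)


def probe_implant(systemip: str, https: bool = True, timeout: float = 5.0) -> bool:
    """Python equivalent of the advisory's curl -k -X POST check (live request)."""
    scheme = "https" if https else "http"
    url = f"{scheme}://{systemip}/webui/logoutconfirm.html?logon_hash=1"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # like curl -k: devices usually present
    ctx.verify_mode = ssl.CERT_NONE     # self-signed certificates
    req = urllib.request.Request(url, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return is_implant_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    known_good = {"cat9k_iosxe.17.09.03.SPA.bin"}
    for idx, findings in triage(SAMPLE_LOGS, known_good).items():
        print(f"line {idx}: {findings}")
```

Run triage() over the device's syslog export with the set of filenames you actually pushed as expected_files; a webui_config_change finding for a user you do not recognise, or an unexpected_install, is what the post's indicator list tells you to investigate. probe_implant() performs the same request as the curl commands and should only be pointed at devices you administer; a True result means the device needs the reboot-plus-account-cleanup response described in the mitigation list.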
How Blumira Can Help
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira is actively working on a detection for QueueJumper for its customers.
Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Sign up for free and connect to your Microsoft 365 environment in minutes to start detecting and mitigating exposure related to Windows vulnerabilities.
Jake Ouellette
Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.