Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2023-20273

Published: 25/10/2023 Updated: 25/01/2024
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 0
Subscribe to Ios Xe

Vulnerability Summary

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote malicious user to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the malicious user to inject commands to the underlying operating system with root privileges.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

cisco ios xe

cisco ios_xe

Vendor Advisories

Cisco: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software We are updating the list of fixed releases and adding the Software Checker Fix information can be found in the Fixed Software section of this advisory Our investigation has determined that the actors exploited two ...
Check Point Security Alerts: Cisco IOS XE Privilege Escalation (CVE-2023-20273)
Check Point Reference: CPAI-2023-1112 Date Published: 12 Nov 2023 Severity: High ...

Exploits

Exploit DB: Cisco IOX XE Unauthenticated Remote Code Execution
This Metasploit module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the web UI exposed An attacker can execute a payload with root privileges The vulnerable IOS XE versions are 1611, 1612, 1613, 1621, 1622, 1631, 1632, 1633, 1631a, 1634, 1635, 1635b, 163 ...
Exploit DB: Cisco IOX XE Unauthenticated RCE Chain
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed An attacker can execute a payload with root privileges The vulnerable IOS XE versions are: 1611, 1612, 1613, 1621, 1622, 1631, 1632, 1633, 1631a, 1634, ...
Exploit DB: Cisco IOX XE unauthenticated OS command execution
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed An attacker can execute arbitrary OS commands with root privileges This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user, CVE-202 ...

Metasploit Modules

Cisco IOX XE Unauthenticated RCE Chain

This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, 17.11.99SW

msf > use exploit/linux/misc/cisco_ios_xe_rce
msf exploit(cisco_ios_xe_rce) > show targets
    ...targets...
msf exploit(cisco_ios_xe_rce) > set TARGET < target-id >
msf exploit(cisco_ios_xe_rce) > show options
    ...show and set options...
msf exploit(cisco_ios_xe_rce) > exploit
Cisco IOX XE unauthenticated OS command execution

This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges. This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user, CVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read back via the webserver. Finally the output file is deleted and the admin user is removed. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, 17.11.99SW

msf > use auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273
msf auxiliary(cisco_ios_xe_os_exec_cve_2023_20273) > show actions
    ...actions...
msf auxiliary(cisco_ios_xe_os_exec_cve_2023_20273) > set ACTION < action-name >
msf auxiliary(cisco_ios_xe_os_exec_cve_2023_20273) > show options
    ...show and set options...
msf auxiliary(cisco_ios_xe_os_exec_cve_2023_20273) > run

Github Repositories

https://github.com/Shadow0ps/CVE-2023-20198-Scanner

This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273

Cisco IOS XE Device Scanner User Guide for CVE-2023-20198-Scanner This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273 This Python script checks for compromised Cisco IOS XE devices by making HTTP and HTTPS requests It supports multiple ways to specify target IPs and provides threadi

https://github.com/cadencejames/Check-HttpServerStatus

Checks the status of 'ip http server' and 'ip http secure-server' on Cisco networking devices

Check-HttpServerStatus Introduction This script is in direct response to recent Cisco Vulnerabilities (CVE-2023-20198 and CVE-2023-20273) in which the http server on Cisco IOS-XE devices can be used to gain unathorized access This script will check the status of the http server so you can identify which devices will need to be configured Notes The included 'inventorycsv

https://github.com/smokeintheshell/CVE-2023-20198

CVE-2023-20198 Exploit PoC

CVE-2023-20198 Exploit PoC for CVE-2023-20198 Description CVE-2023-20198 is characterized by improper path validation to bypass Nginx filtering to reach the webui_wsma_http web endpoint without requiring authentication By bypassing authentication to the endpoint, an attacker can execute arbitrary Cisco IOS commands or issue configuration changes with Privilege 15 privileges C

https://github.com/smokeintheshell/CVE-2023-20273

CVE-2023-20273 Exploit PoC

CVE-2023-20273 CVE-2023-20273 Exploit PoC

Recent Articles

Cisco fixes critical IOS XE bug but malware crew way ahead of them
The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Initial fall in infected devices indicates evolution, not extinction, of attack code

After a six-day wait, Cisco started rolling out a patch for a critical bug that miscreants had exploited to install implants in thousands of devices. Alas, it seems to have been largely useless. The flaw in the networking giant's IOS XE software, which allowed criminals to hijack thousands of Cisco switches and routers, first came to light last Monday. On Friday, Cisco said it hoped to have a fix ready on Sunday, ruining the weekend for many admins.  The good news: Cisco kept its Sunday pro...

Read more...

References

NVD-CWE-noinfohttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4zhttps://nvd.nist.govhttps://www.theregister.co.uk/2023/10/23/cisco_iosxe_fix/https://github.com/Shadow0ps/CVE-2023-20198-Scannerhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2006-4304CVE-2024-4240arbitrary CVE-2024-31601XSSCVE-2023-20198CVE-2024-4256CVE-2024-3342encryption
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook