CVE-2023-20273
published 2023-10-25


Priority: P1 · 88 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2023-10-27
Exploited in the wild
EPSS: 89.63% (99.8th percentile)
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

Affected

378 version ranges (25 shown on the page; version range and fixed-in columns were empty in the listing)
Vendor: cisco · Product: cisco_ios_xe_software

Detection & IOCs (extracted from sources)

  • command: clear logging
  • command: no username cisco_support
  • command: no username cisco_tac_admin
  • command: no username cisco_sys_manager
  • command: show running-config | include ip http server|secure|active
  • A second version of the BadCandy implant added a check for the HTTP Authorization header before responding, used to evade detection by curl-based scanning. Absence of a response without an Authorization header on a previously responding device may indicate the updated implant is present.
  • Newly created local user accounts with privilege level 15 persisting after reboots are an indicator of compromise from CVE-2023-20198 exploitation. Look for unexpected usernames such as 'cisco_tac_admin', 'cisco_support', and 'cisco_sys_manager'.
  • The BadCandy implant is non-persistent and removed on reboot, but its presence can be checked via the file path /usr/binos/conf/nginx-conf/cisco_service.conf on the device filesystem.
  • Fox-IT found that the implant on compromised devices was modified to check for an Authorization HTTP header value before responding; use an alternative scanning method (not relying on unauthenticated curl) to detect the updated implant on IOS XE devices with web UI exposed.
  • CVE-2023-20273 is exploitable only when the HTTP Server feature is enabled on the device. Detect exposure by checking for 'ip http server' or 'ip http secure-server' in the running configuration.
  • CVE-2023-20273 is only exploitable after CVE-2023-20198 has been used to create a local user account; it requires an authenticated attacker (the newly created user) to perform command injection for root-level implant installation.
  • Both CVE-2023-20198 and CVE-2023-20273 are tracked under a single Cisco bug ID (CSCwh87343); patches began rolling out October 22, 2023, with the first fixed release being 17.9.4a.
  • The BadCandy implant's 18-character and 40-character hardcoded hex strings are unique per device in most observed cases, suggesting per-device authentication tokens; however, in some cases the same strings were observed across different devices.
  • The implant requires a web server restart to become active; in at least one observed case the server was not restarted, so the implant never became active despite being installed.
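A defender-side check for the two configuration indicators listed above (web UI exposure via `ip http server` / `ip http secure-server`, and unexpected privilege-15 local accounts such as cisco_tac_admin) run over `show running-config` output. This is an added example, not code from the page's sources or from Cisco; the sample configuration, the `netops` allowlist and the secret placeholders are constructed.

```python
import re

# Account names the IOC list above associates with CVE-2023-20198/20273 activity.
KNOWN_BAD_USERS = frozenset({"cisco_tac_admin", "cisco_support", "cisco_sys_manager"})

# IOS XE local account line: "username <name> [privilege <n>] ..."
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def audit_running_config(config_text, expected_users=()):
    """Return exposure and account indicators found in 'show running-config' text."""
    expected = set(expected_users)
    http_server = http_secure = False
    priv15_unexpected, known_bad = set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("!"):          # IOS comment / section separator
            continue
        # Exact match so that "no ip http server" is not counted as enabled.
        if line == "ip http server":
            http_server = True
        elif line == "ip http secure-server":
            http_secure = True
        m = USERNAME_RE.match(line)
        if m:
            name, priv = m.group(1), m.group(2)
            if name in KNOWN_BAD_USERS:
                known_bad.add(name)
            if priv == "15" and name not in expected:
                priv15_unexpected.add(name)
    return {
        "web_ui_exposed": http_server or http_secure,   # precondition for CVE-2023-20273
        "http_server": http_server,
        "http_secure_server": http_secure,
        "unexpected_priv15_users": sorted(priv15_unexpected),
        "known_bad_users": sorted(known_bad),
    }


# Constructed sample; the secrets are placeholders, not real hashes.
SAMPLE_CONFIG = """\
! constructed sample running-config
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER
ip http server
no ip http secure-server
"""

if __name__ == "__main__":
    print(audit_running_config(SAMPLE_CONFIG, expected_users={"netops"}))
```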

CVSS provenance

nvd: v3.1 7.2 HIGH — CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.2 HIGH
cisa: 7.2 HIGH
vendor_cisco: 10.0 CRITICAL