topic Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability in Wireless

CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen — Tue, 17 Oct 2023 14:53:45 GMT

This seems bad. - "I'm fuzzy on the whole good/bad thing. What do you mean, "bad"? "........

LWA, and basically also CWA, uses the webservice of the 9800.

Should we all just shut down our guest networks until a workaround / patch can be found ?

Currently that is what Im thinking.

Can anyone shed some light on my concern ?

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Mark Elsen — Tue, 17 Oct 2023 14:58:50 GMT

>...Can anyone shed some light on my concern ?
- The advised strategy for security issues with Cisco products , is : use the recommended software version first , for the 9800 platforms that would be 17.9.4 , if the particular security problem is detected again and depending on business need -> contact TAC ,

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen — Tue, 17 Oct 2023 15:05:14 GMT

So what you are saying is "this is fine" ? (insert "this is fine meme" here).

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Mark Elsen — Tue, 17 Oct 2023 15:26:07 GMT

- As far as can recall my mind I am 'just saying' : the opposite ,

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Mark Elsen — Tue, 17 Oct 2023 15:52:56 GMT

- FYI : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh87343

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Yasuhiro Ikuta — Wed, 18 Oct 2023 04:37:23 GMT

Looking at BugsearchTool, known affected releases include 17.6.5 and 17.3.3, but does it also affect 17.12.1?
I don't know how to try this vulnerability CVE-2023-20198.

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

RoadRunner4k — Wed, 18 Oct 2023 05:50:48 GMT

Would be nice to know if the recommended releases are fixed from this CVE 🙂 Lets us know Thomas if you hear something.

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Finn Rud Laursen — Wed, 18 Oct 2023 07:15:20 GMT

Not a particularly concrete answer to Thomas.
It would be nice to know if enabled central web auth on the WLC contributes to security vulnerabilities or not.

/Finn

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Finn Rud Laursen — Wed, 18 Oct 2023 08:46:02 GMT

And of course also local web auth 😉

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen — Wed, 18 Oct 2023 12:42:11 GMT

Havent heard anything additional yet.

But this being a 10.0 ... I mean .. thats bad ...

And the silence from Cisco worries me.

So Im right now recommending my customers to not use LWA or CWA as a precaution.

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen — Wed, 18 Oct 2023 12:44:43 GMT

Yep that would be really nice to know.

CWA uses some part of the webservice I know (because it does not work if you disable http / https on the 9800), but is this short usage of the webservice for CWA an attack vector ? We just dont know, and Cisco seems awfully quiet 😕

For now, Im recommending customers to not use CWA or LWA, just in case, since this vulnerability has been proven "in the wild".

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen — Wed, 18 Oct 2023 12:47:40 GMT

the CVE basically says all IOS-XE products with the webservice enabled.

And there are no "fixes", so there is a very big possibility that all IOS-XE softwares are affected.

The only recommendation is also just to turn of http and https until a patch can be made available.

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Mark Elsen — Wed, 18 Oct 2023 13:04:07 GMT

Ref : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
>...If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.
If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen — Wed, 18 Oct 2023 13:39:21 GMT

Yes that makes perfect sense, that telling the config that you cannot have any sessions to the webservice makes the exploit not work.

I dont know what scenario you would configure this in. Enable the webservice, but not have it accept any sessions ?

But Im pretty certain (and I have not tested this) that this will also make CWA and LWA not work.

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

r.heitmann — Wed, 18 Oct 2023 14:00:10 GMT

the (obvious) solution is

"no ip http server"
"no ip http secure-server"

i would expect that anyone who doesn't need the HTTP/HTTPS services on a device has long since turned them off.
=> if not, the time has come to do so.

For those who do need the HTTP/HTTPS service, the suggested approach is not possible.

Who could this be?

e.g. operator of an IOS-based CA (Certificate Authority).

For these it would be nice to be able to "harden" HTTP accesses.
=> Allow only specific (e.g. loopback IPs of other routers which are allowed to access the CA) sources to exactly one loopback IP of the CA router.

"ip http access-class" - no "extended ACLs" are possible,
CoPP (Control-Plane Policing)

CoPP uses (extended) ACLs to Classify Traffic.

Approach:

*** this doesn't solve any Authentication-Issue, but limits the exposure ***
3 Classes (for this purpose, others possible)
Class (A) - HTTP/HTTPs traffic which is allowed (correct source-IPs, correct destination-IPs - and ports)
Class (B) - all other HTTP/HTTPs traffic
Class (C) - the remaining (class-default) traffic.

Works fine here.

ip access-list extended ACL_HTTP_LOOP permit tcp any host <LOOPBACK-IP for CA> eq www permit tcp any host <LOOPBACK-IP for CA> eq 443 class-map match-all CM_HTTP_LOOP match access-group name ACL_HTTP_LOOP ip access-list extended ACL_HTTP permit tcp any any eq www permit tcp any any eq 443 class-map match-all CM_HTTP match access-group name ACL_HTTP policy-map PM_COPP ! ! "transmit any datarate" = permit ! class CM_HTTP_LOOP police cir 8000 conform-action transmit exceed-action transmit violate-action transmit ! ! "drop any datarate" = deny ! class CM_HTTP police cir 8000 conform-action drop exceed-action drop violate-action drop ! ! add "normal" CoPP-Policies here ! class class-default police cir 8000 conform-action transmit exceed-action transmit violate-action transmit control-plane service-policy input PM_COPP !

CoPP Statistics after "an Attack" - wrong Source-IP or wrong Destination-IP for HTTP:

* get's dropped in Class CM_HTTP

Router# show policy-map control-plane input Control Plane Service-policy input: PM_COPP Class-map: CM_HTTP_LOOP (match-all) 0 packets, 0 bytes 5 minute offered rate 0000 bps, drop rate 0000 bps Match: access-group name ACL_HTTP_LOOP police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 0 packets, 0 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: transmit violated 0 packets, 0 bytes; actions: transmit conformed 0000 bps, exceeded 0000 bps, violated 0000 bps Class-map: CM_HTTP (match-all) 34 packets, 2127 bytes 5 minute offered rate 0000 bps, drop rate 0000 bps Match: access-group name ACL_HTTP police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 34 packets, 2127 bytes; actions: drop exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop conformed 0000 bps, exceeded 0000 bps, violated 0000 bps Class-map: class-default (match-any) 1329 packets, 77200 bytes 5 minute offered rate 2000 bps, drop rate 0000 bps Match: any police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 1329 packets, 77200 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: transmit violated 0 packets, 0 bytes; actions: transmit conformed 2000 bps, exceeded 0000 bps, violated 0000 bps

CoPP Statistics after "allowed HTTP":

* get's permitted in Class "HTTP_LOOP"

! ! Zugriff auf die (erlaubte) Loopback-IP ! Router# show policy-map control-plane input Control Plane Service-policy input: PM_COPP Class-map: CM_HTTP_LOOP (match-all) 467 packets, 44940 bytes 5 minute offered rate 3000 bps, drop rate 0000 bps Match: access-group name ACL_HTTP_LOOP police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 188 packets, 14000 bytes; actions: transmit exceeded 35 packets, 4309 bytes; actions: transmit violated 244 packets, 26631 bytes; actions: transmit conformed 2000 bps, exceeded 1000 bps, violated 2000 bps Class-map: CM_HTTP (match-all) 147 packets, 9477 bytes 5 minute offered rate 0000 bps, drop rate 0000 bps Match: access-group name ACL_HTTP police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 157 packets, 10125 bytes; actions: drop exceeded 0 packets, 0 bytes; actions: drop violated 0 packets, 0 bytes; actions: drop conformed 0000 bps, exceeded 0000 bps, violated 0000 bps Class-map: class-default (match-any) 2744 packets, 159642 bytes 5 minute offered rate 1000 bps, drop rate 0000 bps Match: any police: cir 8000 bps, bc 1500 bytes, be 1500 bytes conformed 2811 packets, 163540 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: transmit violated 0 packets, 0 bytes; actions: transmit conformed 1000 bps, exceeded 0000 bps, violated 0000 bps

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Rich R — Wed, 18 Oct 2023 14:17:43 GMT

Refer to the URLs Marce shared - the bug has recommended mitigations (which should already be standard practice anyway)
Also see https://vulncheck.com/blog/cisco-implants and https://nvd.nist.gov/vuln/detail/CVE-2023-20198 which has some additional links.
As far as I can tell this affects all current versions of released code, nothing fixed available yet but I think they're still checking. You should assume they are all vulnerable.

I think this only affects the admin web interface, but web auth interface should never be accessible to internet anyway if you have configured the WLC correctly. And if you follow standard security guidelines your web admin interface should not be accessible to wireless users and access should be restricted to known authorised IP addresses.

The primary risk is if you have exposed the admin web interface to the internet with unrestricted access - then it's only a matter of time before you're compromised (if not already) unless you take action right away.

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen — Wed, 18 Oct 2023 14:15:25 GMT

I completely concur that disabling http / https is the solution if you have (for some reason) the webservice of your IOS-XE device exposed to an , lets call it, "open" network.

I just really want to know, for sure, if this "exposure" also includes 9800 when running CWA. I mean the 9800 does not have an IP interface in the guest network. Buuut, it kinda intercepts the clients request via the webservice anyway (thats why you need it enabled when configuring and using CWA). I just want to knoooowwww !!! 🙂

Im pretty sure LWA is vulnerable because the client gets redirected to a , lets call "loopback", interface in the 9800 for the LWA login page.

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Mark Elsen — Wed, 18 Oct 2023 14:20:02 GMT

- The workaround does not relate to sessions , it prevents the web server from loading additional modules ,

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen — Wed, 18 Oct 2023 14:20:24 GMT

But this is what I really want to know .. if its the webservice (no matter if it runs the admin page or a web auth page) that is vulnerabel, then having it "exposed" to an open network (the guest network) is also pretty bad.

Sure, of course we have all protected the admin interface of the device , and surely no-one has anything exposed towards the internet directly. But that open guest network, in a large organization, can be "available" in many places.

And if the webservice can be accessed (not admin, but LWA or CWA) from the guest network for login purposes, and is vulnerabel because of this CVE, it would be disastrous .

Re: CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

r.heitmann — Wed, 18 Oct 2023 14:51:57 GMT

you're right - but it's somehow weird, that a simple

ip http active-session-modules none ip http secure-active-session-modules none

didn't make it to "recommendations" in the Cisco document - Cisco states "workarounds available: no"

... so "disable http" or "restrict access" is all Cisco recommends, if I'm not wrong.