IKEv2 Site to Site VPN between 2 Cisco ISR 4k's (Solved)

Elito Haylett
Level 1

I want to provide an update as there is no longer an issue with the VPN tunnel. It turns out my config was changed after being hacked. I was able to solve the issue with the VPN tunnel by just cleaning up the configs and trying to secure the router more with ACLs and other things and, most importantly, updating the IOS with the version that fixed the bug. Please be aware of this issue if you're running the IOS mentioned in the bug.

Here's a very critical update and then I'm going to close this post. It turned out to not be an issue with my configuration. In my prior post I mentioned that a "webui" user was created and I know I didn't. I'm posting the result of the Cisco CLI Analyzer. Please pay attention if you are running earlier versions of Cisco IOS XE images because this will definitely impact your environment. My devices were exploited and the hackers created VPN tunnels rerouting my traffic.


ECH-ISR4431
1 Result

IOS-XE System Diagnostics
Diagnostic Checks: 4055
Nov 25th 2023 4:19:43 pm (2 hours ago)
1 Danger  2 Warning  3 Info

This device is showing evidence of encountering CSCwh87343: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

SYMPTOMS:

Our investigation has determined that the actors exploited two previously unknown issues.

The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.

The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.

CVE-2023-20198 has been assigned a CVSS Score of 10.0.
CVE-2023-20273 has been assigned a CVSS Score of 7.2.

Both of these CVEs are being tracked by CSCwh87343.

For steps to close the attack vector for these vulnerabilities, see the Recommendations section of this advisory.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

CONDITIONS:

Please refer to the Security Advisory.

MITIGATION:

Workaround:
Please refer to the Security Advisory.

ADDITIONAL INFORMATION:

Please refer to the Security Advisory.

CSCwh87343

EVIDENCE:

N/A
Cisco IOS XE Software, Version 17.09.02a
...
ip http secure-server
...
Nov 25 15:59:26: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as ehaylett on vty5
Nov 25 15:59:26: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as ehaylett on vty5
Nov 25 15:59:26: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as ehaylett on vty5
This device is susceptible to CSCwh87343: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
This device is showing evidence of encountering CSCwh60107: In the show tech file, "enable secret" does not get hidden. 
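The two artefacts the CLI Analyzer keys on above are the `%SYS-5-CONFIG_P` syslog messages attributed to the web UI process `SEP_webui_wsma_http` and an enabled `ip http secure-server` in the running configuration. The script below is an added example, not part of the original post and not Cisco's CLI Analyzer code. It parses syslog lines for configuration changes pushed through the web UI process and audits a running-config for an exposed HTTP/HTTPS server and for privilege 15 local users outside an allow-list (the post mentions an unexpected "webui" user). The sample syslog lines reuse the message format shown above; the sample configs, the `netadmin` user and the allow-list are constructed for illustration.

```python
"""Triage helper for the Cisco IOS XE web UI compromise evidence shown above.

Added example (not from the original post or from Cisco). It scans syslog
lines for config changes made by the web UI process SEP_webui_wsma_http and
audits a running-config for an exposed web UI and unexpected privilege 15
users. Sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Process name that appears when the web UI / WSMA path writes configuration.
WEBUI_PROCESS = "SEP_webui_wsma_http"

# %SYS-5-CONFIG_P: Configured programmatically by process <proc> from <src> as <user> on <line>
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) "
    r"from (?P<src>\S+) as (?P<user>\S+) on (?P<line>\S+)"
)
# "username <name> privilege <n> ..." lines in a running-config.
USERNAME_RE = re.compile(r"^username (?P<name>\S+) privilege (?P<priv>\d+)")


@dataclass(frozen=True)
class WebUiChange:
    timestamp: str
    user: str
    source: str
    line: str


def find_webui_config_changes(log_lines):
    """Return every CONFIG_P event whose writing process is the web UI."""
    hits = []
    for raw in log_lines:
        m = CONFIG_P_RE.search(raw)
        if not m or m.group("proc") != WEBUI_PROCESS:
            continue
        timestamp = raw[: m.start()].rstrip(": ").strip()
        hits.append(WebUiChange(timestamp, m.group("user"), m.group("src"), m.group("line")))
    return hits


def audit_running_config(config_text, expected_admins):
    """Flag an exposed web UI and privilege 15 users not in the allow-list."""
    findings = []
    lines = [l.strip() for l in config_text.splitlines()]
    # Exact match: a "no ip http server" line must not count as enabled.
    enabled = [l for l in lines if l in ("ip http server", "ip http secure-server")]
    if enabled and not any(l.startswith("ip http access-class") for l in lines):
        findings.append("web UI enabled (" + ", ".join(enabled) + ") without ip http access-class")
    for l in lines:
        m = USERNAME_RE.match(l)
        if m and int(m.group("priv")) == 15 and m.group("name") not in expected_admins:
            findings.append("unexpected privilege 15 user: " + m.group("name"))
    return findings


# Constructed syslog sample: two lines in the format shown in the post, one
# extra web UI write by an invented "webui" account, plus unrelated noise.
SAMPLE_SYSLOG = [
    "Nov 25 15:58:01: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0",
    "Nov 25 15:59:26: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as ehaylett on vty5",
    "Nov 25 15:59:26: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as ehaylett on vty5",
    "Nov 25 16:02:10: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as webui on vty6",
    "Nov 25 16:05:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up",
]

# Constructed running-config: web UI exposed, unexpected "webui" admin user.
EXPOSED_CONFIG = """\
hostname ECH-ISR4431
username netadmin privilege 15 secret 9 $9$constructed
username webui privilege 15 secret 9 $9$constructed
ip http server
ip http secure-server
"""

# Same device after cleanup: web UI disabled, rogue user removed.
HARDENED_CONFIG = """\
hostname ECH-ISR4431
username netadmin privilege 15 secret 9 $9$constructed
no ip http server
no ip http secure-server
"""

EXPECTED_ADMINS = {"netadmin"}


def run_example():
    """Return (web UI changes, findings for exposed config, findings after hardening)."""
    changes = find_webui_config_changes(SAMPLE_SYSLOG)
    before = audit_running_config(EXPOSED_CONFIG, EXPECTED_ADMINS)
    after = audit_running_config(HARDENED_CONFIG, EXPECTED_ADMINS)
    return changes, before, after


if __name__ == "__main__":
    changes, before, after = run_example()
    for c in changes:
        print(f"{c.timestamp}: web UI config write as {c.user} on {c.line}")
    print("exposed config findings:", before)
    print("hardened config findings:", after)
```

Feed it the output of `show logging` and `show running-config`; any web UI config write you did not make yourself, or a privilege 15 user you did not create, warrants the advisory's full recovery steps rather than just removing the lines.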