<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:o:rockwellautomation:allen-Bradley_stratix_5800_firmware:*:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3orockwellautomationallen-bradley_stratix_5800_firmware/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3orockwellautomationallen-bradley_stratix_5800_firmware/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco IOS XE Web UI Implant Access via CVE-2023-20198</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-webui-exploit/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-webui-exploit/</guid><description>Exploitation of the Cisco IOS XE Web UI vulnerability (CVE-2023-20198) through crafted POST requests to obtain unauthorized access and maintain persistence on compromised devices.</description><content:encoded><![CDATA[<p>The Cisco IOS XE Software Web Management User Interface vulnerability (CVE-2023-20198) allows a remote attacker to inject code and establish persistent access to a vulnerable system. Public reports indicate active exploitation starting in September 2023, targeting Cisco IOS XE devices running vulnerable versions of the web UI. The vulnerability is triggered by specific crafted HTTP POST requests to the <code>/webui/logoutconfirm.html</code> endpoint. Successful exploitation allows attackers to install an implant, granting them privileged access and control over the device. This poses a significant threat to network infrastructure integrity and availability, as compromised devices can be used for lateral movement, data exfiltration, or denial-of-service attacks. The Talos Intelligence blog and the <code>cisco-ios-xe-implant-scanner</code> tool on Github provide additional context on this campaign.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Cisco IOS XE device with the web UI enabled.</li>
<li>The attacker sends a crafted HTTP POST request to <code>/webui/logoutconfirm.html?logon_hash=*</code> to exploit CVE-2023-20198.</li>
<li>Successful exploitation allows the attacker to inject arbitrary code into the device.</li>
<li>The attacker installs a persistent implant on the compromised device, typically a web shell or reverse shell.</li>
<li>The attacker uses the implant to establish a reverse shell connection to an external command and control (C2) server.</li>
<li>The attacker leverages privileged access gained through the implant to perform reconnaissance on the network.</li>
<li>The attacker moves laterally to other systems within the network, exploiting trust relationships or other vulnerabilities.</li>
<li>The attacker exfiltrates sensitive data or deploys ransomware, achieving their final objective.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2023-20198 can lead to complete compromise of Cisco IOS XE devices, potentially affecting thousands of organizations globally. Attackers can gain privileged access, allowing them to reconfigure devices, intercept network traffic, and pivot to other systems on the network. This can result in data breaches, financial losses, and significant disruption of critical infrastructure. Cisco has released patches to address this vulnerability, but many devices remain unpatched and vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco IOS XE Implant Access Attempt</code> to detect POST requests to the vulnerable endpoint (Web.url).</li>
<li>Inspect network traffic for suspicious POST requests targeting the <code>/webui/logoutconfirm.html?logon_hash=*</code> endpoint (Web.url).</li>
<li>Use a web vulnerability scanner to identify Cisco IOS XE devices vulnerable to CVE-2023-20198.</li>
<li>Apply the latest security patches released by Cisco to address CVE-2023-20198.</li>
<li>Review and harden the web UI access controls on Cisco IOS XE devices, restricting access to authorized users only.</li>
<li>Monitor user-agent strings for unusual or malicious activity associated with web UI access (Web.http_user_agent).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cisco-ios-xe</category><category>web-ui</category><category>cve-2023-20198</category><category>implant</category></item></channel></rss>