
Managing the Recent Cisco Vulnerabilities from a NIST 800-53 Security Controls Perspective

By, Amanda Lowell, Security+ CE, RDRP

Special thanks to my colleagues Kathryn Daily and Sam Bodine for contributing to and helping edit this article!

In the last few weeks, two different vulnerabilities found in Cisco’s software were disclosed to the public. Before you click away thinking, “Well, I don’t own any Cisco devices, so this doesn’t apply to me…”, consider that Cisco has a chokehold on the computer networking industry, and much of the Internet (below layer 3 of the OSI model) runs on Cisco devices. Because Cisco is one of the premier network device and service providers, these vulnerabilities affect many customers at the service provider and content distribution level (i.e., MSPs, MSSPs, CSPs, CDNs, etc.). Remember how the SolarWinds exploit (timely example👀) affected Microsoft, Intel, oh, and also Cisco? The scope of a breach can trickle down to each of their respective customers. My guesstimate is that these vulnerabilities are far-reaching and apply to hundreds of thousands of end users like you and me.

Onto the actual vulnerabilities: CVE-2023-20198 and CVE-2023-20273 are two vulnerabilities in the Cisco IOS XE Software Web UI, the combined exploitation of which allowed for the creation of a local user and elevation of privileges to root to implant malicious code, files, etc. Software patches have been provided for these vulnerabilities, and Cisco recommends disabling the Web UI if at all possible. However, disabling a key feature on which many customers depend should be a temporary solution.

[Image: Example of the IOS XE 16 Web UI dashboard. Image credit: Nayarasi]

NIST 800-53 Rev. 5 Security Controls for Remediation

STIGs

New STIGs have been added as of October 23, 2023 to assist in the secure configuration of these routers. STIGs can be searched and filtered here, or you can download the Cisco IOS XE Router STIG here. Navigation through the CCI IDs of each entry will demonstrate the applicable NIST 800-53 security controls for your documentation. I include the information below to give my take on some applicable security controls for those not using STIGs to harden their systems. I advise you to consider STIGs for system hardening in your risk management process.


Given this context, here are some relevant NIST 800-53 security controls to mitigate the Cisco vulnerabilities, along with brief implementation guidance:


Access Control (AC)
  • AC-2 Account Management: Ensure accounts are managed properly, including establishing, activating, modifying, reviewing, disabling, and removing accounts.
    • Justification: Per the CVE description, the first exploit involves creating a local account, so having controls in place to manage these accounts is a necessity.
    • Implementation: Regularly review and audit user accounts. Remove or disable unnecessary or outdated accounts, especially those with elevated privileges. Account auditing can be performed with Windows Active Directory or by monitoring /etc/passwd on Linux, with Event Viewer and auditd, respectively, providing the audit trail. On the IOS XE device itself, the local accounts to review are the username entries in the running configuration, since that is where an account created through the Web UI would appear.
  • AC-3 Access Enforcement: Enforce assigned authorizations for controlling access to the system.
    • Implementation: Implement Role-Based Access Control (RBAC) and ensure users have the least privilege necessary to perform their tasks. RBAC can be implemented on Windows through Active Directory Users and Computers and Group Policy Objects; on Linux through /etc/group.
  • AC-6 Least Privilege: Enforce the least privilege principle, limiting access to only what is necessary.
    • Implementation: Regularly review user roles and permissions. Ensure that users do not have unnecessary privileges. Better yet, implement “check-out” of administrative privileges as needed through tokens and tickets rather than allowing certain users or groups to run as administrator all the time.
Audit and Accountability (AU)
  • AU-2 Audit Events: Define the necessary and relevant types of events to be audited.
    • Implementation: Ensure that actions like privilege escalations, account creations, and configuration changes are audited. These rules can be configured in your IDS/IPS (Snort, Suricata) or SIEM/SOAR solutions (Splunk, TheHive).
  • AU-6 Audit Review, Analysis, and Reporting: Review and analyze audit records for indications of inappropriate or unusual activity.
    • Implementation: Set up automated tools (SIEM, IDS, IPS) to review and analyze logs for suspicious activities, such as unexpected privilege escalations or unfamiliar user account activities. Cisco provides Snort rules for the malicious activity in their advisory, but you can translate these rules to your IDS/traffic analyzer of choice.
System and Communications Protection (SC)
  • SC-7 Boundary Protection: Monitor and control communications at system boundaries to prevent unauthorized transfers.
    • Implementation: Implement firewalls, Intrusion Prevention Systems (IPS), segmentation, and other boundary protection mechanisms to monitor and control data transfers. Disallow connection initiation from the segment where the Cisco web solution is hosted to trusted network segments.
System and Information Integrity (SI)
  • SI-3 Malicious Code Protection: Implement protections against malicious code (e.g., viruses, worms, spyware).
    • Implementation: Deploy anti-malware solutions on the system and ensure they are updated regularly. If possible, employ a combination of both signature- and behavior-based detection.
  • SI-4 Information System Monitoring: Monitor system events to detect and respond to events indicative of inappropriate or unauthorized activities.
    • Implementation: Implement monitoring tools to alert administrators of potential security incidents, such as unauthorized changes or access attempts. Check out the guidance on AU-6 above.
Incident Response (IR)
  • IR-4 Incident Handling: Establish an incident handling capability for security incidents.
    • Implementation: Develop and maintain an incident response plan. Train personnel in handling and responding to security incidents related to the web UI and other components.
Configuration Management (CM)
  • CM-6 Configuration Settings: Establish and enforce security configuration settings for the system.
    • Implementation: Harden the system based on industry best practices and regularly review the configuration to ensure it adheres to security guidelines. Disable unnecessary configurations, like the Web UI, if unused.
Identification and Authentication (IA)
  • IA-2 Identification and Authentication (Organizational Users): Ensure users or devices are authenticated before establishing a connection.
    • Implementation: Implement strong authentication mechanisms for the web UI, such as multi-factor authentication.

Vulnerabilities Overview

CVE-2023-20198

Technical Overview:
  • This vulnerability allows an attacker to gain initial access to the system by exploiting the web UI feature in Cisco IOS XE Software.
  • Upon successful exploitation, the attacker can issue a privilege 15 command to create a local user and password combination, which allows the user to log in with normal user access.
  • It has been assigned a high CVSS Score of 10.0, indicating that it’s a critical vulnerability.
Vulnerable Systems:
  • Systems running Cisco IOS XE Software with the web UI feature enabled.
  • The web UI feature gets enabled through the ip http server or ip http secure-server commands.
  • If the configuration contains ip http active-session-modules none, it’s not exploitable over HTTP. If it contains ip http secure-active-session-modules none, it’s not exploitable over HTTPS.

CVE-2023-20273

Technical Overview:
  • After gaining access via CVE-2023-20198, the attacker can exploit another component of the web UI feature.
  • This vulnerability allows the attacker to leverage the newly created local user to elevate their privileges to root and write an implant to the file system.
  • It has been assigned a CVSS Score of 7.2, making it a high-severity vulnerability.
Vulnerable Systems:
  • Systems that have already been compromised by CVE-2023-20198.
  • Systems running Cisco IOS XE Software with the web UI feature enabled and have the presence of the commands ip http server or ip http secure-server in the global configuration.
  • As with the previous CVE, if specific configurations (ip http active-session-modules none or ip http secure-active-session-modules none) are present, the vulnerabilities aren’t exploitable over HTTP or HTTPS, respectively.
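The exposure rules listed under both CVEs above (web UI enabled via ip http server / ip http secure-server, mitigated per transport by the active-session-modules none commands) can be applied to a saved running configuration as a first pass before a deeper investigation. The script below is an added example, not Cisco's or this article's own tooling; the configuration text it parses is a constructed sample, and the hostname and usernames in it are placeholders.

```python
import re

# Constructed sample "show running-config" excerpt (placeholder names, not a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_support privilege 15 secret 9 $9$PLACEHOLDER
username readonly privilege 1 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
!
"""

PRIV15_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b")


def assess_webui_exposure(config: str) -> dict:
    """Apply the vulnerable-configuration rules from the advisory to a config dump.

    Returns which web UI transports are exposed to CVE-2023-20198 /
    CVE-2023-20273 and the privilege-15 local accounts an AC-2 review
    should reconcile against a list of known, approved administrators.
    """
    # Exact-line matching means "no ip http server" does not count as enabled.
    lines = {line.strip() for line in config.splitlines()}
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    http_mitigated = "ip http active-session-modules none" in lines
    https_mitigated = "ip http secure-active-session-modules none" in lines

    # A transport is exposed only when it is enabled and not mitigated.
    exposed = []
    if http_enabled and not http_mitigated:
        exposed.append("http")
    if https_enabled and not https_mitigated:
        exposed.append("https")

    # Privilege-15 users: an account added via the Web UI would appear here.
    priv15_users = []
    for line in lines:
        match = PRIV15_RE.match(line)
        if match:
            priv15_users.append(match.group(1))

    return {
        "web_ui_enabled": http_enabled or https_enabled,
        "exposed_transports": exposed,
        "privilege_15_users": sorted(priv15_users),
    }


if __name__ == "__main__":
    print(assess_webui_exposure(SAMPLE_CONFIG))
```

For the sample above the result flags HTTP as exposed (enabled, no mitigation) while HTTPS is enabled but mitigated, and lists two privilege-15 accounts for review.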

In this article, I hope to provide insight into managing the risk posed by these vulnerabilities from the perspective of implementing NIST 800-53 Security Controls. Cisco has already provided a summary of vulnerable and not vulnerable systems, recommendations to mitigate the vulnerabilities, as well as indicators of compromise (IoCs) for systems (read their advisory here). Many of the security controls that I suggest are already industry best practices. I hope you find this article helpful in determining your organization’s risk in the face of these vulnerabilities, and as always, I recommend you assess whether these controls are realistic based on the criticality of the data, the mission of your organization, and your risk appetite.

Closing Thoughts

Regular reviews, monitoring, and timely updates are essential to ensure the system’s security against vulnerabilities. Additionally, working closely with vendors like Cisco to apply patches and updates is crucial.

Though these vulnerabilities may be exploited to the detriment of Cisco customers, this is another sobering reminder for organizations that lack appropriate governance and technical controls to protect against sophisticated threats. Only a combination of controls can help protect against the exploitation of these vulnerabilities. Among many other potentially applicable controls, organizations should focus on access control, auditing, system protection, integrity, incident response, configuration management, and authentication.

Cisco recommends that, if systems require HTTP/HTTPS to be enabled, access to those services should be restricted to trusted networks. I am doubtful that this would fully eliminate the threat. If an attacker is able to exploit the vulnerability initially and perform actions with administrative privileges, they have the permissions to move laterally into those trusted segments of the network if they have the skill. For more sophisticated threat actors, the tactical goal is typically to establish longevity in the target network and remain undetected until they are able to accomplish their strategic goal (espionage, financial gain, sabotage, etc). No sophisticated attacker will stop at the initial access point. For organizations that have identified suspicious activity relating to the vulnerability (again, Cisco provides indicators of compromise to look for), I would suggest a full-fledged investigation into the scope of the breach and the levels of persistence, command and control achieved. Cisco will likely publish more guidance as time goes on.
