On October 16, 2023 Cisco disclosed an authentication bypass, CVE-2023-20198, affecting Cisco IOS XE. The disclosure reported that the vulnerability had been exploited in the wild to help install implants on affected switches and routers. Additionally, Cisco shared a simple technique to determine if an IOS XE device had an active implant on it. The implant responds with an 18-character hexadecimal string when a specific HTTP POST is sent to the system:
$ curl -X POST http://192.168.1.1/webui/logoutconfirm.html?logon_hash=1
1a80b7389ccd0a5dab
Cisco buried the lede by not mentioning that thousands of internet-facing IOS XE systems have been implanted. VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation, as privileged access on an IOS XE device likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.
VulnCheck has released the scanner used to find implanted systems on the internet.
$ ./implant-scanner -rhost 192.168.1.1 -rport 80 -a -v -c | grep "implant-id"
time=2023-10-17T05:32:29.522-04:00 level=SUCCESS msg=Found implant-id=1a80b7389ccd0a5dab rhost=192.168.1.1 rport=80 ssl=false
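As an added example (not VulnCheck's implant-scanner and not Cisco's code), the same check in a small Python script: it sends the POST from the curl command, treats only a body that is exactly an 18-character hexadecimal string as an implant id, and keeps connection errors separate from a clean result. The host 192.168.1.1 and the script name are placeholders.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional

# Path from Cisco's check; an implanted device answers the POST with an 18-char hex id.
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
IMPLANT_ID_RE = re.compile(r"[0-9a-fA-F]{18}")


def extract_implant_id(body: str) -> Optional[str]:
    """Return the implant id if the body is exactly an 18-char hex string, else None.

    A clean device returns HTML (or an error page), so only an exact match counts.
    """
    candidate = body.strip()
    if IMPLANT_ID_RE.fullmatch(candidate):
        return candidate.lower()
    return None


def check_host(rhost: str, rport: int = 80, use_ssl: bool = False, timeout: float = 5.0) -> dict:
    """Send the POST from Cisco's check to one host and classify the response."""
    url = f"{'https' if use_ssl else 'http'}://{rhost}:{rport}{IMPLANT_PATH}"
    req = urllib.request.Request(url, data=b"", method="POST")
    ctx = None
    if use_ssl:  # management interfaces commonly carry self-signed certs
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"rhost": rhost, "rport": rport, "ssl": use_ssl, "implant_id": None, "error": None}
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read(256).decode("ascii", errors="replace")
    except urllib.error.HTTPError as exc:  # a 4xx/5xx reply still carries a body worth checking
        body = exc.read(256).decode("ascii", errors="replace")
    except (urllib.error.URLError, OSError) as exc:  # unreachable: not a clean result
        result["error"] = str(exc)
        return result
    result["implant_id"] = extract_implant_id(body)
    return result


if __name__ == "__main__":
    # Usage: python3 check_implant.py <rhost> [rport] [ssl]   (placeholder host below)
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    res = check_host(host, port, use_ssl=len(sys.argv) > 3)
    print("IMPLANTED" if res["implant_id"] else "no implant response", res)
```

A host that times out or refuses the connection is reported with an error rather than as clean, so it can be rechecked instead of being silently dropped from the results.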
If your organization uses an IOS XE system, it's imperative that you determine if your systems have been compromised and take appropriate action once implants have been discovered. While a patch is not yet available, you can protect your organization by disabling the web interface and removing all management interfaces from the internet immediately.