Cisco IOS XE Incident Update

Update 30-10-2023 (fast publish)

This is a fast publish. Based on honeypot data from @SI_FalconTeam we can make some analysis:

1. The webshell has an authorisation header is 40 characters long. (it is unknown how this was generated)
2. The user agent in the sample: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
3. The source IP: 192.3.101.11
4. The stages:
   1. Check for webshell
   • If not in place:
     1. Bypass Authentication (CVE-2023-20198
     )
   • 1. Create a local LEVEL 15 User AccountSet IP HTTP/HTTPS SERVER and Enable Local Authentication (AAA)Use this account to conduct a device inventory.
   • Inventory the System
   • Kill the created Level 15 account

In the lab we have attacked HTTP and HTTPS and have been able to get AUTH bypass. (thanks @leak_ix)

Read more “Cisco IOS XE Incident Update” →