Stratix® 5800 and 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit)

Severity:
Critical
Advisory ID:
PN1653
Published Date:
October 18, 2023
Last Updated:
December 10, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Yes
Corrected:
Yes
Workaround:
No
CVE IDs
CVE-2023-20198
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
Summary
Stratix® 5800 & 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit)

Published Date: 10/17/2023
Last updated:  02/14/2024
Revision Number: 2.0
Revision History: Updated the corrected firmware revision
CVSS Score: 10/10

Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023, and additional information can be found in their original disclosure. As of the time of publication, no patch is available for this vulnerability and multiple cases of active exploitation have been observed. While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer. This advisory will be updated as remediation steps become available.

REVISION 1.1 UPDATE

Since publication of the original disclosure, the exploit code has become publicly available. Availability of exploit code reduces the technical barriers for threat actors to target the affected devices. Rockwell Automation currently has no evidence of active exploitation against the Stratix® product line. This advisory has been updated to include specific steps for creating access control measures for the Web UI. Rockwell Automation strongly encourages customers to follow the mitigation guidelines.

REVISION 2.0 UPDATE

Rockwell Automation has released a software update that remediates the vulnerabilities in the affected products. We strongly recommend customers update to the corrected firmware revision as soon as possible.

AFFECTED PRODUCTS AND SOLUTION

Affected Product: Stratix® 5200, 5800
First known in firmware revision: All versions running Cisco IOS XE Software with the Web UI feature enabled
Corrected in firmware revision: 17.12.02

VULNERABILITY DETAILS

CVE-2023-20198 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

Rockwell Automation used the latest version of the CVSS scoring system to assess this vulnerability.

CVSS Base Score: 10/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

CVE-2023-20273 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability could allow an authenticated, remote threat actor to inject commands with the privileges of root. The vulnerability is due to insufficient input validation. A threat actor could exploit it by sending crafted input to the Web UI, and a successful exploit could allow the threat actor to inject commands into the underlying operating system with root privileges.

Rockwell Automation used the latest version of the CVSS scoring system to assess this vulnerability.

CVSS Base Score: 7.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

Mitigations and Workarounds

Rockwell Automation strongly encourages customers to follow Cisco's guidance and disable the HTTP server on all internet-facing Stratix® devices.

  • To disable the HTTP Server feature, use the "no ip http server" or "no ip http secure-server" command in global configuration mode. If both the HTTP server and the HTTPS server are in use, both commands are required to disable the HTTP Server feature.
  • Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.

REVISION 1.1 UPDATE

  • Access Control Lists should be enabled so that only specific IP addresses can reach the Web UI of the device. Detailed instructions on how to create the Access Control List are in QA67053.
  • When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.
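The following is an added example, not part of the Rockwell or Cisco advisory: a small offline audit over a saved "show running-config" that flags the two conditions discussed above, an HTTP/HTTPS server left enabled without an access-class restriction (the exposure this advisory mitigates) and privilege-15 local accounts outside an expected list (the artifact CVE-2023-20198 exploitation leaves behind). The sample configs, the expected-account set and the "ip http access-class 10" ACL form are constructed assumptions; the procedure in QA67053 remains the authoritative ACL guidance.

```python
"""Audit IOS XE running-config text for Web UI exposure and unexpected privilege-15 accounts.

Added example, not part of the advisory. Runs offline on copied `show running-config`
output; both sample configs below are constructed, not taken from a real device.
"""
import re

# Constructed: Web UI enabled on both HTTP and HTTPS, no access-class, extra admin account.
SAMPLE_CONFIG = """\
hostname stratix-5800-lab
username admin privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
username operator privilege 1 secret 9 $9$PLACEHOLDER
ip http server
ip http secure-server
end
"""

# Constructed: HTTP off, HTTPS restricted to one management host via a standard ACL (assumed syntax).
HARDENED_CONFIG = """\
hostname stratix-5800-lab
username admin privilege 15 secret 9 $9$PLACEHOLDER
no ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit 192.0.2.10
end
"""

# Assumption: the accounts an administrator expects to hold privilege level 15.
EXPECTED_PRIV15 = {"admin"}


def web_ui_findings(config: str) -> list[str]:
    """Report each enabled HTTP/HTTPS server line that has no 'ip http access-class' alongside it."""
    lines = [ln.strip() for ln in config.splitlines()]
    restricted = any(ln.startswith("ip http access-class") for ln in lines)
    findings = []
    for cmd in ("ip http server", "ip http secure-server"):
        # 'no ip http server' does not match the exact enabled form, so disabled servers pass.
        if cmd in lines and not restricted:
            findings.append(f"{cmd} enabled without 'ip http access-class'; "
                            f"disable with 'no {cmd}' or restrict it with an ACL")
    return findings


def unexpected_priv15(config: str, expected=EXPECTED_PRIV15) -> list[str]:
    """Return local usernames configured at privilege 15 that are not in the expected set."""
    pat = re.compile(r"^\s*username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)
    return sorted(user for user in pat.findall(config) if user not in expected)


if __name__ == "__main__":
    for cfg_name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for finding in web_ui_findings(cfg):
            print(f"[{cfg_name}] FINDING: {finding}")
        for user in unexpected_priv15(cfg):
            print(f"[{cfg_name}] FINDING: unexpected privilege-15 account '{user}'")
```

Run it against a saved copy of "show running-config" from each device; an unexpected privilege-15 account is a reason to consult the Cisco Talos indicators before treating the device as clean.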

ADDITIONAL RESOURCES

  • CVE-2023-20198 JSON
  • CVE-2023-20273 JSON
  • Cisco CSAF File
Copyright ©2022 Rockwell Automation, Inc.