Stratix® 5800 and 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit)

Severity:
Critical
Advisory ID:
PN1653
Published Date:
October 18, 2023
Last Updated:
December 10, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Yes
Corrected:
Yes
Workaround:
No
CVE IDs
CVE-2023-20198
Download
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
Summary
Stratix® 5800 & 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit)

Published Date: 10/17/2023
Last updated:  02/14/2024
Revision Number: 2.0
Revision History: Updated Corrected in firmware revision
CVSS Score: 10/10

Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023, and additional information can be found in their original disclosure. As of the time of original publication, no patch was available for this vulnerability and multiple cases of active exploitation had been observed. While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response engagement for a Cisco customer. This advisory will be updated as remediation steps become available.

REVISION 1.1 UPDATE

Since publication of the original disclosure, exploit code has become publicly available. Availability of exploit code lowers the technical barrier for threat actors to target the affected devices. Rockwell Automation currently has no evidence of active exploitation against the Stratix® product line. This advisory has been updated to include specific steps for creating access control measures for the Web UI. Rockwell Automation strongly encourages customers to follow the mitigation guidelines.

REVISION 2.0 UPDATE

Rockwell Automation has released a software update that remediates the vulnerabilities in the affected products. We strongly recommend customers update to the corrected firmware revision as soon as possible.

AFFECTED PRODUCTS AND SOLUTION

Affected Product                 First known in firmware revision                                              Corrected in firmware revision
Stratix® 5200, 5800              All versions running Cisco IOS XE Software with the Web UI feature enabled    17.12.02

VULNERABILITY DETAILS

CVE-2023-20198 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

Rockwell Automation used CVSS v3.1 to assess this vulnerability.

CVSS Base Score: 10.0/10 (critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

CVE-2023-20273 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability could allow an authenticated, remote threat actor to inject commands with root privileges. The vulnerability is due to insufficient input validation: a threat actor could exploit it by sending crafted input to the Web UI, and a successful exploit would allow the threat actor to run commands on the underlying operating system as root. In the observed attacks, the privilege level 15 account created through CVE-2023-20198 supplies the authentication this vulnerability requires.

Rockwell Automation used CVSS v3.1 to assess this vulnerability.

CVSS Base Score: 7.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

Mitigations and Workarounds

Rockwell Automation strongly encourages customers to follow Cisco's guidance and disable the HTTP server feature on all internet-facing Stratix® devices.

  • To disable the HTTP Server feature, use the no ip http server and no ip http secure-server commands in global configuration mode. The Web UI is served by both the HTTP and the HTTPS server, so if both are in use, both commands are required to remove the Web UI from the network. Save the change with copy running-config startup-config so it survives a reload.
  • Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.

REVISION 1.1 UPDATE

  • Access Control Lists should be enabled so that only specific IP addresses can reach the Web UI of the device. Detailed instructions on how to create the Access Control List are in QA67053.
  • When implementing access controls for these services, review the controls before deploying them, because a misconfigured list can interrupt production services.
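The two mitigations above (disable the HTTP/HTTPS servers, or restrict the Web UI with an ACL) and the symptom of CVE-2023-20198 (a new privilege 15 account) can all be checked offline from a saved running-config. The following audit script is an added example and is not Rockwell Automation or Cisco code. It assumes you have exported `show running-config` from a Stratix 5200/5800 to a text file; the two sample configurations, the hostname, the usernames and the `WEBUI-MGMT` ACL name are constructed for illustration. It accepts both the numbered (`ip http access-class 10`) and the named (`ip http access-class ipv4 NAME`) forms of the IOS XE access-class command.

```python
"""Audit a saved Cisco IOS XE running-config for the CVE-2023-20198 mitigations.

Added example, not vendor code. Checks three things the advisory calls for:
  1. Is the Web UI (HTTP and/or HTTPS server) enabled at all?
  2. If it is, is access restricted with `ip http access-class`?
  3. Are there local users with privilege 15 that are not on your allowlist?
     (CVE-2023-20198 is exploited by creating such an account.)
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class WebUiFindings:
    http_enabled: bool = False
    https_enabled: bool = False
    access_class: Optional[str] = None          # ACL bound to the HTTP server, if any
    unexpected_priv15: List[str] = field(default_factory=list)

    @property
    def web_ui_enabled(self) -> bool:
        return self.http_enabled or self.https_enabled

    @property
    def web_ui_unrestricted(self) -> bool:
        # Web UI reachable and no ACL limiting who can reach it
        return self.web_ui_enabled and self.access_class is None

    @property
    def ok(self) -> bool:
        return not self.web_ui_unrestricted and not self.unexpected_priv15


# Both the numbered and the named (ipv4 NAME) access-class forms exist in IOS XE.
_ACCESS_CLASS = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)")
# `username NAME ... privilege N ...`; the privilege keyword may follow other options.
_USERNAME = re.compile(r"^username (\S+) (?:.* )?privilege (\d+)\b")


def audit_running_config(config: str, allowed_admins: Set[str]) -> WebUiFindings:
    """Parse a running-config dump and report Web UI exposure and rogue admins."""
    f = WebUiFindings()
    for raw in config.splitlines():
        line = raw.strip()
        # Exact matches: `no ip http server` deliberately does NOT set the flag.
        if line == "ip http server":
            f.http_enabled = True
        elif line == "ip http secure-server":
            f.https_enabled = True
        m = _ACCESS_CLASS.match(line)
        if m:
            f.access_class = m.group(1)
        m = _USERNAME.match(line)
        if m and int(m.group(2)) == 15 and m.group(1) not in allowed_admins:
            f.unexpected_priv15.append(m.group(1))
    return f


def remediation(f: WebUiFindings) -> List[str]:
    """Return the IOS XE global-config commands that would close each finding."""
    steps: List[str] = []
    if f.web_ui_unrestricted:
        # Either turn the servers off entirely, or bind an ACL; the advisory
        # prefers disabling on internet-facing devices.
        if f.http_enabled:
            steps.append("no ip http server")
        if f.https_enabled:
            steps.append("no ip http secure-server")
    for user in f.unexpected_priv15:
        # Investigate before removing: an unknown level-15 user is an IoC.
        steps.append(f"no username {user}")
    return steps


# Constructed sample configs (not captured from a real device).
VULNERABLE_CONFIG = """\
hostname STRATIX-5800-A
username admin privilege 15 secret 9 CONSTRUCTED
username svc_web privilege 15 secret 9 CONSTRUCTED
ip http server
ip http secure-server
"""

HARDENED_CONFIG = """\
hostname STRATIX-5800-A
username admin privilege 15 secret 9 CONSTRUCTED
ip access-list standard WEBUI-MGMT
 permit 10.10.5.0 0.0.0.255
 deny   any log
no ip http server
ip http secure-server
ip http access-class ipv4 WEBUI-MGMT
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        f = audit_running_config(cfg, allowed_admins={"admin"})
        print(f"{name}: ok={f.ok} unrestricted_webui={f.web_ui_unrestricted} "
              f"rogue_priv15={f.unexpected_priv15} fix={remediation(f)}")
```

Run it against `show running-config` output captured before and after applying the mitigations; a device that still reports `unrestricted_webui=True` is exposed, and any name in `rogue_priv15` should be treated as a possible indicator of compromise rather than simply deleted.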

ADDITIONAL RESOURCES

  • CVE-2023-20198 JSON
  • CVE-2023-20273 JSON
  • Cisco CSAF File