Cisco IOS XE Web UI Authentication Bypass (CVE-2023-20198)
Description
A critical authentication bypass vulnerability exists in the web-based management interface of Cisco IOS XE Software. This flaw allows remote attackers to circumvent authentication controls by sending specially crafted HTTP requests to the Web UI, granting them unauthorized administrative access to affected devices without requiring valid credentials.
Remediation
1. Immediately disable the HTTP Server feature on internet-facing interfaces if not required using the command 'no ip http server' and 'no ip http secure-server' in global configuration mode.
2. Apply the latest Cisco IOS XE software updates that address CVE-2023-20198 as published in the Cisco Security Advisory.
3. Implement access control lists (ACLs) to restrict Web UI access to trusted management networks only.
4. Monitor system logs for indicators of compromise, including unexpected user account creation or privilege level changes.
5. Review and remove any unauthorized local user accounts, particularly those with privilege level 15.
6. After patching, verify the fix by checking for the absence of the implant using Cisco's provided detection scripts.