CVE-2023-20198 Software Web UI Privilege Escalation Vulnerability

Thomas Obbekaer Thomsen · ‎10-17-2023

This seems bad. - "I'm fuzzy on the whole good/bad thing. What do you mean, "bad"? "........

LWA, and basically also CWA, uses the webservice of the 9800.

Should we all just shut down our guest networks until a workaround / patch can be found ?

Currently that is what Im thinking.

Can anyone shed some light on my concern ?

marce1000 · ‎10-17-2023

>...Can anyone shed some light on my concern ?
- The advised strategy for security issues with Cisco products , is : use the recommended software version first , for the 9800 platforms that would be 17.9.4 , if the particular security problem is detected again and depending on business need -> contact TAC ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thomas Obbekaer Thomsen · ‎10-17-2023

So what you are saying is "this is fine" ? (insert "this is fine meme" here).

marce1000 · ‎10-17-2023

- As far as can recall my mind I am 'just saying' : the opposite ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

marce1000 · ‎10-17-2023

- FYI : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh87343

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Yasuhiro Ikuta · ‎10-17-2023

Looking at BugsearchTool, known affected releases include 17.6.5 and 17.3.3, but does it also affect 17.12.1?
I don't know how to try this vulnerability CVE-2023-20198.

Thomas Obbekaer Thomsen · ‎10-18-2023

the CVE basically says all IOS-XE products with the webservice enabled.

And there are no "fixes", so there is a very big possibility that all IOS-XE softwares are affected.

The only recommendation is also just to turn of http and https until a patch can be made available.

marce1000 · ‎10-18-2023

Ref : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
>...If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.
If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thomas Obbekaer Thomsen · ‎10-18-2023

Yes that makes perfect sense, that telling the config that you cannot have any sessions to the webservice makes the exploit not work.

I dont know what scenario you would configure this in. Enable the webservice, but not have it accept any sessions ?

But Im pretty certain (and I have not tested this) that this will also make CWA and LWA not work.

marce1000 · ‎10-18-2023

- The workaround does not relate to sessions , it prevents the web server from loading additional modules ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

r.heitmann · ‎10-19-2023

(this information is useless for WLC users, I apologize)

but disabling the "session-modules" breaks the IOS-CA
- no CRLs can be downloaded afterward
- a "HTTP 502" is returned instead

RoadRunner4k · ‎10-17-2023

Would be nice to know if the recommended releases are fixed from this CVE Lets us know Thomas if you hear something.

Thomas Obbekaer Thomsen · ‎10-18-2023

Havent heard anything additional yet.

But this being a 10.0 ... I mean .. thats bad ...

And the silence from Cisco worries me.

So Im right now recommending my customers to not use LWA or CWA as a precaution.

Rich R · ‎10-19-2023

Definitely no fixed versions - all are affected.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Finn Rud Laursen · ‎10-18-2023

Not a particularly concrete answer to Thomas.
It would be nice to know if enabled central web auth on the WLC contributes to security vulnerabilities or not.

/Finn