Hello guys, hope you’re doing great!
As you might have noticed, a new PSIRT was released today (October 16 2023) for IOS-XE devices; it has been identified with the ID CVE-2023-20198 and bug ID CSCwh87343.
Symptoms
In summary, the bug allows a remote, unauthenticated attacker to create a privilege level 15 account on your IOS-XE devices through the web UI feature; using that new account the attacker then has full admin access to the device.
How to mitigate
At the moment there is no fixed release (neither a regular nor an escalation build) that closes the issue, so Cisco's general recommendation is to disable the HTTP server feature (both HTTP and HTTPS). For IOS-XE switches this is simple enough with the following commands:
no ip http server
no ip http secure-server
copy running-config startup-config
Wireless
Now, while switches are something we are more used to managing via CLI, I understand that disabling HTTP/HTTPS access to the C9800 WLC is a bigger deal than on the switches. Before deciding, consider the following:
- Is any management interface reachable from the internet?
- Do we have a way to filter traffic from the internet to the HTTP/HTTPS ports on our management VLAN?
- How likely is it that an attacker gains access to the management VLAN and reaches the IOS-XE devices from there?
Ultimately the recommendation remains to disable the HTTP server on the WLC. If you feel your environment is locked down enough to keep running the server until a hot patch is released, you can take that risk, but account for it explicitly.
There is no expected timeline for a fix, so taking that into account my advice is to configure anything that still needs configuring and then disable the server, re-enabling it only for a limited time in the exceptional case that you truly need the GUI, and disabling it again as soon as you are done.
In the case of your wireless C9800, if you are using web auth remember to also apply the following commands so you don't break the process:
parameter-map type webauth global
webauth-http-enable
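The mitigation above is easy to apply but also easy to get wrong: the server gets re-enabled for "a quick change" and forgotten, the web-auth hook is missed on the C9800, or a level 15 user you never created is already sitting in the config. The following Python script is an added example and not part of the original post: it audits the text of `show running-config` for the switch commands above, for the C9800 web-auth caveat, and for privilege 15 local users that are not on your expected admin list (the advisory's attacker creates exactly such an account). Both config samples, the hostnames and the usernames are constructed for the demo.

```python
"""Audit IOS-XE running-config text for the CVE-2023-20198 mitigation state.

Added example, not code from the original post. It checks three things:
  1. `ip http server` / `ip http secure-server` are explicitly negated
  2. the global webauth parameter-map carries `webauth-http-enable`
     (so web auth keeps working on a C9800 once the server is off)
  3. no privilege 15 local user exists outside the expected admin set
"""
import re

# Constructed sample (not from the post): a C9800 with the web UI still on,
# no web-auth hook, and a level 15 user the operator did not create.
EXPOSED_CONFIG = """\
hostname WLC-9800-1
!
username admin privilege 15 secret 9 $9$constructed1
username netops2 privilege 15 secret 9 $9$constructed2
username helpdesk privilege 1 secret 9 $9$constructed3
!
ip http server
ip http authentication local
ip http secure-server
!
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
!
"""

# Constructed sample: the same device after the mitigation from the post.
MITIGATED_CONFIG = """\
hostname WLC-9800-1
!
username admin privilege 15 secret 9 $9$constructed1
username helpdesk privilege 1 secret 9 $9$constructed3
!
no ip http server
ip http authentication local
no ip http secure-server
!
parameter-map type webauth global
 type webauth
 webauth-http-enable
 virtual-ip ipv4 192.0.2.1
!
"""


def parse_config(text):
    """Extract the facts the mitigation depends on from `show running-config` text."""
    state = {
        "http_server": None,          # True / False / None (line absent)
        "http_secure_server": None,
        "webauth_global_seen": False,
        "webauth_http_enable": False,
        "priv15_users": [],
    }
    in_webauth_global = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        # IOS-XE indents sub-mode lines by one space; stay inside the
        # global webauth parameter-map until the next top-level line.
        if line.startswith(" "):
            if in_webauth_global and line.strip() == "webauth-http-enable":
                state["webauth_http_enable"] = True
            continue
        in_webauth_global = line == "parameter-map type webauth global"
        if in_webauth_global:
            state["webauth_global_seen"] = True
        elif line == "ip http server":
            state["http_server"] = True
        elif line == "no ip http server":
            state["http_server"] = False
        elif line == "ip http secure-server":
            state["http_secure_server"] = True
        elif line == "no ip http secure-server":
            state["http_secure_server"] = False
        else:
            m = re.match(r"^username\s+(\S+)\s.*\bprivilege\s+15\b", line)
            if m:
                state["priv15_users"].append(m.group(1))
    return state


def audit(text, expected_admins):
    """Return findings to act on; an empty list means the mitigation is in place."""
    s = parse_config(text)
    findings = []
    for key, cmd in (("http_server", "ip http server"),
                     ("http_secure_server", "ip http secure-server")):
        if s[key] is not False:   # enabled, or simply not negated in the config
            findings.append(f"{cmd} is not disabled")
    if s["webauth_global_seen"] and not s["webauth_http_enable"]:
        findings.append("webauth-http-enable missing under parameter-map type "
                        "webauth global; web auth will break once the HTTP server is off")
    unexpected = sorted(set(s["priv15_users"]) - set(expected_admins))
    if unexpected:
        findings.append("unexpected privilege 15 local user(s): " + ", ".join(unexpected))
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(name, audit(cfg, {"admin"}) or ["clean"])
```

Feed it the saved output of `show running-config` from each device and treat any finding as a ticket: the first two mean the mitigation is not in place, the third means web auth will stop working when you apply it, and the last one is the signal to start an incident, not just a config cleanup.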
One more thing, about DNAC
Remember you can always get to the monitoring side of the controller, with even more insight, via DNAC Assurance. So, as long as you're not planning any config changes, you should be fine without the WLC GUI.
Update from Oct 24th 2023
A new version has been released for most IOS-XE devices, including the C9800: 17.9.4a carries the hot fix for this vulnerability. It does not come without a price, though: this version does not let you install the AP service packs from 17.9.4, which fix other vulnerabilities published in September.
I took a bit more time to update, to investigate a little, and there is an SMU patch for 17.9.4 that also fixes the vulnerability, already available on cisco.com downloads for all the platforms. If you are going to install a patch, I suggest you go with this option.
Unfortunately, this only works on the 17.9 train; the fix for the other trains is still pending publication.
I'll keep you posted!
Thanks for reading
Dan