Key Takeaways
On October 16, 2023 Cisco disclosed an authentication bypass, CVE-2023-20198, affecting Cisco IOS XE. The disclosure reported that the vulnerability had been exploited in the wild to help install implants on affected switches and routers. Additionally, Cisco shared a simple technique to determine if an IOS XE device had an active implant on it. The implant responds with an 18-character hexadecimal string when a specific HTTP POST is sent to the system:
$ curl -X POST http://192.168.1.1/webui/logoutconfirm.html?logon_hash=1
1a80b7389ccd0a5dab
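The same check as a small Python script, added here as an example (not code from Cisco or VulnCheck); the host, port and the check_device helper are assumptions. It sends the POST from the advisory and reports a device as implanted only when the whole response body is an 18-character hex string, so the ordinary HTML logout page of a clean device does not match.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request

# Cisco's published indicator: the implant answers this POST with an 18-character hex id.
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
IMPLANT_ID_RE = re.compile(r"[0-9a-fA-F]{18}")


def extract_implant_id(body):
    """Return the implant id when the body is exactly an 18-char hex string, else None.

    A device without the implant serves its normal logout page (HTML), which does not match.
    """
    candidate = body.strip()
    return candidate if IMPLANT_ID_RE.fullmatch(candidate) else None


def check_device(host, port=80, use_ssl=False, timeout=5.0):
    """Send the detection POST to one device (hypothetical helper, not VulnCheck's scanner).

    Returns ("implanted", id), ("clean", None) or ("error", reason).
    """
    scheme = "https" if use_ssl else "http"
    url = f"{scheme}://{host}:{port}{IMPLANT_PATH}"
    ctx = None
    if use_ssl:
        # Management interfaces commonly use self-signed certificates; skip verification
        # for this detection probe only.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read(256).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        return "error", str(exc)
    implant_id = extract_implant_id(body)
    return ("implanted", implant_id) if implant_id else ("clean", None)


if __name__ == "__main__":
    # Usage: python check_iosxe_implant.py HOST[:PORT] [--ssl]  (constructed CLI, not the page's tool)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    host, _, port = target.partition(":")
    status, detail = check_device(host, int(port or 80), "--ssl" in sys.argv)
    print(f"{host}: {status}" + (f" implant-id={detail}" if detail else ""))
```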
Cisco buried the lede by not mentioning that thousands of internet-facing IOS XE systems have been implanted. VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation, as privileged access on an IOS XE device likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.
VulnCheck has released the scanner used to find implanted systems on the internet.
$ ./implant-scanner -rhost 192.168.1.1 -rport 80 -a -v -c | grep "implant-id"
time=2023-10-17T05:32:29.522-04:00 level=SUCCESS msg=Found implant-id=1a80b7389ccd0a5dab rhost=192.168.1.1 rport=80 ssl=false
If your organization uses an IOS XE system, it's imperative that you determine if your systems have been compromised and take appropriate action once implants have been discovered. While a patch is not yet available, you can protect your organization by disabling the web interface and removing all management interfaces from the internet immediately.
For additional guidance, read Cisco PSIRT's advisory. Cisco Talos has also written an informative blog post about the discovery of the issue.