
Cisco has disclosed CVE-2023-20109, a vulnerability in IOS and IOS XE software that is already being targeted in attacks and requires prompt action.

What’s Impacted:

  • IOS and IOS XE software with the Group Domain of Interpretation (GDOI) or G-IKEv2 protocol enabled is vulnerable.
  • Successful exploitation enables arbitrary code execution or denial of service.
  • Cisco has observed attempts to exploit this vulnerability.

The Vulnerability Details:

The vulnerability arises from insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. Cisco rates the severity as medium, but that rating reflects the access required rather than the impact: an attacker must already have administrative control of a key server or a group member, and from that position can send crafted attributes to the peer. In other words, they must have infiltrated the environment first. Because all communication between the key server and group members is encrypted and authenticated, an outsider cannot simply inject the malicious messages, which makes the flaw harder to exploit but no less serious once a GET VPN device has been compromised.

The Potential Consequences:

If this vulnerability is exploited successfully, it could allow attackers to execute arbitrary code and gain complete control of the affected system or cause it to reload, leading to a denial of service (DoS) condition.

Affected Products:

This zero-day bug affects every Cisco product running a vulnerable IOS or IOS XE release with GDOI or G-IKEv2 enabled. Devices that do not run GET VPN are not affected, and Meraki products and devices running IOS XR or NX-OS software are not affected.
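Because exposure depends on whether GET VPN is actually configured, the first thing to check on each device is the running-config. The script below is an added example, not Cisco's tooling or anything from the original article: it scans a saved running-config for GET VPN groups and reports each one's protocol and role. It assumes the configuration keywords used by Cisco's GET VPN feature (a `crypto gdoi group` block for GDOI and a `crypto gkm group` block for G-IKEv2, with `server local` marking a key server and `server address ipv4` marking a group member); the sample config is constructed for illustration.

```python
"""Audit a saved Cisco IOS/IOS XE running-config for GET VPN (GDOI / G-IKEv2) groups.

Added example, not Cisco's code. Assumptions: GDOI groups are configured with
'crypto gdoi group <name>', G-IKEv2 groups with 'crypto gkm group <name>'; inside a
group, 'server local' identifies a key server and 'server address ipv4 <addr>'
identifies a group member pointing at a key server.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

GROUP_RE = re.compile(r"^crypto (gdoi|gkm) group (\S+)\s*$")


@dataclass
class GetVpnGroup:
    name: str
    protocol: str                      # "GDOI" or "G-IKEv2"
    role: str = "unknown"              # "key-server", "group-member" or "unknown"
    key_servers: list[str] = field(default_factory=list)  # addresses from 'server address ipv4'


def parse_getvpn_groups(config: str) -> list[GetVpnGroup]:
    """Return one GetVpnGroup per 'crypto gdoi/gkm group' block found in config."""
    groups: list[GetVpnGroup] = []
    current: GetVpnGroup | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and IOS comment/separator lines
        m = GROUP_RE.match(line)
        if m:
            proto = "GDOI" if m.group(1) == "gdoi" else "G-IKEv2"
            current = GetVpnGroup(name=m.group(2), protocol=proto)
            groups.append(current)
            continue
        if not line.startswith(" "):
            current = None  # a new top-level command ends the group block
            continue
        if current is None:
            continue
        sub = line.strip()
        if sub == "server local":
            current.role = "key-server"
        elif sub.startswith("server address ipv4 "):
            current.role = "group-member"
            current.key_servers.append(sub.split()[-1])
    return groups


def is_exposed(config: str) -> bool:
    """True when the device has any GET VPN group, i.e. GDOI or G-IKEv2 is enabled."""
    return bool(parse_getvpn_groups(config))


def report(config: str) -> list[str]:
    """Human-readable finding per group, for pasting into an inventory or ticket."""
    lines = []
    for g in parse_getvpn_groups(config):
        peers = f" (key servers: {', '.join(g.key_servers)})" if g.key_servers else ""
        lines.append(f"{g.name}: {g.protocol} {g.role}{peers}")
    return lines


# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname branch-router-1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
!
crypto gdoi group GETVPN-DATA
 identity number 1234
 server address ipv4 10.0.0.1
 server address ipv4 10.0.0.2
!
crypto gkm group GETVPN-IKEV2
 identity number 5678
 server local
  rekey algorithm aes 256
  address ipv4 10.0.0.1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved from each device; any device that produces findings and runs a vulnerable release needs the fixed software. A key-server finding deserves the most attention, since administrative compromise of a key server is exactly the position the advisory describes.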

In-the-Wild Exploitation:

Despite the significant access required to exploit this vulnerability, threat actors have already begun targeting it in attacks. Cisco discovered attempted exploitation of the GET VPN feature during their internal investigation.

Immediate Action Required:

Cisco strongly recommends that customers upgrade to a fixed software release; the article describes no workaround. Given that exploitation attempts have already been seen, timely patching of every device running GET VPN is essential.

Additional Security Patch:

In addition to this vulnerability, Cisco has also released security patches for a critical vulnerability in the Security Assertion Markup Language (SAML) APIs of Catalyst SD-WAN Manager network management software. That flaw could allow a remote, unauthenticated attacker to gain unauthorised access to the application.

We urge everyone to take this threat seriously and act immediately to secure your systems. Ignoring this warning could have severe consequences for your organisation’s security.
