Cisco issued a warning to its customers on Wednesday about a zero-day vulnerability in its IOS and IOS XE software that has been targeted by attackers. The vulnerability was discovered by a member of the Cisco Advanced Security Initiatives Group (ASIG) and is related to the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature.
The vulnerability, identified as CVE-2023-20109, arises from inadequate attribute validation within the GDOI and G-IKEv2 protocols. In order for an attacker to exploit this vulnerability, they would need administrative control over either a key server or a group member, indicating that the attacker would already need to have infiltrated the environment.
According to a security advisory from Cisco, "An attacker could exploit this vulnerability by either compromising an installed key server or modifying the configuration of a group member to point to a key server that is controlled by the attacker." Successful exploitation could allow the attacker to execute arbitrary code and gain full control of the affected system, or cause the system to reload, resulting in a denial of service (DoS) condition.
The zero-day vulnerability affects all Cisco products running a vulnerable version of the IOS or IOS XE software with either the GDOI or G-IKEv2 protocol enabled. Meraki products and devices running IOS XR or NX-OS software are not affected by CVE-2023-20109.
Despite the high level of access required to exploit this vulnerability, Cisco revealed that attackers have already begun to target it. The company found evidence of attempted exploitation of the GET VPN feature, which prompted a technical code review of that feature; the vulnerability was discovered during this internal investigation.
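Because the attack path described above is either a compromised key server or a group member whose configuration has been repointed at an attacker-controlled key server, a useful defensive check is to audit each device's running-config for GDOI groups and confirm that every configured key server address is one you actually operate. The script below is an added example, not code from Cisco or from the article; it assumes the standard IOS GET VPN configuration syntax (`crypto gdoi group <name>` blocks containing `server address ipv4 <ip>` on group members and `server local` on key servers), and the running-config it parses is a constructed sample.

```python
"""Audit an IOS/IOS XE running-config for GET VPN (GDOI) exposure.

Reports whether GDOI is configured at all (the device is then in scope for
CVE-2023-20109 if it runs a vulnerable release) and flags any group member
whose key server address is not on the operator's allowlist, which is the
configuration change the attack path relies on.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample running-config (not taken from the article or a real device).
# Assumed IOS syntax: "crypto gdoi group <name>" followed by indented lines.
SAMPLE_CONFIG = """\
hostname gm-branch-1
!
crypto gdoi group GETVPN-CORP
 identity number 1234
 server address ipv4 10.0.0.1
!
crypto gdoi group GETVPN-LAB
 identity number 5678
 server address ipv4 192.0.2.77
!
crypto gdoi group KS-LOCAL
 identity number 9999
 server local
  rekey authentication mypubkey rsa GETVPN-KEY
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
"""

# Key servers the operator actually runs (constructed values).
KNOWN_KEY_SERVERS = {"10.0.0.1", "10.0.0.2"}


@dataclass
class GdoiGroup:
    name: str
    key_servers: List[str] = field(default_factory=list)  # group-member role
    is_key_server: bool = False                            # "server local" present


def parse_gdoi_groups(config: str) -> List[GdoiGroup]:
    """Extract every 'crypto gdoi group' block and its server statements."""
    groups: List[GdoiGroup] = []
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto gdoi group (\S+)", line)
        if m:
            current = GdoiGroup(name=m.group(1))
            groups.append(current)
            continue
        if current is None:
            continue
        if not line.startswith(" "):      # unindented line ends the block
            current = None
            continue
        stmt = line.strip()
        m = re.match(r"server address ipv4 (\S+)", stmt)
        if m:
            current.key_servers.append(m.group(1))
        elif stmt == "server local":
            current.is_key_server = True
    return groups


def gdoi_enabled(config: str) -> bool:
    """True if the device has any GDOI group configured (in scope for the advisory)."""
    return bool(parse_gdoi_groups(config))


def audit(config: str, allowlist) -> Tuple[List[GdoiGroup], List[str]]:
    """Return parsed groups plus findings for key servers not on the allowlist."""
    groups = parse_gdoi_groups(config)
    findings = [
        f"group {g.name}: key server {ks} not in allowlist"
        for g in groups
        for ks in g.key_servers
        if ks not in allowlist
    ]
    return groups, findings


if __name__ == "__main__":
    parsed, issues = audit(SAMPLE_CONFIG, KNOWN_KEY_SERVERS)
    print(f"GDOI configured: {gdoi_enabled(SAMPLE_CONFIG)} ({len(parsed)} groups)")
    for issue in issues:
        print("FINDING:", issue)
```

In practice the config text would come from `show running-config` collected by your configuration-management tooling; diffing the audit output over time also surfaces the exact change the advisory describes, a group member's key server address moving to an unexpected host.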
In addition to the warning, Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability. The company also issued security patches for a critical vulnerability in the Security Assertion Markup Language (SAML) APIs of the Catalyst SD-WAN Manager network management software on Wednesday. Successful exploitation of this vulnerability could enable unauthenticated attackers to remotely gain unauthorized access to the application as an arbitrary user.