On Wednesday, Cisco issued a warning to its customers, urging them to address a zero-day vulnerability in IOS and IOS XE systems, which can be exploited by malicious users.
Cisco: Prompts administrators to patch
This medium-severity vulnerability (CVE-2023-20109), uncovered by Cisco’s Advanced Security Initiatives Group (ASIG) at XB, stems from insufficient attribute validation in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature.
Fortunately, exploitation requires that the attacker already hold administrative control of either a key server or a group member. This implies that an attacker must already have breached the environment, since they would be able to observe the encrypted and authenticated communication between the key server and the group members.
Cisco, in a security advisory published on Wednesday, explained that an attacker could exploit this vulnerability either by compromising an installed key server or by altering a group member’s configuration so that it points to an attacker-controlled key server.
A successful exploit could allow the attacker to execute arbitrary code, gain full control of the affected system, or cause the system to reload, resulting in a denial of service (DoS) condition.
The zero-day flaw affects all Cisco products running a vulnerable release of IOS or IOS XE software with the GDOI protocol or G-IKEv2 enabled. Meraki products and systems running IOS XR or NX-OS software are not affected by CVE-2023-20109.
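Because exposure depends on whether GDOI or G-IKEv2 is actually configured, and the described attack path involves a group member being redirected to an attacker-controlled key server, a defender’s first step is to inventory GET VPN groups from the running configuration and compare the key-server addresses each group member registers with against the known, legitimate key servers. The following script is an added example written for this article; it is not Cisco’s code or part of the advisory. It assumes the standard IOS GET VPN configuration syntax (`crypto gdoi group <name>` stanzas, `server local` on a key server, `server address ipv4 <ip>` on a group member), and the running-config it parses is a constructed sample, not output from a real device.

```python
"""Audit an IOS/IOS XE running-config for GET VPN (GDOI) groups and key-server drift."""
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not captured from any real device).
# It contains two group-member groups (one pointing at an unexpected key
# server) and one locally hosted key-server group.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
!
crypto gdoi group GETVPN-DATA
 identity number 1234
 server address ipv4 10.10.0.5
 server address ipv4 10.10.0.6
!
crypto gdoi group GETVPN-ROGUE
 identity number 4321
 server address ipv4 198.51.100.77
!
crypto gdoi group KS-LOCAL
 identity number 9999
 server local
  rekey authentication mypubkey rsa GETVPN-KEYS
  sa ipsec 1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""


@dataclass
class GdoiGroup:
    name: str
    role: str                                   # "key-server" or "group-member"
    key_servers: list = field(default_factory=list)


def parse_gdoi_groups(config: str) -> list:
    """Return every 'crypto gdoi group' stanza with its role and key servers.

    Assumed IOS syntax: a stanza starts at an unindented 'crypto gdoi group <name>'
    line and ends at the next unindented line ('!', 'end', another top-level
    command). 'server local' marks a key server; 'server address ipv4 <ip>'
    lists the key servers a group member registers with.
    """
    groups = []
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):            # any top-level line closes an open stanza
            if current is not None:
                groups.append(current)
                current = None
            m = re.match(r"crypto gdoi group (\S+)", line)
            if m:
                current = GdoiGroup(name=m.group(1), role="group-member")
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "server local":
            current.role = "key-server"
        else:
            m = re.match(r"server address ipv4 (\S+)", stripped)
            if m:
                current.key_servers.append(m.group(1))
    if current is not None:
        groups.append(current)
    return groups


def gdoi_enabled(config: str) -> bool:
    """True when at least one GDOI group is configured (i.e. GET VPN is in use)."""
    return bool(parse_gdoi_groups(config))


def unexpected_key_servers(config: str, allowlist) -> dict:
    """Map each group-member group to the key-server addresses not in the allowlist.

    A non-empty result means a group member registers with a key server that the
    operator does not recognise, which is the configuration change described in
    the advisory's second attack path and warrants investigation.
    """
    allowed = set(allowlist)
    findings = {}
    for group in parse_gdoi_groups(config):
        if group.role != "group-member":
            continue
        rogue = [ks for ks in group.key_servers if ks not in allowed]
        if rogue:
            findings[group.name] = rogue
    return findings


if __name__ == "__main__":
    known_key_servers = ["10.10.0.5", "10.10.0.6"]   # constructed allowlist
    print("GET VPN configured:", gdoi_enabled(SAMPLE_CONFIG))
    for g in parse_gdoi_groups(SAMPLE_CONFIG):
        print(f"  {g.name}: {g.role} -> {g.key_servers}")
    print("Unexpected key servers:", unexpected_key_servers(SAMPLE_CONFIG, known_key_servers))
```

Feed the script the output of `show running-config` collected from each router; devices where `gdoi_enabled` returns False do not have the affected feature in use, while any group reported by `unexpected_key_servers` should be checked against change records before the device is upgraded.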
Despite the high level of prior access required to exploit this vulnerability, Cisco’s advisory revealed that attackers have already attempted to exploit it.
The advisory stated, “Cisco detected an attempt to exploit the GET VPN feature and conducted a thorough code review. This vulnerability came to our attention during our internal investigation.”
“Cisco emphasizes the importance of customers upgrading to a stable software release to address this vulnerability.”
On Wednesday, Cisco also released security updates addressing a critical vulnerability in the Security Assertion Markup Language (SAML) APIs of Catalyst SD-WAN Manager. If successfully exploited, this vulnerability could allow unauthenticated attackers to gain remote access to the application as an arbitrary user.