
Cisco Addresses Exploited Zero-Day Vulnerability with Patch


Unidentified threat actors have attempted to exploit a zero-day vulnerability in Cisco’s Group Encrypted Transport VPN software, a flaw that could give an attacker complete control of the targeted system. Cisco issued a security advisory on Wednesday for the out-of-bounds write vulnerability, tracked as CVE-2023-20109. It affects certain versions of Cisco IOS Software and Cisco IOS XE Software that have the Group Domain of Interpretation (GDOI) or G-IKEv2 (Group Internet Key Exchange Version 2) protocol enabled. Other Cisco products, including IOS XR Software, Meraki products, and NX-OS Software, are not vulnerable to this flaw.

The Group Encrypted Transport VPN, or GET VPN, is a mechanism for encrypting various types of traffic, including unicast and multicast, over private networks. Cisco has strongly advised users to upgrade to the fixed software version. The company observed an increase in malicious activity while auditing the affected software, which compelled it to address the issue promptly.

Cisco discovered attempted exploitation of the GET VPN feature during an internal investigation and followed up with a technical code review, which led to the discovery of the vulnerability. CVE-2023-20109 has been assigned a moderate Common Vulnerability Scoring System (CVSS) score of 6.6. Successful exploitation would allow a remote attacker to execute arbitrary code on the targeted device. The impact is mitigated to some extent by the prerequisites for exploitation: a threat actor would first need administrative control over either a group member or a key server.

Cisco believes there are two potential methods by which this vulnerability could be exploited. In the first, the attacker compromises an existing key server in order to modify the protocol exchange. In the second, the attacker stands up their own key server and reconfigures the group member to communicate with the server under their control. In both cases, the threat actor would require administrative privileges to exploit the flaw.

Cisco has published guidance to help users determine whether their devices are vulnerable. No workarounds are available to mitigate this flaw. Cisco has released software fixes and is urging customers to upgrade to the latest version to protect their systems against this vulnerability.
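Because the advisory scopes the flaw to IOS and IOS XE devices with GDOI or G-IKEv2 enabled, the first fleet-wide triage question is which devices carry a GET VPN group configuration at all, and in which role. The following helper, added here as an illustration and not Cisco's own tooling, walks a saved `show running-config` for the `crypto gdoi group` and `crypto gkm group` blocks (standard IOS GET VPN syntax) and classifies each as key server or group member; the sample configuration is constructed.

```python
# Added triage helper for CVE-2023-20109 exposure (not Cisco's own tooling).
# It walks a saved `show running-config` for `crypto gdoi group` (GDOI) and
# `crypto gkm group` (G-IKEv2) blocks and notes each group's role, so devices
# needing the fixed release can be prioritised. SAMPLE_CONFIG is constructed.
import re

GROUP_RE = re.compile(r"^crypto (gdoi|gkm) group (\S+)$")
PROTOCOL = {"gdoi": "GDOI", "gkm": "G-IKEv2"}

def find_get_vpn_groups(running_config):
    """Return (protocol, group_name, role) per GET VPN group block; role is
    'key-server' for `server local`, 'group-member' for a remote `server address`."""
    groups, current = [], None
    for line in running_config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = [PROTOCOL[m.group(1)], m.group(2), "unknown"]
            groups.append(current)
            continue
        if current is None:
            continue
        if not line.startswith(" "):   # an unindented line ends the group block
            current = None
            continue
        body = line.strip()
        if body == "server local":
            current[2] = "key-server"
        elif body.startswith("server address"):
            current[2] = "group-member"
    return [tuple(g) for g in groups]

def exposure_summary(running_config):
    # One-line verdict: is this device in scope for the advisory, and how?
    groups = find_get_vpn_groups(running_config)
    if not groups:
        return "not in scope: no GDOI/G-IKEv2 group configured"
    found = ", ".join(f"{n} ({p}, {r})" for p, n, r in groups)
    return f"in scope of CVE-2023-20109: {found}"

SAMPLE_CONFIG = """\
crypto gdoi group GETVPN-CORP
 identity number 1234
 server address ipv4 10.0.0.1
!
crypto gkm group GETVPN-IKEV2
 server local
"""

if __name__ == "__main__":
    print(exposure_summary(SAMPLE_CONFIG))
```

Run it against configuration backups collected per device; a device reporting "not in scope" still needs the normal upgrade cycle, but those in scope should be upgraded first since no workaround exists.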

This is the second zero-day vulnerability in Cisco’s software to be targeted in September. Earlier this month, the Akira ransomware group attempted to exploit a different zero-day vulnerability affecting the remote access VPN features of Cisco’s Adaptive Security Appliance and Firepower Threat Defense Software.

The increasing targeting of VPN technology by threat actors, particularly nation-state groups, has been a notable trend since the outbreak of the COVID-19 pandemic. As organizations worldwide shifted to remote work, VPNs became a critical component of their infrastructure and drew the attention of attackers. Both known vulnerabilities and zero-day flaws have since been exploited, affecting vendors including Cisco, Fortinet, and Pulse Secure.

In conclusion, the attempted exploitation of the zero-day vulnerability in Cisco’s Group Encrypted Transport VPN software raises concerns about the security of VPN technologies. It highlights the need for organizations to remain vigilant, promptly apply software updates, and adopt comprehensive security measures to protect their networks from potential threats.
