A recent vulnerability has been discovered in Cisco operating systems that could potentially allow attackers to gain full control of affected devices, execute arbitrary code, and cause denial of service (DoS) conditions. This vulnerability, known as CVE-2023-20109, has already been targeted in at least one instance of exploitation in the wild.
On September 27, Cisco released its latest semi-annual Security Advisory Bundled Publication, which outlined eight vulnerabilities affecting its IOS and IOS XE operating systems. Among these vulnerabilities was CVE-2023-20109, which received a severity score of 6.6 (“Medium”). According to Cisco’s security advisory, there has already been an attempted exploitation of this vulnerability in real-world attacks.
In response to these vulnerabilities, Cisco has released software updates to address the issue. A spokesperson for the company emphasized the importance of implementing the provided mitigation strategies and referred users to the specific security advisory for more information.
While this vulnerability should not be ignored, experts urge against panicking. Tim Silverline, the vice president of security at Gluware, notes that organizations should follow Cisco’s mitigation strategies but emphasizes that the danger posed by the vulnerability is not substantial. He explains that if a bad actor already has full access to the target environment, then the organization is already compromised, and this vulnerability is simply one potential method for exploiting that access and escalating privileges.
The specific vulnerability, CVE-2023-20109, affects Cisco’s Group Encrypted Transport VPN (GET VPN) feature. GET VPN is designed to work within unicast or multicast environments by establishing a rotating set of encryption keys shared within a group. This allows any group member to encrypt or decrypt data without requiring a direct point-to-point connection. In the case of an attacker who has already infiltrated a private network environment using GET VPN, there are two potential avenues of exploitation. The attacker can compromise the key server and manipulate packets sent to group members, or they can create and install their own key server, redirecting group members to communicate with it instead of the legitimate key server.
This discovery of vulnerabilities comes at an unfortunate time for Cisco. On the same day as the release of the semi-annual security publication, US and Japanese authorities issued a joint warning about Chinese state-sponsored Advanced Persistent Threats (APTs) that were exploiting vulnerabilities in Cisco firmware to target large multinational organizations. However, experts like Tim Silverline stress that this is not indicative of a new trend but rather a continuation of cyberattack trends witnessed in recent years. Attackers are becoming more advanced and quickly capitalizing on vulnerabilities in various technologies. Edge technologies, in particular, present an appealing starting point for attackers as they expose corporate networks to the broader internet while sometimes lacking the robust security protections of server counterparts.
To address these common issues, Silverline suggests several best practices for organizations. Network devices should never initiate outbound communications, and network automation can ensure that configurations are verified and consistently enforced across the network to prevent attacks. Additionally, audit capabilities can alert network teams to any changes or policy violations on network devices, allowing a quick reversion to previous configurations.
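As an added illustration of the audit practice just described (this is example code, not from the article, Cisco or Gluware), the following Python script parses the GET VPN group-member stanza of an IOS running-config and diffs the key servers each group trusts against an approved baseline, so that a member re-pointed at an unapproved key server, the second avenue described above, is flagged. The config fragments, group name and addresses are constructed sample values.

```python
import re

# Constructed IOS config fragments (not from the article); the second snapshot re-points the member at an unapproved key server.
BASELINE_CONFIG = """\
crypto gdoi group GETVPN-CORP
 identity number 1234
 server address ipv4 10.0.0.10
 server address ipv4 10.0.0.11
!
"""
CURRENT_CONFIG = """\
crypto gdoi group GETVPN-CORP
 identity number 1234
 server address ipv4 10.0.0.10
 server address ipv4 198.51.100.7
!
"""

GROUP_RE = re.compile(r"^crypto gdoi group (\S+)\s*$")
SERVER_RE = re.compile(r"^ server address ipv4 (\S+)\s*$")


def parse_gdoi_servers(config_text):
    """Return {group_name: set(key_server_ips)} parsed from an IOS config.
    IOS nests sub-commands under a parent line with a leading space; any
    non-indented line (including the '!' separator) closes the block."""
    groups, current = {}, None
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, set())
        elif current is None or not line.startswith(" "):
            current = None
        elif (m := SERVER_RE.match(line)):
            groups[current].add(m.group(1))
    return groups


def audit_key_servers(baseline_text, current_text):
    """Diff the key servers each group trusts against the approved baseline.
    Returns (group, 'unexpected' | 'missing', ip) tuples; 'unexpected' means the
    member now talks to a key server nobody approved, which an audit should flag."""
    base = parse_gdoi_servers(baseline_text)
    curr = parse_gdoi_servers(current_text)
    findings = []
    for group in sorted(set(base) | set(curr)):
        approved, observed = base.get(group, set()), curr.get(group, set())
        findings += [(group, "unexpected", ip) for ip in sorted(observed - approved)]
        findings += [(group, "missing", ip) for ip in sorted(approved - observed)]
    return findings
```

Feeding a real `show running-config` capture as `current_text` and a version-controlled baseline as `baseline_text` turns this into the kind of change alert the paragraph describes.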
While the discovery of vulnerabilities is a concern, organizations can protect themselves by promptly applying software updates and implementing recommended mitigation strategies. By remaining vigilant and following best practices, organizations can minimize their risk in an increasingly sophisticated threat landscape.
