Zero-Day Alert: CVE-2023-20109 – Cisco GET VPN Out-of-Bounds Write Vulnerability

CVE-2023-20109

A new vulnerability has been discovered in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software. This vulnerability, CVE-2023-20109, could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash.

At the heart of the issue is an out-of-bounds write in the GET VPN feature of Cisco IOS Software and IOS XE Software. In plain terms: an attacker who already holds administrative control of a group member or a key server can abuse the GDOI or G-IKEv2 exchange to trigger that write on an affected device, and from there either execute arbitrary code on it or crash it.

The vulnerability stems from insufficient validation of attributes exchanged by the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols, which GET VPN uses to distribute keys and policy from a key server to its group members. The castle analogy needs one adjustment: the attacker is already an authenticated member of the group, so this is not a guard who fails to check credentials, but one who waves a known visitor through without ever inspecting what they are carrying.


An attacker’s path to exploitation runs through the key server, the device that distributes keys and policy to every group member:

  1. Compromising an existing key server: the equivalent of suborning the castle’s gatekeeper and then sending whatever you like through the gate they control.
  2. Standing up a rogue key server: the attacker runs their own key server and reconfigures a group member (which itself requires administrative control of that member) to register with it, akin to a false lighthouse guiding ships astray.

Should an attacker successfully exploit this flaw, they could execute arbitrary code on the affected device, which on a router amounts to complete control of it, or induce a crash that takes the device and every tunnel it terminates offline, a classic denial of service (DoS). This is an authenticated, post-compromise vector: the attacker must already have administrative control of a group member or key server, which is why Cisco rates the severity Medium rather than Critical.

If your Cisco device runs a vulnerable release of IOS Software or IOS XE Software with the GDOI or G-IKEv2 protocol enabled, it is affected. Checking is straightforward: log in to the device and run `show running-config | include crypto gdoi|gkm group`. The `|` inside the pattern is regex alternation, so this one command matches both GDOI groups (`crypto gdoi group`) and G-IKEv2 groups (`crypto gkm group`).

The output would look something like:

Router# show running-config | include crypto gdoi|gkm group
crypto gdoi group group1
Router#


If you see output similar to the one above, the device has GDOI configured; a `crypto gkm group` line would indicate G-IKEv2 instead. Either way the device is affected and needs the fixed release. If the command returns nothing, neither protocol is configured and the device is not affected by this vulnerability.
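Running that command by hand on a handful of routers is fine; across a fleet you will want to run the same check against configuration backups. The following Python script is an added example (it is not part of the original alert and not Cisco tooling) that audits saved running-config text offline: it recognizes both `crypto gdoi group` and `crypto gkm group`, records whether each device acts as a key server (`server local`) or a group member (`server address ...`), and flags group members whose configured key server is not on an allowlist, which is how a defender can spot the second attack vector, a group member repointed at an attacker-controlled key server. The sample configurations and the allowlist are constructed for the example.

```python
"""Offline audit of Cisco IOS / IOS XE running-config text for GET VPN exposure.

Added example, not Cisco's code. Input is the text of `show running-config`
(the filtered `| include crypto gdoi|gkm group` output also works for the
exposure check). Sample configs and the allowlist are constructed, not real.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Top-level group definition: `crypto gdoi group <name>` (GDOI) or `crypto gkm group <name>` (G-IKEv2).
GROUP_RE = re.compile(r"^crypto (gdoi|gkm) group (\S+)\s*$")
# Group-member side: the key server(s) this device registers with.
KS_ADDR_RE = re.compile(r"^\s+server address (?:ipv4|ipv6) (\S+)")
# Key-server side: this device is itself a key server.
KS_LOCAL_RE = re.compile(r"^\s+server local\b")


@dataclass
class GetVpnGroup:
    protocol: str              # "gdoi" or "gkm"
    name: str
    role: str = "unknown"      # "key-server", "group-member" or "unknown"
    key_servers: list[str] = field(default_factory=list)


def parse_get_vpn_groups(config: str) -> list[GetVpnGroup]:
    """Walk the config line by line; IOS sub-commands are indented, `!` ends a block."""
    groups: list[GetVpnGroup] = []
    current: GetVpnGroup | None = None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = GetVpnGroup(protocol=m.group(1), name=m.group(2))
            groups.append(current)
            continue
        if current is None:
            continue
        if line and not line[0].isspace():
            current = None           # any non-indented line ends the group block
            continue
        if KS_LOCAL_RE.match(line):
            current.role = "key-server"
        elif (m := KS_ADDR_RE.match(line)):
            current.role = "group-member"
            current.key_servers.append(m.group(1))
    return groups


def affected(config: str) -> bool:
    """True when GDOI or G-IKEv2 is configured, i.e. the device is in scope for CVE-2023-20109."""
    return bool(parse_get_vpn_groups(config))


def rogue_key_servers(config: str, allowed: set[str]) -> list[tuple[str, str]]:
    """(group, key server) pairs where a group member points at an unsanctioned key server."""
    return [(g.name, ks)
            for g in parse_get_vpn_groups(config)
            for ks in g.key_servers if ks not in allowed]


# Constructed sample: a group member registered with two key servers, one of them unsanctioned.
GROUP_MEMBER_CONFIG = """\
crypto gdoi group group1
 identity number 1234
 server address ipv4 10.1.1.1
 server address ipv4 192.0.2.99
!
crypto gkm group gkm1
 identity number 3333
 server address ipv4 10.1.1.1
!
interface GigabitEthernet0/0
 ip address 10.1.1.10 255.255.255.0
"""

# Constructed sample: a key server (its nested `address ipv4` is not a `server address`).
KEY_SERVER_CONFIG = """\
crypto gdoi group group1
 identity number 1234
 server local
  rekey authentication mypubkey rsa ks-key
  address ipv4 10.1.1.1
!
"""

# Constructed sample: plain IKEv2/IPsec, no GET VPN at all.
NO_GETVPN_CONFIG = """\
crypto ikev2 proposal p1
 encryption aes-cbc-256
!
"""

KNOWN_KEY_SERVERS = {"10.1.1.1"}   # assumed allowlist of sanctioned key servers

if __name__ == "__main__":
    for label, cfg in [("GM-1", GROUP_MEMBER_CONFIG), ("KS-1", KEY_SERVER_CONFIG), ("R-plain", NO_GETVPN_CONFIG)]:
        print(f"{label}: affected={affected(cfg)}")
        for g in parse_get_vpn_groups(cfg):
            print(f"  {g.protocol} group {g.name}: role={g.role} key_servers={g.key_servers}")
        for name, ks in rogue_key_servers(cfg, KNOWN_KEY_SERVERS):
            print(f"  WARNING: group {name} points at unsanctioned key server {ks}")
```

Point it at the configs your backup tooling already collects. The regexes cover only the `server address ipv4/ipv6` and `server local` forms, so other key-server addressing in your profiles would need adding. Note what the allowlist check cannot do: a group member whose key server is sanctioned is still exposed if that sanctioned key server is compromised (the first vector above), and only the fixed software release closes that.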

Two primary exploitation methods have been identified, both requiring prior administrative access to the environment:

  1. Compromising an existing key server: taking over an already deployed key server and tampering with the GDOI or G-IKEv2 messages it sends to group members.
  2. Creating a rogue key server: running an attacker-controlled key server and using administrative credentials on a group member to point it at that server, so the attacker’s crafted messages reach the group member.

“Cisco discovered attempted exploitation of the GET VPN feature and conducted a technical code review of the feature. This vulnerability was discovered during our internal investigation,” the company wrote.

Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability. There are no workarounds that address the CVE-2023-20109 vulnerability.