Unknown threat actors attempted to exploit a zero-day vulnerability in the Group Encrypted Transport VPN feature of Cisco's IOS and IOS XE software that could allow an attacker to gain full control of an affected device.
Cisco detailed the out-of-bounds write vulnerability, tracked as CVE-2023-20109, in a security advisory on Wednesday. Affected Cisco products include vulnerable releases of Cisco IOS Software or Cisco IOS XE Software that have the Group Domain of Interpretation (GDOI) or G-IKEv2 protocol enabled. Cisco confirmed that IOS XR Software, Meraki products and NX-OS Software are not vulnerable.
Group Encrypted Transport (GET) VPN is used to encrypt any type of traffic, including multicast or unicast, over a private network. Cisco urged customers to upgrade to fixed software after it found the flaw during a code review that was prompted by observed exploitation attempts against the feature.
"Cisco discovered attempted exploitation of the GET VPN feature and conducted a technical code review of the feature. This vulnerability was discovered during our internal investigation," Cisco wrote in the security advisory.
CVE-2023-20109 received a CVSS score of 6.6, rated medium. While successful exploitation could allow a remote attacker to execute arbitrary code on an affected device or cause it to crash, there are caveats that lessen the threat. Cisco said a threat actor must already hold administrative control of either a GET VPN group member or a key server to exploit the flaw.
"Cisco believes this vulnerability can only be exploited in one of two ways. Both ways would require previous infiltration of the environment because communication between the group member and the key server happens over a mutually authenticated and authorized encrypted session," the advisory read.
The first technique would require the attacker to compromise an existing key server and modify the GDOI or G-IKEv2 traffic it sends to group members. Alternatively, Cisco said, an attacker could build and install their own key server and reconfigure a group member to communicate with the attacker-controlled key server. In both scenarios, the attacker needs administrative privileges on the key server or the group member before the flaw can be triggered.
Cisco's advisory includes steps to determine whether a device is vulnerable and stresses that there are no workarounds for the flaw. Software fixes have been released, and the only remediation is to upgrade to a fixed release.
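As an added illustration (not from the article or from Cisco's advisory), the following Python script triages a saved IOS or IOS XE running-config for GET VPN exposure and for the second scenario Cisco describes: a group member that has been pointed at a key server the operator does not recognize. It assumes the standard `crypto gdoi group` configuration syntax (`server local` on a key server, `server address ipv4 <ip>` on a group member); the trusted key server list and the sample configurations are constructed for the example, and the advisory's own vulnerability check should still be followed for the exact affected releases.

```python
"""Triage IOS / IOS XE running-configs for GET VPN exposure.

Added example; not Cisco's code. Assumes the standard 'crypto gdoi group'
stanza syntax. Sample configs and the trusted key server list are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: a group member whose second key server address is not
# one the operator recognizes (the rogue key server scenario).
GM_CONFIG = """\
hostname gm-branch-1
!
crypto gdoi group GETVPN-DATA
 identity number 1234
 server address ipv4 10.1.1.10
 server address ipv4 192.0.2.99
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
!
end
"""

# Constructed sample: a key server for the same group.
KS_CONFIG = """\
hostname ks-hq-1
!
crypto gdoi group GETVPN-DATA
 identity number 1234
 server local
  rekey authentication mykey rsa KSRSA
  sa ipsec 1
   profile GDOI-P
   match address ipv4 GETVPN-ACL
!
end
"""

# Constructed sample: no GET VPN configured at all.
PLAIN_CONFIG = """\
hostname edge-1
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
end
"""

# Assumed operator-maintained list of legitimate key server addresses.
TRUSTED_KEY_SERVERS: Set[str] = {"10.1.1.10", "10.1.1.11"}


@dataclass
class GdoiGroup:
    name: str
    role: str = "unknown"  # "key-server", "group-member" or "unknown"
    key_servers: List[str] = field(default_factory=list)


def parse_gdoi_groups(config: str) -> List[GdoiGroup]:
    """Extract every 'crypto gdoi group' stanza and classify its role."""
    groups: List[GdoiGroup] = []
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto gdoi group (\S+)\s*$", line)
        if m:
            current = GdoiGroup(name=m.group(1))
            groups.append(current)
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # a non-indented line ends the stanza
            continue
        body = line.strip()
        if body == "server local":
            current.role = "key-server"
        else:
            m = re.match(r"^server address ipv4 (\S+)$", body)
            if m:
                current.role = "group-member"
                current.key_servers.append(m.group(1))
    return groups


def triage(config: str, trusted: Set[str]) -> Dict[str, object]:
    """Report GDOI exposure and any key server address outside the trusted set."""
    groups = parse_gdoi_groups(config)
    findings: List[str] = []
    for g in groups:
        if g.role == "group-member":
            rogue = [ks for ks in g.key_servers if ks not in trusted]
            if rogue:
                findings.append(
                    f"group {g.name}: key server(s) not in trusted list: "
                    + ", ".join(rogue)
                )
        elif g.role == "key-server":
            findings.append(
                f"group {g.name}: device is a key server; verify it has not been tampered with"
            )
    return {
        "gdoi_enabled": bool(groups),
        "roles": sorted({g.role for g in groups}),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("group member", GM_CONFIG), ("key server", KS_CONFIG), ("plain", PLAIN_CONFIG)):
        print(label, triage(cfg, TRUSTED_KEY_SERVERS))
```

A device with no `crypto gdoi group` stanza is not exposed to this flaw; a group member is flagged when any configured key server address is missing from the trusted set, and a key server is listed so its integrity can be checked separately, since a compromised key server is the other path Cisco describes.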
CVE-2023-20109 is the second Cisco zero-day to come under attack in September. Earlier this month, Cisco disclosed the Akira ransomware group attempted to exploit a zero-day vulnerability that affected the remote access VPN features in Cisco's Adaptive Security Appliance and Firepower Threat Defense Software.
Threat actors, and specifically nation-state groups, have increasingly targeted VPN technology since the COVID-19 pandemic when many organizations shifted to remote work. Attacks have exploited both known vulnerabilities and zero days, affecting vendors such as Cisco, Fortinet and Pulse Secure.
Arielle Waldman is a Boston-based reporter covering enterprise security news.