A critical vulnerability, tracked as CVE-2023-20109, has been identified in the Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software. An authenticated, remote attacker with administrative control of either a group member or a key server can exploit this vulnerability to execute arbitrary code on an affected device, gain full control of the system, or cause the device to crash, leading to a denial of service (DoS) condition.

Details

The vulnerability arises due to insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. By compromising an installed key server or modifying the configuration of a group member to point to a malicious key server, an attacker can execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a DoS condition.

Exploit Details

To exploit this vulnerability, an attacker must first gain administrative control of either a group member or a key server. Once administrative control is achieved, the attacker can either compromise an installed key server or modify the configuration of a group member to point to a malicious key server controlled by the attacker.

The following IOS configuration fragment shows a group member whose key server address has been changed to point at an attacker-controlled key server (the address is a placeholder from the documentation range; the IOS `server address ipv4` command takes an IPv4 address, not a hostname):

! Group member configuration after modification
! 192.0.2.10 stands in for the attacker-controlled key server
crypto gdoi group example-group
 identity number 12345
 server address ipv4 192.0.2.10
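Because the exploitation path described here leaves a visible trace in the group member's running configuration (a `server address ipv4` line pointing somewhere unexpected), a defender can audit collected configs for it. The following script is an added example, not code from the advisory or from Cisco: it parses the `crypto gdoi group` stanzas of a constructed sample config and flags any key server address that is not on an allow-list (the allow-list and all addresses below are placeholders).

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config excerpt (not taken from the advisory):
# the second group has been repointed at a key server the site never authorised.
SAMPLE_CONFIG = """\
hostname gm-branch-01
!
crypto gdoi group corp-wan
 identity number 1234
 server address ipv4 10.10.0.5
 server address ipv4 10.10.0.6
!
crypto gdoi group finance-vpn
 identity number 5678
 server address ipv4 192.0.2.44
!
"""

# Placeholder allow-list: the key servers this group member is expected to use.
AUTHORISED_KEY_SERVERS = {"10.10.0.5", "10.10.0.6"}

GROUP_RE = re.compile(r"^crypto gdoi group (\S+)\s*$")
SERVER_RE = re.compile(r"^\s+server address ipv4 (\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_gdoi_groups(config: str) -> Dict[str, List[str]]:
    """Map each 'crypto gdoi group' stanza to the key server addresses it lists."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:                                   # start of a new group stanza
            current = m.group(1)
            groups[current] = []
        elif current and not line.startswith(" "):
            current = None                      # an unindented line ends the stanza
        elif current and (m := SERVER_RE.match(line)):
            groups[current].append(m.group(1))
    return groups


def find_rogue_key_servers(config: str, allowed: Set[str]) -> Dict[str, List[str]]:
    """Return each group whose configured key servers include one not on the allow-list."""
    findings: Dict[str, List[str]] = {}
    for group, servers in parse_gdoi_groups(config).items():
        unexpected = [s for s in servers if s not in allowed]
        if unexpected:
            findings[group] = unexpected
    return findings
```

Run `find_rogue_key_servers` over configs pulled by your existing backup or NetBox/Oxidized tooling; a non-empty result on a group member is a strong signal that its key server pointer was changed and warrants an incident review of who changed it and when.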

Affected Products

This vulnerability impacts Cisco IOS Software and Cisco IOS XE Software with support for GET VPN.

Solution

Cisco has released a software update to address the CVE-2023-20109 vulnerability. Customers are advised to apply the necessary updates to their affected devices to mitigate the risk of exploitation.

For detailed information on how to apply the update, please refer to the following link: Cisco IOS Software and Cisco IOS XE Software updates

Original References

- Cisco Security Advisory: CVE-2023-20109
- National Vulnerability Database (NVD): CVE-2023-20109

Conclusion

The CVE-2023-20109 vulnerability presents a significant security risk to organizations using the GET VPN feature in Cisco IOS Software and Cisco IOS XE Software. By exploiting this vulnerability, attackers can execute arbitrary code, gain full control of an affected system, or cause a denial of service (DoS) condition. It is crucial for administrators to update affected devices to protect them from potential exploitation.

Timeline

Published on: 09/27/2023 18:15:10 UTC
Last modified on: 10/05/2023 17:39:30 UTC