Arbitrary Code Execution Vulnerability in Cisco IOS Software for GET VPN
CVE-2023-20109

6.6 MEDIUM

Key Information:

Vendor: Cisco
CVE Published: 27 September 2023

Badges

Exploit Exists, CISA Reported, News Worthy

Summary

A vulnerability exists in the Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software due to inadequate validation of attributes within the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols. This weakness allows an authenticated remote attacker with administrative access to either a group member or key server to execute arbitrary code, potentially gaining full control over the affected device or causing it to crash. Attackers may exploit this vulnerability by compromising a key server or misconfiguring a group member to link to a malicious key server, which could also lead to a denial of service (DoS) condition.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Cisco IOS XE Software 3.7.0S

Cisco IOS XE Software 3.7.1S

Cisco IOS XE Software 3.7.2S

News Articles

Cisco urges to patch actively exploited IOS 0-day CVE-2023-20109

Cisco released updates for an actively exploited zero-day (CVE-2023-20109) that resides in the GET VPN feature of IOS and IOS XE software

1 year ago

CVSS V3.1

Score: 6.6
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • CISA Reported

  • Exploit known to exist

  • First article discovered by Security Affairs

  • Vulnerability published

  • Vulnerability Reserved