CVE-2023-20109
Published: 27 September 2023
Summary
CVE-2023-20109 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in the Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software. Its CVSS base score is 6.6 (Medium).
Operationally, it ranks in the top 29.2% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability sits in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software and stems from insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols. Tracked as CVE-2023-20109 with a CVSS score of 6.6, it is classified as CWE-787 (Out-of-bounds Write) and affects only devices configured for GET VPN.
Exploitation requires an authenticated, remote attacker who already holds administrative control of a GET VPN group member or key server. From that position the attacker either compromises an installed key server or changes a group member's configuration so that it registers with an attacker-controlled key server; in both cases the malformed GDOI or G-IKEv2 attributes reach the victim from the key-server side of the exchange. Successful exploitation yields arbitrary code execution with full control of the device, or a reload of the device resulting in denial of service. The administrative-access precondition is why the score is only Medium despite the RCE outcome; note, however, that a compromised key server puts every group member that registers with it within reach.
The Cisco Security Advisory at sec.cloudapps.cisco.com provides mitigation guidance and software updates. CISA's listing of the CVE in its Known Exploited Vulnerabilities catalog means there is evidence of active exploitation, which is the catalog's inclusion criterion. The current EPSS score of 0.0063 (a predicted 30-day probability of exploitation activity) is low but non-zero, consistent with a bug that needs prior administrative access.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24288
Vulnerability details
A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash. This vulnerability is due to insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. An attacker could exploit this vulnerability by either compromising an installed key server or modifying the configuration of a group member to point to a key server that is controlled by the attacker. A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a denial of service (DoS) condition. For more information, see the Details section of the Cisco advisory.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 10 October 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Cisco IOS Software and Cisco IOS XE Software devices with the GET VPN feature configured, in either the group-member or key-server role. Devices that are not configured for GET VPN are not affected.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of GDOI and G-IKEv2 protocol attributes, closing the out-of-bounds write that enables RCE or DoS. This control lives in Cisco's code, so for an operator it is satisfied by running a fixed release rather than by any configuration change.
- CM-5 (Access Restrictions for Change): restricts unauthorized changes to group-member configuration that would redirect it to an attacker-controlled key server; pairing the restriction with configuration change logging makes a redirect visible even when the restriction fails.
- SI-2 (Flaw Remediation): requires timely application of the vendor patches that eliminate the insufficient attribute validation in the GET VPN implementation.
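As an added example that is not part of this page, the Cisco advisory or Cisco's own tooling: a Python audit that takes a group member's running-config and checks for the redirect vector described in the analysis above (a `crypto gdoi group` whose `server address ipv4` entries fall outside an allowlist of known key servers) and for the CM-5 guards that would deny or log such an edit (AAA command authorization and `archive` / `log config` change logging). The two config excerpts and the allowlist are constructed for illustration; the IOS command syntax is standard GET VPN and AAA configuration.

```python
"""Audit a Cisco IOS / IOS XE running-config for the CVE-2023-20109 attack
path (a GET VPN group member re-pointed at an attacker-controlled key server)
and for the CM-5 change-control guards that would deny or log that edit.
Added example, not code from the page, the Cisco advisory or Cisco; the
configs and the allowlist below are constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed group-member config: GETVPN-LAB has been re-pointed at a key
# server outside the allowlist; no change logging, no command authorisation.
DRIFTED_CONFIG = """\
aaa new-model
!
crypto gdoi group GETVPN-CORE
 identity number 1234
 server address ipv4 10.1.1.1
 server address ipv4 10.1.1.2
!
crypto gdoi group GETVPN-LAB
 identity number 5678
 server address ipv4 198.51.100.7
!
"""

# Constructed hardened config: known key servers only, privileged commands
# authorised by TACACS+, and every configuration change logged to syslog.
HARDENED_CONFIG = """\
aaa new-model
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
!
archive
 log config
  logging enable
!
crypto gdoi group GETVPN-CORE
 identity number 1234
 server address ipv4 10.1.1.1
 server address ipv4 10.1.1.2
!
"""

KNOWN_KEY_SERVERS: Set[str] = {"10.1.1.1", "10.1.1.2"}  # assumed allowlist


def blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to the lines nested under it with one indent
    level stripped (IOS indents sub-mode commands by one space, so a second
    level keeps one leading space); '!' or a new top-level line ends a block."""
    out: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            out[current].append(raw[1:])
        elif raw and raw != "!":
            current = raw
            out.setdefault(current, [])
        else:
            current = None
    return out


def key_servers(config: str) -> Dict[str, List[str]]:
    """Group name -> key-server addresses from 'server address ipv4' lines."""
    return {
        hdr.split()[-1]: [ln.split()[-1] for ln in sub
                          if ln.startswith("server address ipv4 ")]
        for hdr, sub in blocks(config).items()
        if hdr.startswith("crypto gdoi group ")
    }


def redirected_groups(config: str, known: Set[str]) -> List[Tuple[str, str]]:
    """(group, address) pairs pointing anywhere but a known key server: the
    exact edit an admin-level attacker makes to pull the member to their own."""
    return [(g, a) for g, addrs in key_servers(config).items()
            for a in addrs if a not in known]


def has_config_change_logging(config: str) -> bool:
    """archive / log config / logging enable: a key-server swap is written to
    syslog where it can be alerted on."""
    archive = blocks(config).get("archive", [])
    return "log config" in archive and " logging enable" in archive


def has_command_authorization(config: str) -> bool:
    """AAA authorisation of privileged or config commands, so the change-control
    policy (not a shared local password) decides who may edit crypto gdoi."""
    return any(re.match(r"aaa authorization (commands \d+|config-commands)\b", h)
               for h in blocks(config))


def audit(config: str, known: Set[str] = KNOWN_KEY_SERVERS) -> Dict[str, object]:
    return {"redirected": redirected_groups(config, known),
            "config_change_logging": has_config_change_logging(config),
            "command_authorization": has_command_authorization(config)}


if __name__ == "__main__":
    for label, cfg in (("drifted", DRIFTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Run it against `show running-config` output pulled by your configuration-management tooling. A redirect shows up as a non-allowlisted address; a missing guard tells you the change would neither have been blocked nor logged. The check cannot see the other vector, a compromised legitimate key server, whose address is still on the allowlist; that side is covered only by patching the key server and applying the same change control to it.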