
Cisco warned customers on Wednesday to patch a zero-day IOS and IOS XE software vulnerability targeted by attackers in the wild.

Discovered by X. B. of the Cisco Advanced Security Initiatives Group (ASIG), this medium-severity security flaw (CVE-2023-20109) stems from inadequate attribute validation within the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature.

Luckily, successful exploitation requires that potential attackers have admin control of either a key server or a group member. This implies that the attackers have already infiltrated the environment, since all communication between the key server and group members is encrypted and authenticated.

"An attacker could exploit this vulnerability by either compromising an installed key server or modifying the configuration of a group member to point to a key server that is controlled by the attacker," Cisco explained in a security advisory published on Wednesday.

"A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a denial of service (DoS) condition."

The zero-day bug impacts all Cisco products running a vulnerable IOS or IOS XE software version with either the GDOI or G-IKEv2 protocol enabled.

Meraki products and those running IOS XR and NX-OS software are not exposed to attacks using CVE-2023-20109 exploits.
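A configuration audit covering both points above (whether GDOI or G-IKEv2 is configured, and whether a group member points at an unexpected key server) is sketched below as an added example; it is not code from Cisco or from the advisory. It assumes the standard IOS GET VPN configuration keywords (`crypto gdoi group`, `crypto gkm group`, `server address`, `server local`), which are not quoted in this article, and the sample config and the approved key server list are constructed.

```python
import re

# Constructed sample running-config for a group member (not from a real device).
SAMPLE_CONFIG = """\
hostname branch-gm-01
!
crypto gdoi group GETVPN-A
 identity number 1001
 server address ipv4 192.0.2.10
 server address ipv4 198.51.100.77
!
crypto gkm group GETVPN-B
 identity number 1002
 server address ipv4 192.0.2.11
 client protocol ikev2
!
"""

# Assumption: addresses of the key servers your organisation operates.
APPROVED_KEY_SERVERS = {"192.0.2.10", "192.0.2.11"}

GROUP_RE = re.compile(r"^crypto (gdoi|gkm) group (\S+)")
SERVER_RE = re.compile(r"^\s+server address ipv[46] (\S+)")

def audit_get_vpn(config_text, approved):
    """Return one finding per GDOI/GKM group found in an IOS running-config."""
    findings, current = [], None
    for line in config_text.splitlines():
        group = GROUP_RE.match(line)
        if group:
            current = {"group": group.group(2), "keyword": group.group(1),
                       "role": "group-member", "servers": [], "unapproved": []}
            findings.append(current)
        elif current is not None and not line.startswith(" "):
            current = None  # an unindented line ends the group's sub-config
        elif current is not None:
            server = SERVER_RE.match(line)
            if server:
                current["servers"].append(server.group(1))
                if server.group(1) not in approved:
                    current["unapproved"].append(server.group(1))
            elif line.strip() == "server local":
                current["role"] = "key-server"
    return findings

if __name__ == "__main__":
    for f in audit_get_vpn(SAMPLE_CONFIG, APPROVED_KEY_SERVERS):
        status = "REVIEW" if f["unapproved"] else "ok"
        print(f"{status}: {f['keyword']} group {f['group']} ({f['role']}) -> {f['servers']}")
```

Any group reported at all means the device has the feature configured and needs a fixed release; a `REVIEW` line additionally means the key server list differs from the approved set and the change should be traced.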

In-the-wild exploitation

Despite the extensive access to the target environment required to exploit this vulnerability successfully, the company revealed in the same advisory that threat actors have already started targeting it in attacks.

"Cisco discovered attempted exploitation of the GET VPN feature and conducted a technical code review of the feature. This vulnerability was discovered during our internal investigation," the advisory reads.

"Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."

On Wednesday, Cisco also issued security patches for a critical vulnerability in the Security Assertion Markup Language (SAML) APIs of Catalyst SD-WAN Manager network management software.

Successful exploitation would enable unauthenticated attackers to remotely gain unauthorized access to the application as an arbitrary user.
