Cisco Vulnerability Exposes Laughable Risks for Hackers

Cisco has issued a warning to its clients regarding a zero-day vulnerability in its iOS software (Internetwork Operating System) and iOS XE (Internetwork Operationing System Extended Edition), which has already become a target for hackers. The vulnerability, known as cve-2023-20109 (CVSS: 6.6), was discovered by the Cisco Advanced Security Initiatives Group (asig) and is due to insufficient testing of attributes in the Group Domain of Interpretation (GDOI) and G-IKEV2 functions of Get VPN.

Cisco IOS and iOS XE are operating systems developed by Cisco Systems for use on its network equipment, such as routers and switches. These operating systems control network functions and facilitate communication between devices on the network.

In order for the vulnerability to be exploited, potential attackers must have administrative control over the key server or a member of the group. This means that cybercriminals must already have access to the system, as all communication between the key server and group members is encrypted and authenticated.

According to Cisco, hackers can exploit the vulnerability by compromising the installed server or altering the configuration of a group member to indicate a server controlled by the attacker. Successfully exploiting the vulnerability would allow the attacker to execute arbitrary code and gain full control over the affected system or cause a system reboot, resulting in a denial of service (DOS).

This zero-day vulnerability affects all Cisco products running a vulnerable version of iOS or iOS XE with the GDOI or G-IKEV2 protocol. However, products such as MERAKI and those running on iOS XR and NX-SS are not vulnerable to this exploit.

Furthermore, Cisco has also detected attempts to exploit the Get VPN function and has conducted a technical analysis of the function’s code. As a precaution, Cisco strongly advises its clients to update to the corrected software version in order to eliminate the vulnerability.

/Reports, release notes, official announcements.