New Cisco IOS Zero-Day Delivers a Double Punch

A vulnerability affecting Cisco operating systems could enable attackers to take full control of affected devices, execute arbitrary code, and cause reloads that trigger denial of service (DoS) conditions. And at least one attempt at exploitation has already occurred in the wild.

On Sept. 27, Cisco released its latest semi-annual Security Advisory Bundled Publication. The publication detailed eight vulnerabilities affecting its IOS and IOS XE operating systems, among them CVE-2023-20109, an out-of-bounds write issue which earned a 6.6 "Medium" severity score. According to Cisco's security advisory, CVE-2023-20109 has already been the object of at least one attempted exploitation in the wild.

In a statement to Dark Reading, a Cisco spokesperson acknowledged the vulnerabilities. "Cisco has released software updates to address these vulnerabilities. Please refer to the specific security advisory for additional detail," the spokesperson wrote.

To Tim Silverline, vice president of security at Gluware, this vulnerability shouldn't be ignored, but it's also no reason to panic.

"Organizations should implement the mitigation strategies proposed by Cisco, but the danger here is not substantial. If the bad actor has full access to the target environment, then you are already compromised and this is just one way in which they could exploit those permissions to move laterally and escalate privileges," he says.

The Flaw in Cisco's VPN

CVE-2023-20109 affects Cisco's VPN feature, Group Encrypted Transport VPN (GET VPN). GET VPN works within unicast or multicast environments by establishing a rotating set of encryption keys, shared within a group, where any group member can encrypt or decrypt data without need for a direct point-to-point connection.

Should an attacker have already infiltrated a private network environment of this sort, they could exploit it in one of two ways. They can either compromise the key server and alter packets sent to group members, or they can build and install their own key server and reconfigure group members to communicate with it instead of the true key server.

A Bad Day for Cisco

On the very same day of the semi-annual security publication, US and Japanese authorities issued a joint warning about a Chinese state APT rewriting Cisco firmware in attacks against large, multinational organizations.

"This is not indicative of any new trend," Silverline states, for those of us more inclined to coincidences or conspiracies. Like any major vendor, Cisco will always have new vulnerabilities, "it just so happens that we've had two events in as many days."

But this is a continuation of cybertrends seen over the last several years, Silverline adds. "Attacks are becoming more advanced, they are being capitalized on quickly," he says. Edge technologies, in particular, are an attacker's ideal starting point, exposing corporate networks to the broader Web, while sometimes lacking the robust security protections of their server counterparts.

Silverline suggests a number of ways organizations can address common issues. "As a best practice, network devices should never be sending outbound communications. Once this is discovered, network automation capabilities can ensure that configurations are verified and implemented across the network to prevent bad actors from executing the attack," he says. "Similarly, audit capabilities can alert network teams when any change or violation of policies takes place across your network devices so that they can quickly revert the device to the previous config."