Cisco warns of attempted exploitation of zero-day in VPN software

Cisco has discovered that hackers are attempting to exploit a vulnerability affecting one of its VPN products.

The tech giant published several advisories last week about vulnerabilities, but experts homed in on one affecting the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software.

The vulnerability, tagged as CVE-2023-20109, could allow a hacker to take actions on an affected device or cause the device to crash. It carries a CVSS severity score of 6.6 out of 10 and was announced Sept. 27.

“A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a denial of service (DoS) condition,” the company said, adding that the vulnerability “can only be exploited in one of two ways” and “both ways would require previous infiltration of the environment.”

There are no workarounds for the vulnerability other than the patches provided, Cisco said.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its own warning urging companies to install the patches.

Several cybersecurity experts said that while the vulnerability was serious, a hacker would already need to be deep in an organization’s systems to exploit it — making it likely the bug would be used by those looking to escalate their access privileges in an already-compromised system.

Tim Silverline, vice president of network automation company Gluware, argued that the danger is “not substantial” because if a bad actor has full access to a target environment, then the organization is already compromised and this is just one way attackers could move laterally.

Critical Start’s Callie Guenther compared it to someone having the keys to a house, where the person could either ransack the place or lock the doors and block anyone from entering.

“The issue here is that there’s a flaw in how the VPN feature, meant to secure communications, validates certain attributes. If an attacker can exploit this flaw, by tricking the system or having control over a specific server, they could potentially take complete control of the device or shut it down, causing disruptions,” Guenther said.

While the flaw is hard to exploit, Viakoo’s John Gallagher noted that if done properly, hackers would gain full control of a router. This week, cybersecurity officials in the U.S. and Japan warned that Chinese government hackers were targeting routers made by Cisco and others in espionage attacks.

“Many organizations have poor physical security control (think of tailgating incidents) where a threat actor could gain physical access to the target environment,” Gallagher said. “Without question this vulnerability is serious and both actions to physically secure the target environment and remediate the vulnerability should be taken.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.