CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
-
A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash.
This vulnerability is due to insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. An attacker could exploit this vulnerability by either compromising an installed key server or modifying the configuration of a group member to point to a key server that is controlled by the attacker. A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a denial of service (DoS) condition. For more information, see the Details section of this advisory.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sxThis advisory is part of the September 2023 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
-
Vulnerable Products
At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software and had the GDOI or G-IKEv2 protocol enabled.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether a device is configured with the GDOI or G-IKEv2 protocol, log in to the device and use the show running-config | include crypto gdoi|gkm group command in the CLI.
The following example shows the output of the command for a device that is running Cisco IOS XE Software and is configured with the GDOI protocol:
Router# show running-config | include crypto gdoi|gkm group
crypto gdoi group group1
Router#Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- IOS XR Software
- Meraki products
- NX-OS Software
-
Cisco GET VPN is a set of features that are necessary to secure IP multicast group traffic or unicast traffic over a private WAN that originates on or flows through a Cisco IOS device. GET VPN combines the group key management protocol with IPsec encryption to provide users with an efficient method to secure IP multicast or unicast traffic.
GDOI uses Internet Key Exchange version 1 (IKEv1). G-IKEv2, which replaces GDOI, implements the Internet Key Exchange version 2 (IKEv2) protocol, thereby allowing GET VPN to derive the benefits of IKEv2.
The GDOI and G-IKEv2 protocols operate between a group member and a group controller or key server, which establishes security associations among authorized group members.
Cisco believes this vulnerability can only be exploited in one of two ways. Both ways would require previous infiltration of the environment because communication between the group member and the key server happens over a mutually authenticated and authorized encrypted session. The two ways are as follows:
- The attacker compromises the existing key server and has the ability to modify the GDOI or G-IKEv2 packets that the key server sends to the group member.
- The attacker builds and installs their own key server and reconfigures the group member to communicate with that attacker-controlled key server. Exploitation in this manner requires that the following be true:
- The attacker logs in to the group member as an authenticated administrative user who has the permissions to reconfigure the group member to point to the controlled key server.
- The controlled key server has the correct pre-shared key (PSK) and policies to communicate back to the reconfigured group member.
- The controlled key server has the ability to modify the GDOI or G-IKEv2 packets that the key server sends to the group member.
-
There are no workarounds that address this vulnerability.
-
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker. This tool identifies any Cisco security advisories that impact a specific software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities that are described in all the advisories that the Software Checker identifies (“Combined First Fixed”).
To use the tool, go to the Cisco Software Checker page and follow the instructions. Alternatively, use the following form to determine whether a release is affected by any Cisco Security Advisory. To use the form, follow these steps:
- Choose which advisories the tool will search—only this advisory, only advisories with a Critical or High Security Impact Rating (SIR), or all advisories.
- Enter a release number—for example, 15.9(3)M2 or 17.3.3.
- Click Check.
-
Cisco discovered attempted exploitation of the GET VPN feature and conducted a technical code review of the feature. This vulnerability was discovered during our internal investigation. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.
-
This vulnerability was discovered by X. B. of the Cisco Advanced Security Initiatives Group (ASIG).
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.0 Initial public release. — Final 2023-SEP-27
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.