What is Cisco GET VPN?
Group Encrypted Transport VPN (GET VPN) is a Cisco IOS and IOS XE feature that provides group-based encryption for IP traffic across a shared private WAN, typically an enterprise or service-provider MPLS network. Unlike point-to-point VPN tunnels, GET VPN distributes one shared set of keys to a group of routers using the Group Domain of Interpretation (GDOI, RFC 6407) protocol or its IKEv2-based successor G-IKEv2: Group Members (GMs) register with a central Key Server (KS), which authenticates them, pushes traffic encryption keys and security policy to the group, and later pushes rekeys. Because every member shares the same keys, any site can talk to any other without a tunnel between each pair, which is what makes GET VPN suit any-to-any MPLS WAN topologies where a full mesh of IPsec tunnels would not scale. GDOI and G-IKEv2 control messages between KS and GMs travel over UDP port 848.
Overview
CVE-2023-20109 is an out-of-bounds write (CWE-787) in the GET VPN feature of Cisco IOS and IOS XE, caused by insufficient validation of attributes in the GDOI and G-IKEv2 protocol messages that a router parses. An authenticated, remote attacker exploits it by delivering crafted GDOI or G-IKEv2 messages to an affected device, either from a compromised key server or from a key server under the attacker's control that a group member has been reconfigured to trust; a successful exploit yields arbitrary code execution on the target or a reload that denies service. Cisco published advisory cisco-sa-getvpn-rce-g8qR68sx on September 27, 2023. CISA added CVE-2023-20109 to the KEV catalog on October 10, 2023.
The CVSS 3.1 vector (AV:N/AC:H/PR:H) reflects significant preconditions: high attack complexity, and high privileges because the attacker must already control a key server or be able to change a group member's configuration. Despite these constraints, the full C:H/I:H/A:H impact reflects that successful exploitation fully compromises the targeted IOS device.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Cisco IOS | Releases with GET VPN (GDOI or G-IKEv2) configured as a key server or group member | First fixed release per Cisco advisory |
| Cisco IOS XE | Releases with GET VPN (GDOI or G-IKEv2) configured as a key server or group member | First fixed release per Cisco advisory |
A device is exposed only if GET VPN is configured: GDOI groups appear as `crypto gdoi group` and G-IKEv2 groups as `crypto gkm group` in the running configuration. Consult the Cisco advisory cisco-sa-getvpn-rce-g8qR68sx and the Cisco Software Checker it links to for version-by-version fixed releases, since IOS and IOS XE are published in many parallel release trains.
Technical Details
The out-of-bounds write (CWE-787) occurs in the code that parses GDOI and G-IKEv2 messages in IOS/IOS XE. These messages carry key-server data as attributes, encryption keys, security associations and policy parameters, each encoded as a type/length/value field that the receiving router decodes and copies into its own data structures. Cisco attributes the flaw to insufficient validation of those attributes, which is the classic shape of a CWE-787 defect:
- A message contains an attribute whose declared length or value does not match what the receiver expects
- The parser does not check the declared length against the bytes actually present, or against the size of the destination buffer, before copying
- The copy runs past the end of the buffer into adjacent memory; depending on what sits there, the result is a crash (the reload Cisco describes) or, if the attacker controls the overwritten data, code execution
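As an added example, not Cisco's code and not derived from the advisory, the following parser decodes the RFC 2408 section 3.3 data-attribute encoding that GDOI reuses for its KEK and TEK policy attributes, with the two bounds checks whose absence turns a length field into an out-of-bounds write. Attribute type numbers in the samples are placeholders rather than IANA-assigned GDOI values, and `MAX_VALUE_LEN` is an assumed destination-buffer size, not a figure from IOS. The `strict=False` path mirrors a parser that trusts the peer's length; Python slicing cannot corrupt memory, so the mismatch surfaces as a declared length larger than the bytes present instead of as an overflow.

```python
import struct
from typing import NamedTuple

# RFC 2408 section 3.3 data-attribute encoding, reused by GDOI (RFC 6407) for KEK/TEK
# policy attributes: a 2-byte type whose top bit (AF) selects the format, followed by either
# a 2-byte value (AF=1, "TV") or a 2-byte length and that many value bytes (AF=0, "TLV").
ATTR_AF_TV = 0x8000
# Size of the fixed buffer a native implementation might copy a TLV value into.
# Illustrative assumption for this example, not a value taken from Cisco's code.
MAX_VALUE_LEN = 64


class MalformedAttribute(ValueError):
    """Raised when an attribute cannot be decoded safely."""


class Attribute(NamedTuple):
    type: int
    declared_len: int   # length field as sent by the peer
    value: bytes        # bytes actually present for the attribute


def parse_attributes(payload: bytes, strict: bool = True,
                     max_value_len: int = MAX_VALUE_LEN) -> list[Attribute]:
    """Decode a run of data attributes, failing closed on any inconsistency when strict."""
    attrs: list[Attribute] = []
    off, end = 0, len(payload)
    while off < end:
        if end - off < 4:
            raise MalformedAttribute(f"truncated attribute header at offset {off}")
        type_af, length_or_value = struct.unpack_from("!HH", payload, off)
        attr_type = type_af & 0x7FFF
        if type_af & ATTR_AF_TV:                       # TV form: the value is the second 2-byte field
            attrs.append(Attribute(attr_type, 2, payload[off + 2:off + 4]))
            off += 4
            continue
        declared = length_or_value                      # TLV form: attacker-controlled length
        available = end - off - 4
        if strict:
            if declared > available:
                raise MalformedAttribute(
                    f"attribute {attr_type}: declared length {declared} exceeds {available} remaining bytes")
            if declared > max_value_len:
                raise MalformedAttribute(
                    f"attribute {attr_type}: declared length {declared} exceeds {max_value_len}-byte buffer")
        # In C this is where memcpy(dst, src, declared) overruns dst when the checks above are missing.
        attrs.append(Attribute(attr_type, declared, bytes(payload[off + 4:off + 4 + declared])))
        off += 4 + declared
    return attrs


def is_rejected(payload: bytes) -> bool:
    """True if the strict parser refuses the payload."""
    try:
        parse_attributes(payload)
    except MalformedAttribute:
        return True
    return False


def tv(attr_type: int, value: int) -> bytes:
    return struct.pack("!HH", ATTR_AF_TV | (attr_type & 0x7FFF), value)


def tlv(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value


# Constructed sample payloads; type numbers are illustrative placeholders.
WELL_FORMED = tv(1, 0x0001) + tlv(2, b"\x11" * 16)          # a 2-byte policy value and a 16-byte key
OVERSIZED = struct.pack("!HH", 2, 4000) + b"\x11" * 16      # claims 4000 bytes, only 16 follow
TOO_LONG_FOR_BUFFER = tlv(2, b"A" * 200)                    # consistent with the payload, too big for the buffer
TRUNCATED = WELL_FORMED + b"\x00\x02"                       # header cut off after 2 bytes

if __name__ == "__main__":
    for name, sample in [("WELL_FORMED", WELL_FORMED), ("OVERSIZED", OVERSIZED),
                         ("TOO_LONG_FOR_BUFFER", TOO_LONG_FOR_BUFFER), ("TRUNCATED", TRUNCATED)]:
        print(f"{name:20} strict rejects: {is_rejected(sample)}")
    trusting = parse_attributes(OVERSIZED, strict=False)[0]
    print(f"trusting parser: declared {trusting.declared_len} bytes, {len(trusting.value)} present")
```

The order of the two checks matters in a native parser: the remaining-bytes check stops an out-of-bounds read of the source, and the buffer-size check stops the out-of-bounds write into the destination; either alone leaves one side of the copy unguarded.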
The exploit preconditions follow from the GET VPN trust model, in which a group member applies whatever keys and policy its key server sends:
- Compromised Key Server: an attacker controlling a KS can send crafted GDOI or G-IKEv2 messages, for example as rekeys, to every registered GM, potentially compromising many routers in the group at once
- Rogue Key Server: an attacker with administrative access to a GM does not need to attack the legitimate KS; changing the GM's configured key-server address to a host the attacker controls is enough for that host to deliver the crafted messages when the GM registers
The AC:H rating means, by CVSS definition, that successful exploitation depends on conditions beyond the attacker's control; the advisory does not say which (memory layout, message sequencing or configuration), so any more specific claim about reliability is inference. PR:H captures the administrative control of a KS or GM that both vectors require.
Discovery
Cisco published CVE-2023-20109 in its September 27, 2023 advisory, stating that Cisco PSIRT had become aware of attempted exploitation of the GET VPN feature and found the vulnerability in the code review that followed. CISA added it to the KEV catalog thirteen days later, on October 10, consistent with CISA confirming evidence of active exploitation independently after the vendor's disclosure.
Exploitation Context
GET VPN is a specialized feature used in large enterprise and service-provider MPLS WAN environments. Exploitation of CVE-2023-20109 requires an attacker who has already compromised network infrastructure: either the key server, or a group member whose configuration can be repointed at a rogue key server. This positions it as a post-compromise lateral-movement or persistence technique rather than an initial access vector:
- An attacker who controls the KS can potentially compromise every GM that registers with it; an attacker who controls a single GM can expose that GM to a rogue KS, but the advisory describes no path from a compromised GM to the legitimate KS
- Compromised core network infrastructure is difficult to detect and provides persistent access for traffic interception, routing manipulation, and lateral movement to connected network segments
The October 2023 KEV addition confirms that the vulnerability was exploited in the wild. The Cisco advisory does not attribute the activity; describing the actors as nation-state or APT is inference from the target class (core WAN infrastructure and telecommunications), not published fact.
Remediation
- Upgrade Cisco IOS/IOS XE to a fixed release — consult Cisco advisory cisco-sa-getvpn-rce-g8qR68sx for the specific fixed release train for your IOS version; apply via standard IOS software upgrade procedures.
- Audit GET VPN group member and key server access: ensure all routers participating in GET VPN groups have strong management credentials, no unauthorized admin accounts, and restricted management-plane access (TACACS+/RADIUS-controlled). On each GM, verify that every `server address ipv4` entry under `crypto gdoi group` (or `crypto gkm group`) points at a legitimate KS, since repointing a GM at a rogue KS is one of the two documented attack paths; on the KS, compare `show crypto gdoi ks members` against the inventory of expected GMs.
- Restrict GDOI and G-IKEv2 traffic: both use UDP port 848; configure infrastructure ACLs so that UDP/848 is accepted only from known Key Servers and Group Members.
- Monitor for unexpected GET VPN activity: GDOI events are logged through syslog under the GDOI facility (messages prefixed `%GDOI-`), so registrations from unknown members, unexplained rekeys, or a GM registering with an unfamiliar KS address are signals that a device in the group may be compromised or under attack.
- Review network device management plane hardening — Cisco's Network Foundation Protection (NFP) guidelines recommend restricting management access (SSH only), deploying control plane policing (CoPP), and using AAA for all administrative access — reducing the risk of an initial management compromise that enables CVE-2023-20109 exploitation.
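To turn the configuration checks above into something repeatable across a fleet, here is an added audit script (example code, not a Cisco tool) that reads an exported running-config, determines whether the device is a GDOI or G-IKEv2 key server or group member, flags any GM whose configured key server is outside a trusted set (the rogue-KS vector), and verifies that the named infrastructure ACL admits UDP/848 only from those key servers. The config excerpts are constructed for this example; `203.0.113.7` is a documentation address standing in for an attacker-controlled host, and the trusted KS addresses are assumptions.

```python
import re
from dataclasses import dataclass, field

GDOI_PORT = 848  # UDP port for GDOI and G-IKEv2 control traffic


@dataclass
class GetVpnGroup:
    name: str
    protocol: str                        # "gdoi" (GDOI) or "gkm" (G-IKEv2)
    role: str = "unconfigured"           # "key-server" or "group-member" once a sub-command decides it
    servers: list[str] = field(default_factory=list)   # KS addresses a GM registers with


def parse_getvpn_groups(config: str) -> dict[str, GetVpnGroup]:
    """Find GET VPN group blocks and work out whether this device is a KS or a GM."""
    groups: dict[str, GetVpnGroup] = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):                     # any top-level command ends the current block
            m = re.match(r"crypto (gdoi|gkm) group (\S+)\s*$", line)
            current = GetVpnGroup(m.group(2), m.group(1)) if m else None
            if current:
                groups[current.name] = current
            continue
        if current is None:
            continue
        body = line.strip()
        if body == "server local":                       # this router runs the key server
            current.role = "key-server"
        else:
            m = re.match(r"server address ipv4 (\S+)\s*$", body)
            if m:                                        # this router is a GM registering with that KS
                current.role = "group-member"
                current.servers.append(m.group(1))
    return groups


def gdoi_acl_sources(config: str, acl_name: str) -> tuple[set[str], bool]:
    """Hosts an extended ACL lets send UDP/848, and whether it explicitly denies everyone else."""
    permitted: set[str] = set()
    denies_rest = False
    in_acl = False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_acl = line.strip() == f"ip access-list extended {acl_name}"
            continue
        if not in_acl:
            continue
        body = line.strip()
        m = re.match(r"permit udp host (\S+) any eq (\d+)$", body)
        if m and int(m.group(2)) == GDOI_PORT:
            permitted.add(m.group(1))
        elif body == f"deny udp any any eq {GDOI_PORT}":
            denies_rest = True
    return permitted, denies_rest


def audit(config: str, trusted_ks: set[str], acl_name: str) -> list[str]:
    """Findings relevant to CVE-2023-20109 exposure; an empty list means nothing to flag."""
    groups = parse_getvpn_groups(config)
    if not groups:
        return []                                        # no GET VPN configured: vulnerable code path unused
    findings = []
    permitted, denies_rest = gdoi_acl_sources(config, acl_name)
    for g in groups.values():
        if g.role == "group-member":
            for ks in g.servers:
                if ks not in trusted_ks:                 # rogue-KS vector: GM repointed at an untrusted KS
                    findings.append(f"group {g.name}: GM registers with key server {ks}, not in the trusted set")
                if ks not in permitted:
                    findings.append(f"group {g.name}: ACL {acl_name} does not permit UDP/{GDOI_PORT} from KS {ks}")
        elif g.role == "key-server":
            findings.append(f"group {g.name}: this device is a {g.protocol} key server; "
                            f"its compromise exposes every registered GM, patch and harden it first")
    if not denies_rest:
        findings.append(f"ACL {acl_name}: no explicit deny for UDP/{GDOI_PORT} from other sources")
    return findings


# Constructed running-config excerpts, not captured from real devices.
GM_CONFIG = """\
hostname branch-gm1
!
crypto gdoi group GETVPN-WAN
 identity number 1234
 server address ipv4 10.0.0.10
 server address ipv4 10.0.0.11
!
ip access-list extended INFRA-ACL
 permit udp host 10.0.0.10 any eq 848
 permit udp host 10.0.0.11 any eq 848
 deny udp any any eq 848
 permit ip any any
"""
# The same GM after an attacker with admin access repoints its secondary KS at a host they control.
TAMPERED_GM_CONFIG = GM_CONFIG.replace("server address ipv4 10.0.0.11", "server address ipv4 203.0.113.7")
KS_CONFIG = """\
hostname ks1
!
crypto gdoi group GETVPN-WAN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-KEY
  address ipv4 10.0.0.10
"""
TRUSTED_KS = {"10.0.0.10", "10.0.0.11"}   # assumed inventory of legitimate key servers

if __name__ == "__main__":
    for label, cfg in [("GM", GM_CONFIG), ("tampered GM", TAMPERED_GM_CONFIG), ("KS", KS_CONFIG)]:
        print(f"{label}: {audit(cfg, TRUSTED_KS, 'INFRA-ACL') or ['clean']}")
```

Run it against configs pulled by your existing backup tooling; the tampered sample produces two findings, one for the untrusted KS address and one because the ACL never admitted that address, which is exactly the combination an attacker repointing a GM would create.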
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-20109 |
| Vendor / Product | Cisco — IOS and IOS XE |
| NVD Published | 2023-09-27 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 6.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | MEDIUM |
| CWE | CWE-787 |
| CISA KEV Added | 2023-10-10 |
| CISA KEV Deadline | 2023-10-31 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-09-27 | Cisco publishes advisory cisco-sa-getvpn-rce-g8qR68sx disclosing CVE-2023-20109; CVE formally published |
| 2023-10-10 | CISA adds CVE-2023-20109 to the Known Exploited Vulnerabilities catalog — thirteen days after Cisco's advisory |
| 2023-10-31 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory — cisco-sa-getvpn-rce-g8qR68sx | Vendor Advisory |
| NVD — CVE-2023-20109 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |