Cisco IOS GET VPN Encryption Policy Bypass Vulnerability

A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS could allow traffic to bypass the configured encryption policy.

The vulnerability is due to the default, implicit policies set in place to permit Group Domain of Interpretation (GDOI) traffic to flow unencrypted to allow the GET VPN group members (GMs) to communicate with the GET VPN key servers (KSs). Only transit or to the device traffic using UDP as the transport protocol and port 848 as either the source or destination will bypass the user-defined encryption policies.

Cisco has confirmed this vulnerability in a security notice; however, software updates are not available.

To exploit this vulnerability the attacker would likely need access to trusted, internal networks in which the targeted device may reside. Depending on the network configuration, such systems are typically placed behind network security devices, such as firewalls.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.