Cisco AnyConnect VPN 0-day exploit publicly available

A few hours ago, Cisco disclosed a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software. In addition, proof-of-concept attack code is publicly available, as the vendor acknowledged.


The Cisco AnyConnect Secure Mobility Client enables remote employees to access the corporate network seamlessly from any device, anytime and anywhere. Cisco promises highly secure access that also protects the company.

Vulnerability CVE-2020-3556

Cisco published this security advisory on November 4, 2020, which my colleagues at Bleeping Computer became aware of. The vulnerability CVE-2020-3556 exists in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client software. The weakness is due to a lack of authentication on the IPC listener.

An attacker could exploit this vulnerability by sending crafted IPC messages to the IPC listener of the AnyConnect client. This could allow an authenticated, local attacker to induce an AnyConnect user to run a malicious script. This script would be executed with the privileges of the affected AnyConnect user.

To successfully exploit this vulnerability, the target user must have an ongoing AnyConnect session at the time of the attack. The attacker would also need valid user credentials on the system on which the AnyConnect client is running.

These Cisco products are affected

According to the security advisory, various desktop Cisco AnyConnect Secure Mobility Clients are affected by this vulnerability. The manufacturer lists the following software modules:


  • AnyConnect Secure Mobility Client for Linux
  • AnyConnect Secure Mobility Client for MacOS
  • AnyConnect Secure Mobility Client for Windows

This vulnerability does not affect the Cisco AnyConnect Secure Mobility Client for the Apple iOS and Android platforms. In addition, the affected clients must have a specific configuration for the vulnerability, rated 7.8 out of 10, to be exploitable.

Vulnerable configuration

A vulnerable configuration requires that both the Automatic Update setting and the Enable Scripting setting be enabled. The Auto Update setting is enabled by default, and the Enable Scripting setting is disabled by default.

To check these settings on the Adaptive Security Appliance (ASA), go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. For more details, see the AnyConnect Profile Editor chapter in the Cisco AnyConnect Secure Mobility Client Administrator Guide.
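
As an added example (not from Cisco or the original post), the Python sketch below checks an exported AnyConnect client profile XML for the vulnerable combination described above. It assumes the profile stores the two settings in `AutoUpdate` and `EnableScripting` elements with `true`/`false` text, and falls back to the defaults named above when an element is absent; the sample profile is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Defaults as stated above: Auto Update enabled, Enable Scripting disabled.
DEFAULTS = {"AutoUpdate": True, "EnableScripting": False}

# Constructed sample profile (element names are an assumption, see lead-in).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <EnableScripting UserControllable="false">true
      <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
    </EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""


def read_settings(profile_xml):
    """Return {'AutoUpdate': bool, 'EnableScripting': bool} for one profile."""
    settings = dict(DEFAULTS)
    for elem in ET.fromstring(profile_xml).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        # The value is the element's own text; child elements may follow it.
        value = (elem.text or "").strip().lower()
        if name in settings and value in ("true", "false"):
            settings[name] = value == "true"
    return settings


def assess(profile_xml):
    """Classify a profile against the vulnerable configuration for CVE-2020-3556."""
    s = read_settings(profile_xml)
    if s["AutoUpdate"] and s["EnableScripting"]:
        return "vulnerable configuration: Auto Update and Enable Scripting both enabled"
    if s["EnableScripting"]:
        return "not the vulnerable configuration: Auto Update disabled"
    return "not the vulnerable configuration: Enable Scripting disabled"


if __name__ == "__main__":
    # Usage: python check_profile.py profile.xml [more.xml ...]
    # With no arguments, the constructed sample is assessed instead.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:  # bytes: parser handles encoding and BOM
                print(f"{path}: {assess(fh.read())}")
    else:
        print(f"sample: {assess(SAMPLE_PROFILE)}")
```
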

No workarounds, but mitigations

There are no workarounds to fix this vulnerability. As a mitigation, Cisco suggests disabling the automatic update feature. For more details, see Disabling AnyConnect Automatic Update in the Cisco AnyConnect Secure Mobility Client Administrator Guide.

If the Auto Update feature cannot be disabled, disabling the Enable Scripting configuration setting would reduce the attack surface. For more details, see the Cisco AnyConnect Profile Editor Preferences section in the Cisco AnyConnect Secure Mobility Client Administrator Guide.

Cisco will release free software updates that address the vulnerability described in this advisory. However, the manufacturer points out that customers should expect support only for software versions and feature sets for which they have purchased a license. According to the Cisco Product Security Incident Response Team (PSIRT), the vulnerability in the Cisco AnyConnect Secure Mobility Client has not yet been exploited in the wild.

