Zero-day in Cisco AnyConnect Secure Mobility Client yet to be fixed

Cisco disclosed a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software and the availability of PoC exploit code.

Cisco has disclosed a zero-day vulnerability, tracked as CVE-2020-3556, in the Cisco AnyConnect Secure Mobility Client software with the public availability of a proof-of-concept exploit code.

The CVE-2020-3556 flaw resided in the interprocess communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local attackers to execute malicious scripts via a targeted user.

“A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.” reads the advisory published by the company.

“The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”

It affects all AnyConnect client versions for Windows, Linux, and macOS with vulnerable configurations. The IT giant confirmed that iOS and Android clients are not impacted by this flaw.

“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run.” continues the advisory.

“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled, Auto Update is enabled by default, and Enable Scripting is disabled by default.”

The issue could be exploited in presence of active AnyConnect sessions and valid credentials on the targeted device.

Unfortunately, Cisco has yet to address the arbitrary code execution flaw, a fix is expected to be included in a future AnyConnect client release.

Cisco recommends disabling the Auto Update feature to mitigate the CVE-2020-3556 flaw, no workarounds is available to address it.

Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild that have exploited the vulnerability.

The attack surface can also be drastically decreased by toggling off the Enable Scripting configuration setting on devices where it’s enabled.

The vulnerability was reported to Cisco by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).

Cisco also addressed 11 other high severity and 23 medium severity security vulnerabilities in multiple products that could be exploited to trigger a denial of service condition or to execute arbitrary code on vulnerable devices.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-3556)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.