Pierluigi Paganini May 13, 2021

Cisco has addressed a zero-day in the Cisco AnyConnect Secure Mobility Client VPN software, with publicly available proof-of-concept exploit code.

Cisco has addressed a zero-day vulnerability in Cisco AnyConnect Secure Mobility Client, tracked as CVE-2020-3556, that was disclosed in November. The availability of a proof-of-concept exploit code for the zero-day was confirmed by the Cisco Product Security Incident Response Team (PSIRT) that also added that the company is not aware of threat actors exploiting it in the wild.

The CVE-2020-3556 flaw resided in the interprocess communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local attackers to execute malicious scripts via a targeted user.

“A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.” reads the advisory published by the company in November.

“The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”

It affects all AnyConnect client versions for Windows, Linux, and macOS with vulnerable configurations. The IT giant confirmed that iOS and Android clients are not impacted by this flaw.

“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run.” continues the advisory.

“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled, Auto Update is enabled by default, and Enable Scripting is disabled by default.”

The issue could be exploited in presence of active AnyConnect sessions and valid credentials on the targeted device.

The vulnerability was reported to Cisco by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).

Cisco disclosed the zero-day bug tracked as CVE-2020-3556 in November 2020 without releasing security updates but provided mitigation measures to decrease the attack surface.

Now the IT giant fixed the issue with the release of AnyConnect Secure Mobility Client Software 4.10.00093.

Cisco’s advisory reports that:

• This vulnerability is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.
• This vulnerability is not remotely exploitable, as it requires local credentials on the end-user device for the attacker to take action on the local system.
• This vulnerability is not a privilege elevation exploit. The scripts run at the user level by default. If the local AnyConnect user manually raises the privilege of the User Interface process, the scripts would run at elevated privileges.
• This vulnerability’s CVSS score is high because, for configurations where the vulnerability is exploitable, it allows one user access to another user’s data and execution space.

In order to mitigate the flaw customers could disable the Auto Update feature or disabling the Enable Scripting configuration setting.

Please vote Security Affairs as Best Personal cybersecurity Blog
https://docs.google.com/forms/d/e/1FAIpQLSer_6yOZrL8OO6XjJ9yj3Mlq9LvuOakdTZN9ZmhkFCy1aQLdw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco AnyConnect Secure Mobility Client VPN)

[adrotate banner=”5″]

[adrotate banner=”13″]