Pierluigi Paganini
June 08, 2023
Cisco has fixed a high-severity vulnerability, tracked as CVE-2023-20178 (CVSS Score 7.8), found in Cisco Secure Client (formerly AnyConnect Secure Mobility Client) that can be exploited by low-privileged, authenticated, local attacker to escalate privileges to the SYSTEM account.
“A vulnerability in the client update feature of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.” reads the advisory published by the company.
“An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.”
The vulnerability stems from improper permissions assigned to a temporary directory that is created during the upgrade process.
Cisco Secure Client is a software platform designed to provide secure remote access to corporate networks for employees or authorized users. The Cisco Secure Client offers a range of features and functionalities to ensure secure connectivity and protect data during remote access sessions. It supports robust authentication mechanisms, encryption protocols, and network access controls to protect sensitive information and prevent unauthorized access.
The company recommends customers to upgrade to an appropriate fixed software release as indicated in the table below.
| Cisco AnyConnect Secure Mobility Client for Windows Software | First Fixed Release |
|---|---|
| 4.10 and earlier | 4.10MR7 |
| Cisco Secure Client for Windows Software | First Fixed Release |
|---|---|
| 5.0 | 5.0MR2 |
The vulnerability was discovered by Filip Dragovic, according to the advisory there are no workarounds that address the issue.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks exploiting this vulnerability in the wild.
The company pointed out that the flaw does not affect the following products:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Secure Client)
