Cisco fixes privilege escalation bug in Cisco Secure Client

Cisco addressed a high-severity flaw in Cisco Secure Client that can allow attackers to escalate privileges to the SYSTEM account.

Cisco has fixed a high-severity vulnerability, tracked as CVE-2023-20178 (CVSS Score 7.8), found in Cisco Secure Client (formerly AnyConnect Secure Mobility Client) that can be exploited by low-privileged, authenticated, local attacker to escalate privileges to the SYSTEM account.

“A vulnerability in the client update feature of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.” reads the advisory published by the company.

“An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.”

The vulnerability stems from improper permissions assigned to a temporary directory that is created during the upgrade process.

Cisco Secure Client is a software platform designed to provide secure remote access to corporate networks for employees or authorized users. The Cisco Secure Client offers a range of features and functionalities to ensure secure connectivity and protect data during remote access sessions. It supports robust authentication mechanisms, encryption protocols, and network access controls to protect sensitive information and prevent unauthorized access.

The company recommends customers to upgrade to an appropriate fixed software release as indicated in the table below.

Cisco AnyConnect Secure Mobility Client for Windows Software	First Fixed Release
4.10 and earlier	4.10MR7

Cisco Secure Client for Windows Software	First Fixed Release
5.0	5.0MR2

The vulnerability was discovered by Filip Dragovic, according to the advisory there are no workarounds that address the issue.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks exploiting this vulnerability in the wild.

The company pointed out that the flaw does not affect the following products:

Cisco AnyConnect Secure Mobility Client for Linux
Cisco AnyConnect Secure Mobility Client for MacOS
Cisco Secure Client-AnyConnect for Android
Cisco Secure Client AnyConnect VPN for iOS
Cisco Secure Client for Linux
Cisco Secure Client for MacOS

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Secure Client)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.