Pierluigi Paganini June 22, 2023

The proof-of-concept (PoC) exploit code for high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure was published online.

A security researcher has published a proof-of-concept (PoC) exploit code for the high-severity vulnerability, tracked as CVE-2023-20178 (CVSS score of 7.8), impacting Cisco AnyConnect Secure Mobility Client and Secure Client for Windows.

AnyConnect is a secure remote access VPN (Virtual Private Network) solution developed by Cisco Systems.AnyConnect is widely used by organizations to enable their employees or students to access internal resources and services from remote locations.

An attacker can trigger the vulnerability to elevate privileges to those of SYSTEM.

“A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.” reads the advisory published by the company. “This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.”

The experts pointed out that during the software update process, a temporary folder is created to store copies of files that are being modified. The operation is performed to allow a rollback operation if the case of failure of the installation process.

A threat actor can use an exploit to start an update process that creates a temporary folder, then it can trigger a rollback process. At this point, the attacker code can store malicious files in the temporary folder to achieve their execution.

Cisco credited the researcher Filip Dragovic for reporting the CVE-2023-20178, the expert also released a PoC that triggers an arbitrary file delete with System privileges.

“When a user connect to vpn, vpndownloader.exe process is started in background and it will create directory in c:\windows\temp with default permissions in following format: <random numbers>.tmp After creating this directory vpndownloader.exe will check if that directory is empty and if its not it will delete all files/directories in there. This behaviour can be abused to perform arbitrary file delete as NT Authority\SYSTEM account.” reads the description for the PoC. “Arbitrary file delete is then used to spwan system cmd process by abusing windows installer behaviour which is described in ZDI article https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks (discovered by @KLINIX5)”

The PoC has successfully worked on Secure Client version 5.0.01242 and AnyConnect Secure Mobility Client version 4.10.06079.

The Cisco PSIRT confirmed that they are not aware of any attacks in the wild exploiting this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PoC exploit)