Pierluigi Paganini March 08, 2024

Cisco addressed two high-severity vulnerabilities in Secure Client that could lead to code execution and unauthorized remote access VPN sessions.

Cisco released security patches to address two high-severity vulnerabilities in Secure Client respectively tracked as CVE-2024-20337 and CVE-2024-20338.

Cisco Secure Client is a security tool developed by Cisco that provides VPN (Virtual Private Network) access and Zero Trust Network Access (ZTNA) support along with security and monitoring capabilities.

The vulnerability CVE-2024-20337 (CVSS score 8.2) resides in the SAML authentication process of Cisco Secure Client, an unauthenticated, remote attacker can exploit the flaw to conduct a carriage return line feed (CRLF) injection attack against a user.

The root cause of the flaw is the insufficient validation of user-supplied input. An attacker can trigger this vulnerability by persuading a user to click a crafted link while establishing a VPN session.

“A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.” reads the advisory.

This flaw affects the following Cisco products if they are running a vulnerable version of the product and the VPN headend is configured with the SAML External Browser feature:

• Secure Client for Linux
• Secure Client for macOS
• Secure Client for Windows

The vulnerability CVE-2024-20338 (CVSS 7.3) resides in the ISE Posture (System Scan) module of Cisco Secure Client for Linux. An authenticated, local attacker can exploit the flaw to elevate privileges on an affected device.

“This vulnerability is due to the use of an uncontrolled search path element. An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process.” reads the advisory. “A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.”

This flaw impacts Cisco devices that are running a vulnerable release of the Cisco Secure Client for Linux and have the ISE Posture module installed.

Both vulnerabilities were discovered by Paulos Yibelo Mesfin of Amazon Security.

The Cisco PSIRT is not aware of attacks in the wild exploiting the above vulnerabilities

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)