Cisco zero-day in AnyConnect
AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features, and roaming protection) for endpoints.
The flaw could allow an attacker to cause a targeted AnyConnect user to execute a malicious script – however, in order to launch an attack a cybercriminal would need to be authenticated and on the local network.
“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack,” according to Cisco. “To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run.”
According to Cisco, the vulnerability exists in the interprocess communication (IPC) channel. IPC is a set of programming interfaces that allows a program to handle many user requests at the same time. In this case, the IPC listener lacks authentication.
“An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener,” according to Cisco. “A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”
While there are no workarounds that address this vulnerability, one mitigation is to disable the Auto Update and Enable Scripting features. That’s because a vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled. Auto Update is enabled by default, and Enable Scripting is disabled by default, said Cisco.
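A defender-side check for the condition described above, as an added example that is not from Cisco or the original article: it reads an AnyConnect profile XML and reports whether both settings are effectively enabled. It assumes the profile uses the AutoUpdate and EnableScripting elements and that a missing element takes the default the article states; the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Defaults stated in the article: Auto Update on, Enable Scripting off.
DEFAULTS = {"AutoUpdate": True, "EnableScripting": False}

def _local(tag):
    """Strip any XML namespace so '{ns}AutoUpdate' matches 'AutoUpdate'."""
    return tag.rsplit("}", 1)[-1]

def read_settings(profile_xml):
    """Return the effective value of each setting, using defaults when absent."""
    settings = dict(DEFAULTS)
    for elem in ET.fromstring(profile_xml).iter():
        name = _local(elem.tag)
        if name in settings:
            # .text is the text before any child element, e.g. 'true' in
            # <EnableScripting>true<TerminateScriptOnNextEvent>...</...>
            value = (elem.text or "").strip().lower()
            if value in ("true", "false"):
                settings[name] = value == "true"
    return settings

def is_exposed(profile_xml):
    """True only when both Auto Update and Enable Scripting are enabled."""
    s = read_settings(profile_xml)
    return s["AutoUpdate"] and s["EnableScripting"]

# Constructed sample profiles (not taken from a real deployment).
SCRIPTING_ON = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">true
      <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
    </EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

MITIGATED = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
    <EnableScripting UserControllable="false">false</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

if __name__ == "__main__":
    for label, xml in (("scripting on", SCRIPTING_ON), ("mitigated", MITIGATED)):
        print(label, read_settings(xml), "exposed" if is_exposed(xml) else "not exposed")
```

The first sample omits AutoUpdate on purpose: because that setting defaults to enabled, turning on scripting alone is enough to produce the vulnerable combination.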
Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) was credited with reporting the vulnerability.
Cisco on Wednesday issued updates for 13 other high-severity CVEs across multiple products. That includes an arbitrary code execution flaw (CVE-2020-3588) in Cisco’s Webex Meetings Desktop collaboration app, as well as three arbitrary code execution glitches (CVE-2020-3573, CVE-2020-3603, CVE-2020-3604) in its Webex Network Recording Player and Webex Player.
Flaws tied to seven CVEs were also discovered in Cisco SD-WAN, including a file creation bug (CVE-2020-26071), privilege escalation flaw (CVE-2020-26074) and denial-of-service (DoS) flaw (CVE-2020-3574).