Cisco has disclosed a zero-day vulnerability – for which there is not yet a patch – in the Windows, macOS and Linux versions of its AnyConnect Secure Mobility Client Software.
While Cisco said it is not aware of any exploits in the wild for the vulnerability, it said Proof-of-Concept (PoC) exploit code has been released, raising the risk that cybercriminals will leverage the flaw. The flaw (CVE-2020-3556) is an arbitrary code execution vulnerability with a CVSS score of 7.3 out of 10, making it high severity.
“Cisco has not released software updates that address this vulnerability,” according to Cisco’s Wednesday advisory. “Cisco plans to fix this vulnerability in a future release of Cisco AnyConnect Secure Mobility Client Software.”
AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features, and roaming protection) for endpoints.
The flaw could allow an attacker to cause a targeted AnyConnect user to execute a malicious script – however, in order to launch an attack a cybercriminal would need to be authenticated and on the local network.
“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack,” according to Cisco. “To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run.”
According to Cisco, the vulnerability exists in the interprocess communication (IPC) channel. IPC is a set of programming interfaces that lets processes exchange data and coordinate, which allows a program to handle many user requests at the same time. In this case, the IPC listener lacks authentication.
“An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener,” according to Cisco. “A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”
While there are no workarounds that address this vulnerability, one mitigation is to disable the Auto Update and Enable Scripting features. That’s because a vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled. Auto Update is enabled by default, and Enable Scripting is disabled by default, said Cisco.
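The vulnerable-configuration condition described above can be checked mechanically. The following Python audit is an added example, not code from Cisco or the original article: it reads the two settings from an AnyConnect client profile and flags the case where both are enabled, applying the defaults the article states when a setting is absent. It assumes the settings appear as `AutoUpdate` and `EnableScripting` elements in the profile XML; the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the article: Auto Update on, Enable Scripting off.
DEFAULTS = {"AutoUpdate": True, "EnableScripting": False}

def profile(body):
    """Wrap constructed settings in a minimal profile (assumed layout)."""
    return ('<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">'
            "<ClientInitialization>" + body + "</ClientInitialization>"
            "</AnyConnectProfile>")

# Constructed sample profiles, not taken from any real deployment.
RISKY = profile(
    '<AutoUpdate UserControllable="false">true</AutoUpdate>'
    '<EnableScripting UserControllable="false">true'
    "<TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>"
    "</EnableScripting>")
SCRIPTING_ONLY = profile("<EnableScripting>true</EnableScripting>")
MITIGATED = profile("<AutoUpdate>false</AutoUpdate>"
                    "<EnableScripting>false</EnableScripting>")
EMPTY = profile("")

def read_settings(profile_xml):
    """Return both settings, falling back to the default when one is absent."""
    settings = dict(DEFAULTS)
    for elem in ET.fromstring(profile_xml).iter():
        name = elem.tag.rsplit("}", 1)[-1]      # drop the XML namespace
        value = (elem.text or "").strip().lower()
        if name in settings and value in ("true", "false"):
            settings[name] = value == "true"
    return settings

def audit(profile_xml):
    """Flag the configuration the article calls vulnerable: both enabled."""
    settings = read_settings(profile_xml)
    settings["vulnerable_configuration"] = (
        settings["AutoUpdate"] and settings["EnableScripting"])
    return settings

if __name__ == "__main__":
    for label, xml in [("risky", RISKY), ("scripting only", SCRIPTING_ONLY),
                       ("mitigated", MITIGATED), ("empty", EMPTY)]:
        print(label, audit(xml))
```

A profile that turns on Enable Scripting without mentioning Auto Update is still flagged, because Auto Update is enabled by default.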
Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) was credited with reporting the vulnerability.
Cisco on Wednesday issued updates for 13 other high-severity CVEs across multiple products. That includes an arbitrary code execution flaw (CVE-2020-3588) in Cisco’s Webex Meetings Desktop collaboration app, as well as three arbitrary code execution glitches (CVE-2020-3573, CVE-2020-3603, CVE-2020-3604) in its Webex Network Recording Player and Webex Player.
Flaws tied to seven CVEs were also discovered in Cisco SD-WAN, including a file creation bug (CVE-2020-26071), privilege escalation flaw (CVE-2020-26074) and denial-of-service (DoS) flaw (CVE-2020-3574).