Cisco has fixed a six-month-old zero-day vulnerability found in the Cisco AnyConnect Secure Mobility Client VPN software, for which proof-of-concept exploit code is publicly available.
The company's AnyConnect Secure Mobility Client lets users work on corporate devices connected to a secure Virtual Private Network (VPN) over Secure Sockets Layer (SSL) and IPsec IKEv2, using VPN clients available for all major desktop and mobile platforms.
Cisco disclosed the zero-day bug, tracked as CVE-2020-3556, in November 2020 without releasing security updates, but provided mitigation measures to reduce the attack surface.
While the Cisco Product Security Incident Response Team (PSIRT) said that CVE-2020-3556 proof-of-concept exploit code is available, it also added that there is no evidence of attackers exploiting it in the wild.
The vulnerability is now addressed in Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.
These new versions also introduce new settings to individually allow or disallow scripts, help, resources, or localization updates in the local policy, settings that are strongly recommended for increased security.
Default configurations not vulnerable to attacks
This high-severity vulnerability was found in the Cisco AnyConnect Client's interprocess communication (IPC) channel, and it could allow authenticated, local attackers to execute malicious scripts via a targeted user.
CVE-2020-3556 affects all Windows, Linux, and macOS client versions with vulnerable configurations; however, mobile iOS and Android clients are not impacted.
"A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled," Cisco explains in the security advisory. "Auto Update is enabled by default, and Enable Scripting is disabled by default."
As further disclosed by the company, successful exploitation also requires active AnyConnect sessions and valid credentials on the targeted device.
Cisco added that the vulnerability:
- Is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.
- Is not remotely exploitable, as it requires local credentials on the end-user device for the attacker to take action on the local device.
- Is not a privilege elevation exploit. The scripts run at the user level by default. If the local AnyConnect user manually raises the privilege of the User Interface process, the scripts would run at elevated privileges.
- Is rated as high severity because, for configurations where the vulnerability is exploitable, it allows one user access to another user's data and execution space.
Mitigation also available
Customers who cannot immediately install the security updates released yesterday can still mitigate the vulnerability by toggling off the Auto Update feature.
The attack surface can also be reduced by disabling the Enable Scripting configuration setting on devices where it is enabled.
Cisco also provides detailed upgrade instructions for customers who have already applied the recommended workarounds or cannot upgrade to the patched releases.
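To audit a fleet against the preconditions above (Auto Update on, Enable Scripting on, client older than 4.10.00093), here is an added Python example that reads an AnyConnect VPN client profile and reports whether it matches; it is not Cisco's code or part of the article. The `AutoUpdate` and `EnableScripting` element names and the namespace are assumptions taken from the AnyConnect profile XML schema as I know it, and the sample profiles and the `4.9.06037` version string are constructed.

```python
import xml.etree.ElementTree as ET

# Element names and namespace follow the AnyConnect VPN client profile XML schema as
# I know it (an assumption); the sample profiles below are constructed, not real files.
NS = "http://schemas.xmlsoap.org/encoding/"
FIXED_VERSION = (4, 10, 93)  # 4.10.00093, the first fixed release named in the article

# Weak: Auto Update on (the default) AND Enable Scripting on (not the default).
WEAK_PROFILE = f"""<AnyConnectProfile xmlns="{NS}"><ClientInitialization>
  <AutoUpdate UserControllable="false">true</AutoUpdate>
  <EnableScripting UserControllable="false">true</EnableScripting>
</ClientInitialization></AnyConnectProfile>"""

# Hardened per the article's workarounds: Auto Update off and Enable Scripting off.
HARDENED_PROFILE = f"""<AnyConnectProfile xmlns="{NS}"><ClientInitialization>
  <AutoUpdate UserControllable="false">false</AutoUpdate>
  <EnableScripting UserControllable="false">false</EnableScripting>
</ClientInitialization></AnyConnectProfile>"""

# Neither setting present, so the client defaults apply (scripting off).
DEFAULT_PROFILE = f'<AnyConnectProfile xmlns="{NS}"><ClientInitialization/></AnyConnectProfile>'


def parse_version(version: str) -> tuple:
    """'4.10.00093' -> (4, 10, 93), so releases compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def setting_enabled(root, name: str, default: bool) -> bool:
    """Read a boolean profile element, falling back to the client's documented default."""
    element = root.find(f".//{{{NS}}}{name}")
    if element is None or element.text is None:
        return default
    return element.text.strip().lower() == "true"


def assess(profile_xml: str, client_version: str) -> dict:
    """Check one profile + client version against the CVE-2020-3556 preconditions."""
    root = ET.fromstring(profile_xml)
    auto_update = setting_enabled(root, "AutoUpdate", default=True)      # on by default
    scripting = setting_enabled(root, "EnableScripting", default=False)  # off by default
    patched = parse_version(client_version) >= FIXED_VERSION
    return {
        "auto_update": auto_update,
        "enable_scripting": scripting,
        "patched": patched,
        # Exposed only when both settings are on and the client predates the fix.
        "vulnerable": auto_update and scripting and not patched,
    }
```

A profile that sets neither element comes back not vulnerable because Enable Scripting is off by default, which is the article's point about default configurations.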
Last week, the company also fixed critical SD-WAN vManage and HyperFlex HX software security flaws that could allow remote attackers to create rogue admin accounts or execute arbitrary commands as root.