Cisco has disclosed a zero-day vulnerability, tracked as CVE-2020-3556, in the Cisco AnyConnect Secure Mobility Client software with the public availability of a proof-of-concept exploit code.
The CVE-2020-3556 flaw resided in the interprocess communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local attackers to execute malicious scripts via a targeted user.
“A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.” reads the advisory published by the company.
“The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”
It affects all AnyConnect client versions for Windows, Linux, and macOS with vulnerable configurations. The IT giant confirmed that iOS and Android clients are not impacted by this flaw.
“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run.” continues the advisory.
“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled, Auto Update is enabled by default, and Enable Scripting is disabled by default.”
The issue could be exploited in presence of active AnyConnect sessions and valid credentials on the targeted device.
Unfortunately, Cisco has yet to address the arbitrary code execution flaw, a fix is expected to be included in a future AnyConnect client release.
Cisco recommends disabling the Auto Update feature to mitigate the CVE-2020-3556 flaw, no workarounds is available to address it.
Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild that have exploited the vulnerability.
The attack surface can also be drastically decreased by toggling off the Enable Scripting configuration setting on devices where it’s enabled.
The vulnerability was reported to Cisco by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).
Cisco also addressed 11 other high severity and 23 medium severity security vulnerabilities in multiple products that could be exploited to trigger a denial of service condition or to execute arbitrary code on vulnerable devices.
(SecurityAffairs – hacking, CVE-2020-3556)