Cisco has addressed a zero-day vulnerability in Cisco AnyConnect Secure Mobility Client, tracked as CVE-2020-3556, that was disclosed in November. The availability of a proof-of-concept exploit code for the zero-day was confirmed by the Cisco Product Security Incident Response Team (PSIRT) that also added that the company is not aware of threat actors exploiting it in the wild.
The CVE-2020-3556 flaw resided in the interprocess communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local attackers to execute malicious scripts via a targeted user.
“A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.” reads the advisory published by the company in November.
“The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”
It affects all AnyConnect client versions for Windows, Linux, and macOS with vulnerable configurations. The IT giant confirmed that iOS and Android clients are not impacted by this flaw.
“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run.” continues the advisory.
“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled, Auto Update is enabled by default, and Enable Scripting is disabled by default.”
The issue could be exploited in presence of active AnyConnect sessions and valid credentials on the targeted device.
The vulnerability was reported to Cisco by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).
Cisco disclosed the zero-day bug tracked as CVE-2020-3556 in November 2020 without releasing security updates but provided mitigation measures to decrease the attack surface.
Now the IT giant fixed the issue with the release of AnyConnect Secure Mobility Client Software 4.10.00093.
Cisco’s advisory reports that:
In order to mitigate the flaw customers could disable the Auto Update feature or disabling the Enable Scripting configuration setting.
Please vote Security Affairs as Best Personal cybersecurity Blog
(SecurityAffairs – hacking, Cisco AnyConnect Secure Mobility Client VPN)