Cisco AnyConnect Windows client under active attack

Cisco says miscreants are exploiting two vulnerabilities in its AnyConnect Secure Mobility Client for Windows, which is supposed to ensure safe VPN access for remote workers.

One of the pair of flaws, tracked as CVE-2020-3433, is a privilege-escalation issue: an authenticated, local user can exploit AnyConnect to execute code with SYSTEM-level privileges. A rogue insider or malware on a PC can use this to gain total control over the system. It affects Cisco AnyConnect Secure Mobility Client for Windows releases earlier than Release 4.9.00086.

The high-severity vulnerability received a 7.8 of 10 CVSS severity score, and the good news is that the networking giant released a software patch to fix the flaw a couple of years ago. Cisco first alerted customers about this bug in August 2020, and previously warned that proof-of-concept exploit code was publicly available. Now the vendor issued a fresh warning: 

“In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.”

Presumably miscreants, once they’ve infiltrated a network, are abusing this software to gain full control over the PCs of AnyConnect users.

The second Cisco vulnerability, tracked as CVE-2020-3153, is in the installer component of the AnyConnect Secure Mobility Client for Windows, and it also requires a logged-in user or malware on a system to exploit. It’s considered a medium-severity bug, with a 6.5 CVSS score, but considering both Ciso and CISA are aware of in-the-wild exploits, we’d suggest giving it high-priority patching.

This one is due to the incorrect handling of directory paths, and an authenticated user could exploit the bug to have their own code copied to a system directory and run with high privileges, allowing them to commandeer the PC, we’re told.

Software releases 4.8.02042 and earlier are vulnerable, and all of the more recent versions of the product contained the fix.

A day before the vendor released its own security update, the US Cybersecurity and Infrastructure Agency (CISA) added both of the Cisco AnyConnect Secure Mobility Client for Windows bugs to its Known Exploited Vulnerabilities Catalog.

In total, Cisco pushed 18 security updates so far this month, with six ranked as “high” severity and the rest “medium.” ®

PS: VMware Cloud Foundation contains a critical remote code execution vulnerability (CVE-2021-39144) via the XStream open source library it imports. Updates are said to be available to close this hole.

Leave a Reply

Your email address will not be published.