A public exploit has been released for CVE-2023-20178, a patched local privilege escalation vulnerability in the Cisco AnyConnect Secure Mobility Client and Cisco Secure Client applications for Windows, and it has raised concerns among security experts. The exploit lets an attacker who can already run code on a victim's machine as a standard user elevate to SYSTEM and take full control of it.
The Cisco Secure Client for Windows, formerly known as Cisco AnyConnect Secure Mobility Client, is widely used in enterprises as it integrates with various Cisco endpoint security and management platforms. However, this popularity has also made it a target for attackers.
In October 2022, Cisco updated its advisories for two older privilege escalation vulnerabilities in the AnyConnect client, CVE-2020-3433 and CVE-2020-3153, both patched in 2020, to warn customers that they were being exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) added both to its Known Exploited Vulnerabilities Catalog, which obliges federal civilian agencies to patch them by a set deadline.
Local privilege escalation vulnerabilities are usually rated high rather than critical, because an attacker must already be able to execute code on the system, but they still pose a serious threat. Employees using the Cisco AnyConnect client on company-issued computers typically do not have administrator rights, so if an attacker tricks a user into running a malicious program, that code runs with the user's limited privileges. Stealing the user's own data may still be possible, but disabling security controls, installing persistent malware or harvesting credentials to reach other systems generally requires elevated privileges, which is exactly what a bug like this provides.
The recently patched vulnerability, tracked as CVE-2023-20178, lies in the client update mechanism of Cisco AnyConnect Secure Mobility Client and Cisco Secure Client for Windows. When a user establishes a VPN connection, the client starts a helper process, vpndownloader.exe, which creates a working directory under C:\Windows\Temp and deletes any files it finds there. Those deletes run as NT AUTHORITY\SYSTEM, the most privileged account on Windows, while the directory itself can be written to by a standard user. An attacker can therefore plant links inside it (a directory junction or symbolic link pointing at a file elsewhere on disk) so that the privileged cleanup deletes a file of the attacker's choosing, turning the bug into an arbitrary file delete.
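The pattern behind the bug, as an added illustration that is not Cisco's code or the published exploit: a privileged cleanup routine that traverses whatever it finds in a user-writable staging directory, beside a version that refuses to follow links. The example is written in Python so it runs anywhere; a POSIX symbolic link stands in for the NTFS junction or symbolic link an attacker would plant on Windows, and the directory names, file names and the simulate_attack helper are constructed for the demonstration.

```python
import os
import stat
import tempfile


def vulnerable_cleanup(staging_dir):
    """Cleanup in the style of the flawed logic described above (constructed
    illustration, not Cisco's code): walk the directory and delete whatever is
    inside. os.path.isdir() follows links, so a link planted in the staging
    directory by a low-privileged user makes the privileged deletes land
    wherever the link points."""
    for name in os.listdir(staging_dir):
        path = os.path.join(staging_dir, name)
        if os.path.isdir(path):            # also True for a link to a directory
            vulnerable_cleanup(path)       # recurses *through* the link
            try:
                os.rmdir(path)             # fails on the link itself; ignored
            except OSError:
                pass
        else:
            os.remove(path)                # path may traverse a planted link


def _is_link(st):
    """True for a POSIX symlink or, on Windows, any reparse point (junctions are
    reparse points but S_ISLNK does not report them)."""
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def hardened_cleanup(staging_dir):
    """Same job, but never traverses a link: lstat() inspects the entry itself,
    a link is removed rather than followed, and only real subdirectories are
    recursed into."""
    for name in os.listdir(staging_dir):
        path = os.path.join(staging_dir, name)
        st = os.lstat(path)
        if _is_link(st):
            try:
                os.unlink(path)            # removes the link, not its target
            except OSError:
                os.rmdir(path)             # Windows removes directory links this way
        elif stat.S_ISDIR(st.st_mode):
            hardened_cleanup(path)
            os.rmdir(path)
        else:
            os.remove(path)


def simulate_attack(cleanup):
    """Constructed scenario: a 'protected' file the low-privileged user cannot
    touch, a staging directory the user CAN write to, and a planted link in it
    pointing at the protected directory. Run the privileged cleanup and report
    whether the protected file survived."""
    with tempfile.TemporaryDirectory() as root:
        victim_dir = os.path.join(root, "protected")
        os.mkdir(victim_dir)
        victim_file = os.path.join(victim_dir, "important.dll")
        with open(victim_file, "w") as f:
            f.write("not for deletion\n")

        staging = os.path.join(root, "staging")
        os.mkdir(staging)
        # The attacker's move: a link inside the writable staging directory
        # that points at a directory they have no rights to modify.
        os.symlink(victim_dir, os.path.join(staging, "planted"))

        cleanup(staging)
        return os.path.exists(victim_file)


if __name__ == "__main__":
    print("vulnerable cleanup left the file intact:", simulate_attack(vulnerable_cleanup))
    print("hardened cleanup left the file intact:  ", simulate_attack(hardened_cleanup))
```

Even hardened_cleanup has a window between lstat() and the delete in which an attacker could swap a real directory for a link. The robust fix, and the root cause Cisco's advisory names, is to create the staging directory with permissions that do not let a standard user write into it at all (tempfile.mkdtemp() does that on POSIX; on Windows it means an explicit restrictive DACL on the directory), so that no link can be planted in the first place.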
Turning an arbitrary file delete into SYSTEM-level code execution is a documented technique: researchers from Trend Micro's Zero Day Initiative described in 2022 how it can be done by abusing a little-known feature of the Windows Installer service, the rollback handling it performs when an installation fails. ZDI credited the technique to researcher Abdelhamid Naceri, who used it to exploit a similar vulnerability in the Windows User Profile Service.
A public exploit for CVE-2023-20178 has now been released, prompting Cisco to update its advisory and urge customers to upgrade Cisco AnyConnect Secure Mobility Client for Windows to version 4.10MR7 (4.10.07061) or later and Cisco Secure Client for Windows to version 5.0MR2 (5.0.02075) or later.
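A triage check for the fixed versions above, added here as an example and not Cisco's tooling: it parses the dotted build numbers the advisory uses and reports which hosts in an inventory are still on a vulnerable build. The branch rule (4.x builds need 4.10.07061 or later, 5.x builds need 5.0.02075 or later) follows the advisory as quoted on this page; the host names and versions in SAMPLE_INVENTORY are constructed.

```python
import re

# Fixed releases from Cisco's advisory, as quoted on this page.
FIXED_ANYCONNECT_4 = (4, 10, 7061)    # 4.10MR7
FIXED_SECURE_CLIENT_5 = (5, 0, 2075)  # 5.0MR2

# Constructed inventory, e.g. as exported from an endpoint management tool:
# (hostname, DisplayVersion of the installed client).
SAMPLE_INVENTORY = [
    ("ws-001", "4.10.06079"),
    ("ws-002", "4.10.07061"),
    ("ws-003", "5.0.01242"),
    ("ws-004", "5.0.02075"),
    ("ws-005", "4.9.06037"),
]


def parse_version(text):
    """Turn a version string such as '4.10.07061' into a comparable tuple
    (4, 10, 7061). Leading zeros in the build number are not significant."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True if this build is at or past the fixed release for its branch.
    Everything before 5.0 (including older 4.x lines) is measured against
    4.10.07061; 5.x builds are measured against 5.0.02075."""
    v = parse_version(version)
    threshold = FIXED_SECURE_CLIENT_5 if v[0] >= 5 else FIXED_ANYCONNECT_4
    return v >= threshold


def triage(inventory):
    """Given (hostname, version) pairs, return the hosts that still need the
    upgrade, sorted for stable reporting."""
    return sorted(host for host, ver in inventory if not is_fixed(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable build, upgrade required")
```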
The availability of an easy-to-use exploit for a vulnerability that is already patched raises the odds that attackers who gain an initial foothold on a workstation will use it to take the machine over completely. Organizations running the affected clients should upgrade to the fixed versions without waiting for signs of exploitation, and treat any endpoint on which an untrusted user can run code as exposed until they do.

