
Cisco AnyConnect, Secure Client vulnerability (CVE-2023-20178) PoC exploit revealed


A high-severity vulnerability in Cisco Secure Client Software for Windows and Cisco AnyConnect Secure Mobility Client Software for Windows has become a cause for concern now that proof-of-concept (PoC) exploit code for it has been published. The vulnerability, tracked as CVE-2023-20178, was first disclosed in a Cisco security advisory at the beginning of June.

Cisco Secure Client Software, formerly known as Cisco AnyConnect Secure Mobility Client, is a unified endpoint security software that enables businesses to expand their network access capabilities and allows remote employees to connect through both wired and wireless connections, including VPN.

The vulnerability arises from improper permissions assigned to a temporary directory created during the client update process. Exploiting this vulnerability involves abusing a specific function of the Windows installer process. If successfully exploited, an attacker could execute code with SYSTEM privileges, giving them significant control over the system.

The discovery of this vulnerability is credited to security researcher Filip Dragović, who has worked diligently to bring attention to its severity. Unfortunately, there are no workarounds for this issue, and users are strongly advised to update their software as soon as possible. The recommended updates are either AnyConnect Secure Mobility Client for Windows 4.10MR7 or Cisco Secure Client Software for Windows 5.0MR2.

It is important to note that this particular vulnerability does not affect Cisco AnyConnect Secure Mobility Client or Cisco Secure Client for Linux and macOS, nor Cisco Secure Client-AnyConnect for Android and iOS. Users of the Windows versions, however, should remain vigilant and take immediate action to patch their systems.

Recently, Dragović published a proof-of-concept (PoC) exploit for this vulnerability. The PoC was tested on Cisco Secure Client 5.0.01242 and Cisco AnyConnect 4.10.06079. In his write-up, Dragović explained that when a user connects to a VPN, a process called “vpndownloader.exe” is started in the background. This process creates a directory under “c:\windows\temp” with default permissions. By manipulating this directory, an attacker can perform arbitrary file deletes under the “NT Authority\SYSTEM” account, which allows them to escalate their privileges and gain further control over the system.
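The weakness described above is a temporary directory under C:\Windows\Temp whose ACL lets a low-privileged user tamper with what SYSTEM does in it. The following PowerShell audit is an added example written for this article, not code from Cisco or from the researcher: it lists directories under C:\Windows\Temp that grant low-privileged principals create/delete rights, and reports the installed client version so it can be compared with the fixed releases named above (4.10MR7 and 5.0MR2). It assumes it is run as a local administrator on an English Windows install, and the principal list is a hypothetical choice of what a hardened temp directory should not grant.

```powershell
# Added audit example for CVE-2023-20178 style temp-directory ACL weaknesses.
# Assumptions: run elevated; English principal names; the list of
# low-privileged principals below is a hypothetical, editable choice.
$TempRoot = 'C:\Windows\Temp'
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a principal create, delete or rename entries in a directory.
$RiskyRights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::WriteData -bor
    [System.Security.AccessControl.FileSystemRights]::AppendData

function Get-WeakTempDirectoryAcl {
    # Emits one record per (directory, principal) pair where a low-privileged
    # principal holds an Allow ACE containing any of the risky rights.
    param([string]$Root = $TempRoot)
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $RiskyRights) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Owner     = $acl.Owner
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-CiscoClientVersion {
    # Reads the installed AnyConnect / Secure Client version from the Uninstall
    # registry keys so it can be compared by hand with the fixed releases.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Cisco (AnyConnect|Secure Client)' } |
        Select-Object DisplayName, DisplayVersion
}

Get-CiscoClientVersion | Format-Table -AutoSize
Get-WeakTempDirectoryAcl | Format-Table -AutoSize
```

Run the ACL audit while a VPN connection or client update is in progress, since the directory the article describes only exists while vpndownloader.exe is active; an empty result outside that window does not prove the system is patched, so rely on the version check for that.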

While the vulnerability itself is quite serious, it is worth noting that exploiting it requires a certain level of access to the target system. Attackers must first find a way to gain access through other means before they can fully exploit this vulnerability and elevate their privileges.

The release of the PoC exploit raises concerns about the potential for malicious actors to take advantage of this vulnerability. Cybersecurity experts are urging Cisco Secure Client Software and Cisco AnyConnect Secure Mobility Client Software users to update their systems immediately to protect themselves from potential attacks.

Taking a proactive approach to cybersecurity is crucial in today’s digital landscape. Promptly updating software and staying informed about potential vulnerabilities can help individuals and businesses stay one step ahead of cyber threats. Additionally, working closely with security researchers like Dragović can aid in the discovery and resolution of vulnerabilities, strengthening the overall security of software systems.
