A proof-of-concept (POC) exploit for a recently patched security vulnerability in Cisco’s client software has been released by a security researcher. This vulnerability, labeled CVE-2023-20178, is a high-severity bug that affects the Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. It allows authenticated attackers to escalate privileges to SYSTEM level without any user interaction.
Cisco issued a patch advisory earlier this month, explaining the vulnerability and its potential impact. The advisory stated that “a vulnerability in the client update process could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.” The client update process occurs after a successful VPN connection is established.
The security researcher, Filip Dragović, discovered the flaw and reported it to Cisco. He recently released an exploit on GitHub that takes advantage of the vulnerability. The exploit leverages a process called “vpndownloader.exe,” which runs in the background when a user connects to a VPN using the Cisco Secure or AnyConnect software.
Dragović provided insight into how the exploit works, stating, “It will create a directory in c:\windows\temp with default permissions. After creating this directory, vpndownloader.exe will check if that directory is empty, and if it’s not, it will delete all files/directories in there. This behavior can be abused to perform arbitrary file delete as NT Authority\SYSTEM account.”
Once arbitrary file deletion as SYSTEM is available, attackers can chain it with a known technique that abuses Windows Installer behavior to obtain a SYSTEM shell, completing the privilege escalation. This could lead to a complete takeover of the affected system.
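From a detection standpoint, the abuse pattern described above has a recognisable shape: a low-privileged user writes into a directory under C:\Windows\Temp, and shortly afterwards vpndownloader.exe, running as SYSTEM, deletes files inside that same directory. The following is an added example (not from the article, Cisco, or the researcher) that runs that correlation over Sysmon-style file create (ID 11) and file delete (ID 23) events; the dictionary field names are an assumed simplification of Sysmon's fields, and all sample events and paths (including `updatedir`) are constructed.

```python
"""Correlate low-privileged writes under C:\\Windows\\Temp with SYSTEM deletions
by vpndownloader.exe. Added detection example; event shape is an assumed
flattening of Sysmon FileCreate (11) / FileDelete (23) records."""
from pathlib import PureWindowsPath

TEMP_ROOT = PureWindowsPath(r"C:\Windows\Temp")
UPDATER = "vpndownloader.exe"
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Constructed install path; real path varies by product and version.
UPDATER_IMAGE = r"C:\Program Files (x86)\Cisco\Client\vpndownloader.exe"

# Constructed sample events, in time order.
SAMPLE_EVENTS = [
    {"id": 11, "image": UPDATER_IMAGE, "user": SYSTEM_USER,
     "target": r"C:\Windows\Temp\updatedir"},                 # updater makes dir
    {"id": 11, "image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\lowpriv",
     "target": r"C:\Windows\Temp\updatedir\planted.txt"},     # low-priv write
    {"id": 23, "image": UPDATER_IMAGE, "user": SYSTEM_USER,
     "target": r"C:\Windows\Temp\updatedir\planted.txt"},     # SYSTEM cleanup
    {"id": 23, "image": UPDATER_IMAGE, "user": SYSTEM_USER,
     "target": r"C:\Windows\Temp\otherdir\cache.tmp"},        # benign cleanup
]

def under_temp(path: PureWindowsPath) -> bool:
    """True if path lies below C:\\Windows\\Temp (case-insensitive)."""
    try:
        path.relative_to(TEMP_ROOT)
        return True
    except ValueError:
        return False

def planted_dirs(events):
    """Directories under Temp that a non-SYSTEM principal created files in."""
    dirs = set()
    for e in events:
        if e["id"] == 11 and e["user"].upper() != SYSTEM_USER.upper():
            p = PureWindowsPath(e["target"])
            if under_temp(p):
                dirs.add(p.parent)
    return dirs

def suspicious_deletes(events):
    """SYSTEM deletions by vpndownloader.exe inside a low-priv-touched dir."""
    dirs = planted_dirs(events)
    alerts = []
    for e in events:
        if e["id"] != 23 or e["user"].upper() != SYSTEM_USER.upper():
            continue
        if PureWindowsPath(e["image"]).name.lower() != UPDATER:
            continue
        target = PureWindowsPath(e["target"])
        # Any ancestor directory written by a low-privileged user makes this
        # SYSTEM-level deletion a candidate abuse of the cleanup step.
        if under_temp(target) and any(par in dirs for par in target.parents):
            alerts.append(str(target))
    return alerts

if __name__ == "__main__":
    for path in suspicious_deletes(SAMPLE_EVENTS):
        print("ALERT: SYSTEM deletion in user-writable Temp dir:", path)
```

On a real host the events would come from the Sysmon operational log rather than an inline list; the correlation is the same.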
Organizations are strongly advised to apply the patch immediately. While no known exploitations have been reported at the time of the patch release, it is expected that cyber attackers will quickly seize the opportunity now that a proof-of-concept exploit is available. The researcher states that the exploitation process is relatively straightforward, and the Cisco client software has a history of being targeted by cyber attackers who aim to compromise data-rich VPN sessions.
It is crucial for organizations to prioritize the security of their remote workforce by keeping their clients up to date with the latest patches and security measures. This includes promptly applying patches and conducting regular security audits to identify and mitigate any vulnerabilities.
By staying vigilant and proactively addressing security risks, organizations can ensure the safe and secure operation of their remote workforce. Taking these measures can help protect sensitive data and prevent potential unauthorized access by attackers seeking to exploit vulnerabilities in VPN software.