Security Experts:

Cisco Working on Patch for Code Execution Vulnerability in VPN Product

Cisco informed customers on Wednesday that it’s working on a patch for a code execution vulnerability affecting its AnyConnect product. The company says a proof-of-concept (PoC) exploit is available.

The Cisco AnyConnect Secure Mobility Client is designed to provide secure VPN access for remote workers.

According to the networking giant, the product is affected by a flaw, tracked as CVE-2020-3556, that can be exploited by a local, authenticated attacker to cause an AnyConnect user to execute a malicious script.

The vulnerability is related to the lack of authentication for the interprocess communication (IPC) listener. The Linux, Windows and macOS versions of the AnyConnect Secure Mobility Client are affected if both the Auto Update and Enable Scripting settings are enabled. The latter is disabled by default.

“An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user,” Cisco said in its advisory.

“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run,” it added.

There are no workarounds for the vulnerability, but concerned users can disable the Auto Update or Enable Scripting settings to prevent exploitation. The company has decided to disclose it as it has become aware of the availability of a PoC exploit, but says it’s not aware of any attacks exploiting the flaw.

Gerbert Roitburd from the Secure Mobile Networking Lab at the TU Darmstadt university has been credited for reporting the flaw. It’s unclear if the PoC exploit was created by Roitburd or someone else.

Cisco also informed customers on Wednesday that it has patched over a dozen high-severity vulnerabilities across its Webex, SD-WAN, IP Phone and IOS XR products.

The IOS XR flaw can allow a remote, unauthenticated attacker to execute unsigned code during the Preboot eXecution Environment (PXE) boot process on an impacted device. However, the attacker needs to compromise or impersonate a PXE boot server in order to exploit the weakness.

A directory traversal vulnerability affecting the SD-WAN vManage software can also be exploited remotely and without authentication, to access sensitive information.

Cisco has warned Webex customers that an attacker can execute arbitrary code on their systems by tricking them into opening malicious ARF or WRF files with Webex Network Recording Player for Windows or Cisco Webex Player for Windows.

The remaining high-severity flaws patched this week by Cisco require authentication and/or local access for exploitation. They can be leveraged for DoS attacks, privilege escalation, arbitrary file creation (which also leads to DoS), and arbitrary code execution.

Related: Cisco Patches 34 High-Severity Vulnerabilities in IOS Software

Related: Cisco Patches Critical Vulnerability in Jabber for Windows

Related: Cisco Patches 17 High-Severity Vulnerabilities in Security Appliances

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.