Cisco Addresses High-Severity Bug in Secure Client Software
June 7, 2023
Cisco has recently fixed a high-severity vulnerability found in its Cisco Secure Client (previously known as AnyConnect Secure Mobility Client) software. This issue could have allowed attackers to escalate their privileges to the SYSTEM account used by the operating system. Cisco Secure Client is a tool that enables employees to work remotely through a secure Virtual Private Network (VPN) while providing administrators with endpoint management and telemetry features.
The security flaw, identified as CVE-2023-20178, could be exploited by low-privileged, local attackers in low-complexity attacks that do not necessitate user interaction. According to Cisco, "This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the upgrade process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process." The vulnerability was addressed in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.
Cisco has confirmed that CVE-2023-20178 does not impact its macOS, Linux, and mobile products. Furthermore, the company's Product Security Incident Response Team (PSIRT) has not discovered any evidence of malicious use in the wild or public exploit code targeting the bug.
In October, Cisco urged customers to patch two other AnyConnect security flaws—CVE-2020-3433 and CVE-2020-3153—which had public exploit code and were addressed three years ago. These vulnerabilities allowed threat actors to execute arbitrary code on targeted Windows devices with SYSTEM privileges when combined with other privilege escalation flaws. The Cybersecurity and Infrastructure Security Agency (CISA) also added these vulnerabilities to its list of known exploited bugs, stating that "these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise."
Two years ago, Cisco patched an AnyConnect zero-day vulnerability, CVE-2020-3556, which had public exploit code. This update was released in May 2021, six months after the company provided mitigation measures to reduce the attack surface when the vulnerability was disclosed in November 2020.
Latest News
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.