Cisco Addresses High-Severity Vulnerabilities in its VPN Product

March 7, 2024

Cisco, the multinational technology conglomerate, has issued patches for two high-severity vulnerabilities found within its Secure Client application, a VPN solution that also offers security and monitoring features.

The first vulnerability, identified as CVE-2024-20337, affects the Linux, macOS, and Windows versions of Secure Client. It can be exploited remotely, without any form of authentication, through carriage return line feed (CRLF) injection, because the application does not sufficiently validate user-supplied input. As a result, an attacker can execute arbitrary scripts in the victim's browser or access sensitive data, such as SAML tokens, by tricking the user into clicking a malicious link during a VPN session.

Cisco stated, “The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.” This vulnerability only affects Secure Client instances where the VPN headend is configured with the SAML External Browser feature. Cisco has addressed this issue with the release of Secure Client versions 4.10.08025 and 5.1.2.42. Versions prior to 4.10.04065 are not vulnerable and no patches are available for version 5.0.

The second high-severity vulnerability, labeled as CVE-2024-20338, only impacts the Linux version of Secure Client and requires authentication for successful exploitation. Cisco has resolved this bug in version 5.1.2.42 of the VPN application.

Cisco clarified, “An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process. A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.”
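For an asset inventory check against the two advisories above, the following added example (not Cisco's code) classifies an installed Secure Client version using only the cutoffs the article states: 4.10.04065 as the first affected 4.10 build, 4.10.08025 and 5.1.2.42 as the fixed releases, and "no patches are available for version 5.0". It assumes that every 5.0.x build must be migrated and that every 5.1.x build before 5.1.2.42 is affected; for CVE-2024-20338 it only classifies the 5.1 train, since that is all the article names.

```python
from typing import Tuple

# Cutoffs taken from the advisory text above.
FIRST_AFFECTED_4_10 = (4, 10, 4065)   # builds before this are not vulnerable (CVE-2024-20337)
FIXED_4_10 = (4, 10, 8025)            # first fixed 4.10 build (CVE-2024-20337)
FIXED_5_1 = (5, 1, 2, 42)             # first fixed 5.1 build (both CVEs)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted build string such as '5.1.2.42' into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess_cve_2024_20337(version: str) -> str:
    """Return 'not_affected', 'vulnerable', 'fixed' or 'migrate' for CVE-2024-20337."""
    v = parse_version(version)
    train = v[:2]
    if train == (4, 10):
        if v < FIRST_AFFECTED_4_10:
            return "not_affected"
        return "fixed" if v >= FIXED_4_10 else "vulnerable"
    if train == (5, 0):
        # Assumption: no 5.0 patch exists, so every 5.0.x build needs migration to 5.1.
        return "migrate"
    if train == (5, 1):
        # Assumption: every 5.1.x build before the fixed release is affected.
        return "fixed" if v >= FIXED_5_1 else "vulnerable"
    if v < FIRST_AFFECTED_4_10:
        return "not_affected"
    raise ValueError(f"release train {train} is not covered by the advisory text")


def assess_cve_2024_20338(version: str, platform: str) -> str:
    """CVE-2024-20338 is Linux-only and fixed in 5.1.2.42; other trains are not classified."""
    if platform.strip().lower() != "linux":
        return "not_affected"
    v = parse_version(version)
    if v[:2] != (5, 1):
        raise ValueError("the advisory text only names a 5.1 fix for CVE-2024-20338")
    return "fixed" if v >= FIXED_5_1 else "vulnerable"
```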

On the same day, Cisco also released patches for several medium-severity vulnerabilities in AppDynamics Controller and Duo Authentication for Windows Logon and RDP, which could result in data leaks and bypass of secondary authentication. However, two medium-severity flaws in Small Business 100, 300, and 500 APs will remain unpatched, as these products have reached their end-of-life (EoL) status.

Cisco has confirmed that it is not aware of any instances where these vulnerabilities have been exploited in real-world scenarios. More details can be found on Cisco’s security advisories page.
