Proof-of-concept (PoC) exploit code has been released for a high-severity flaw in Cisco Secure Client Software for Windows (previously known as AnyConnect Secure Mobility Client). The vulnerability, tracked as CVE-2023-20178, enables attackers to escalate privileges to the SYSTEM account used by the Windows operating system. The Cisco Secure Client allows employees to work remotely over a secure Virtual Private Network (VPN) while providing network administrators with telemetry and endpoint management features.
The vulnerability can be exploited by authenticated threat actors in low-complexity attacks that do not require user interaction. Successful exploitation involves taking advantage of a "specific function of the Windows installer process," according to Cisco. The company released security updates last Tuesday to address this security bug, stating that its Product Security Incident Response Team (PSIRT) had not found evidence of malicious use or public exploit code targeting the bug in the wild. Cisco fixed CVE-2023-20178 with the release of AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.
Security researcher Filip Dragović, who discovered and reported the Arbitrary File Delete vulnerability to Cisco, published the PoC exploit code earlier this week. Dragović tested the PoC against Cisco Secure Client (version 5.0.01242) and Cisco AnyConnect (version 4.10.06079). The researcher explained, "When a user connects to vpn, vpndownloader.exe process is started in [the] background, and it will create [a] directory in c:\windows\temp with default permissions in [the] following format: .tmp." Dragović further added, "After creating this directory vpndownloader.exe will check if that directory is empty, and if it's not, it will delete all files/directories in there. This behavior can be abused to perform arbitrary file delete as NT Authority\SYSTEM account."
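For defenders, the behaviour Dragović describes gives a concrete detection hook: vpndownloader.exe running as SYSTEM should only ever delete files beneath its own C:\Windows\Temp\<name>.tmp scratch directory, so a SYSTEM-level deletion by that process anywhere else is worth an alert. The following is an added example, not code from the article or from Cisco; it runs over constructed Sysmon-style file-delete records (Event ID 23), and the field names and paths are assumptions for illustration.

```python
import json
import ntpath
from pathlib import PureWindowsPath

# Constructed Sysmon-style file-delete events (Event ID 23), one JSON record
# per line. Field names and paths are assumptions for this example, not real
# telemetry from an affected host.
SAMPLE_EVENTS = [
    r'{"EventID": 23, "Image": "C:\\Program Files (x86)\\Cisco\\vpndownloader.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": "C:\\Windows\\Temp\\a1b2c3.tmp\\installer.msi"}',
    r'{"EventID": 23, "Image": "C:\\Program Files (x86)\\Cisco\\vpndownloader.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": "C:\\Program Files\\ExampleApp\\app.dll"}',
    r'{"EventID": 23, "Image": "C:\\Program Files (x86)\\Cisco\\vpndownloader.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": "C:\\Windows\\Temp\\a1b2c3.tmp\\..\\..\\Logs\\service.log"}',
    r'{"EventID": 23, "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice", "TargetFilename": "C:\\Users\\alice\\notes.txt"}',
]


def is_expected_delete(path: str) -> bool:
    """True when the deleted path sits under C:\\Windows\\Temp\\<name>.tmp, the
    scratch directory vpndownloader.exe is described as clearing out."""
    # ntpath.normpath collapses ".." so a traversal cannot masquerade as a
    # child of the .tmp directory.
    parts = PureWindowsPath(ntpath.normpath(path)).parts
    if len(parts) < 4:
        return False
    drive, windows, temp, scratch = (p.lower() for p in parts[:4])
    return (drive == "c:\\" and windows == "windows" and temp == "temp"
            and scratch.endswith(".tmp"))


def suspicious_deletes(lines):
    """Return TargetFilename values deleted by vpndownloader.exe running as
    SYSTEM that fall outside its expected scratch directory."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 23:
            continue
        if ntpath.basename(ev.get("Image", "")).lower() != "vpndownloader.exe":
            continue
        if not ev.get("User", "").upper().endswith("\\SYSTEM"):
            continue
        target = ev.get("TargetFilename", "")
        if not is_expected_delete(target):
            alerts.append(target)
    return alerts


if __name__ == "__main__":
    for path in suspicious_deletes(SAMPLE_EVENTS):
        print("ALERT: vpndownloader.exe deleted outside its temp dir:", path)
```

Of the four constructed records, only the two SYSTEM deletions outside the .tmp scratch directory are flagged; the explorer.exe event is ignored because it is neither the updater process nor SYSTEM.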
Attackers can exploit this Windows installer behavior, together with the fact that a client update process runs after each successful VPN connection, to spawn a SYSTEM shell through arbitrary file deletion. They can then use the technique described here to escalate privileges. In October, Cisco warned customers to patch two more AnyConnect security flaws (both with public exploit code and fixed three years earlier) due to active exploitation in attacks. In May 2021, Cisco patched an AnyConnect zero-day with public exploit code, six months after its initial disclosure in November 2020.