Cisco Zero-Day in AnyConnect Secure Mobility Client Remains Unpatched

  • Cisco also disclosed high-severity vulnerabilities in its Webex and SD-WAN products.

    Cisco has disclosed a zero-day vulnerability, for which there is not yet a patch, in the Windows, macOS and Linux versions of its AnyConnect Secure Mobility Client Software.

    While Cisco said it is not aware of any exploits in the wild for the vulnerability, it reported that Proof-of-Concept (PoC) exploit code has been released, opening up the risk of cybercriminals leveraging the flaw. The flaw (CVE-2020-3556) is an arbitrary code execution vulnerability with a CVSS score of 7.3 out of 10, making it high severity.

    “Cisco has not released software updates that address this vulnerability,” according to Cisco’s Wednesday advisory. “Cisco plans to fix this vulnerability in a future release of Cisco AnyConnect Secure Mobility Client Software.”

    AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features, and roaming protection) for endpoints.

    The flaw could allow an attacker to cause a targeted AnyConnect user to execute a malicious script; however, in order to launch an attack a cybercriminal would need to be authenticated and on the local network.

    “In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack,” according to Cisco. “To exploit this vulnerability, the attacker would also need valid user credentials on the system on which the AnyConnect client is being run.”

    According to Cisco, the vulnerability exists in the interprocess communication (IPC) channel. IPC is a set of programming interfaces that allows a program to handle many user requests at the same time. Specifically in this case, the IPC listener lacks authentication.

    “An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener,” according to Cisco. “A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”

    While there are no workarounds that address this vulnerability, one mitigation is to disable the Auto Update and Enable Scripting features. That is because a vulnerable configuration requires both the Auto Update setting and the Enable Scripting setting to be enabled. Auto Update is enabled by default, and Enable Scripting is disabled by default, said Cisco.
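
    The setting combination described above can be audited in a client profile. The following Python is an added example, not code from Cisco or from the original article; it assumes the two settings appear as `AutoUpdate` and `EnableScripting` elements in the AnyConnect profile XML, and the sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the article: Auto Update on, Enable Scripting off.
DEFAULTS = {"AutoUpdate": True, "EnableScripting": False}

# Constructed sample profiles (element names are an assumption about the
# profile schema; verify them against a profile from your own deployment).
_TEMPLATE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>{body}</ClientInitialization>
</AnyConnectProfile>"""
SAMPLE_DEFAULT = _TEMPLATE.format(body="")  # neither setting present
SAMPLE_EXPOSED = _TEMPLATE.format(
    body='<AutoUpdate UserControllable="false">true</AutoUpdate>'
         '<EnableScripting UserControllable="false">true</EnableScripting>')
SAMPLE_MITIGATED = _TEMPLATE.format(
    body="<AutoUpdate>false</AutoUpdate><EnableScripting>false</EnableScripting>")


def read_settings(profile_xml):
    """Return the effective AutoUpdate / EnableScripting values of a profile."""
    settings = dict(DEFAULTS)  # a missing element falls back to the default
    for element in ET.fromstring(profile_xml).iter():
        name = element.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        text = (element.text or "").strip().lower()
        if name in settings and text in ("true", "false"):
            settings[name] = text == "true"
    return settings


def assess(profile_xml):
    """Classify a profile against the configuration the advisory describes."""
    s = read_settings(profile_xml)
    if s["AutoUpdate"] and s["EnableScripting"]:
        return "vulnerable"   # both settings enabled
    if not s["AutoUpdate"] and not s["EnableScripting"]:
        return "hardened"     # mitigation applied: both disabled
    return "partial"          # one setting away from the vulnerable state


if __name__ == "__main__":
    for label, xml_text in (("default", SAMPLE_DEFAULT),
                            ("exposed", SAMPLE_EXPOSED),
                            ("mitigated", SAMPLE_MITIGATED)):
        print(label, read_settings(xml_text), assess(xml_text))
```

    A profile left at the defaults is reported as "partial": it is not the vulnerable configuration, but enabling scripting alone would make it one.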

    Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) was credited with reporting the vulnerability.

    Cisco on Wednesday issued updates for 13 other high-severity CVEs across various products. These include an arbitrary code execution flaw (CVE-2020-3588) in Cisco’s Webex Meetings Desktop collaboration app, as well as three arbitrary code execution flaws (CVE-2020-3573, CVE-2020-3603, CVE-2020-3604) in its Webex Network Recording Player and Webex Player.

    Flaws tied to seven CVEs were also discovered in Cisco SD-WAN, including a file creation bug (CVE-2020-26071), a privilege escalation flaw (CVE-2020-26074) and a denial-of-service (DoS) flaw (CVE-2020-3574).
