Hack with Cisco Secure Client and AnyConnect Secure Mobility Software to become an administrator

by time news

2023-06-23 00:04:20

Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows contain a high-severity vulnerability, and proof-of-concept attack code that exploits the issue has been released. Users who have not yet applied the patch are strongly advised to do so as soon as possible. In the past, malicious actors have attempted to exploit unpatched vulnerabilities in Cisco Secure Client Software.

IT administrators use Cisco Secure Client Software as an endpoint management tool. The software is a remote access solution that allows workers to connect to the network from anywhere through a Virtual Private Network (VPN). The vulnerability, tracked as CVE-2023-20178, has a CVSS base score of 7.8.

Filip Dragović, a security researcher, discovered the arbitrary file deletion vulnerability and reported it to Cisco. Dragović also released proof-of-concept (PoC) attack code that can be used to exploit the issue.

According to Dragović’s explanation, the proof of concept was tested against Cisco Secure Client (version 5.0.01242) and Cisco AnyConnect (version 4.10.06079).

The researcher explains that “when a user connects to vpn, the vpndownloader.exe process starts in the background” and that “it will create [a] directory in c:\windows\temp with default permissions [in the] following format: <random numbers>.tmp.”

“After setting this directory, vpndownloader.exe will check if that directory is empty. If not, vpndownloader.exe will remove all files and folders inside that directory. This behavior has the potential to be exploited to delete arbitrary files when logged in as the SYSTEM NT Authority account.”

Using the method described in the researcher's write-up, an attacker can escalate privileges by spawning a SYSTEM shell: the arbitrary file deletion is combined with the behavior of the Windows Installer and the fact that a client update procedure runs after each successful VPN connection. This gives the attacker full control over the system.

This vulnerability can be exploited by an authenticated local attacker to escalate privileges to SYSTEM. The issue affects the client update process and is due to incorrect permissions on a temporary directory created while the update runs; it is exploited by abusing a specific function of the Windows installation process. An attack exploiting the vulnerability has low complexity and requires no user interaction.

There is no workaround; installing the patch is the only way to remediate the vulnerability and prevent it from being exploited. The patch was released on June 13, 2023, and at the time of its release there were no known cases of the vulnerability being exploited. AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2 contain the fix.
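Since patching is the only remediation, an administrator's first task is finding hosts that still run an affected build. The following PowerShell script is an added example (not code from the article, the researcher or Cisco) that reads the installed Cisco VPN client version from the Windows uninstall registry keys and compares it with the builds the researcher reported as vulnerable. It assumes the product's uninstall DisplayName starts with "Cisco AnyConnect" or "Cisco Secure Client"; the exact fixed build numbers for 4.10MR7 and 5.0MR2 are not given on this page, so `$FixedBuilds` is a placeholder to be filled from Cisco's advisory.

```powershell
# Added example: inventory the installed Cisco VPN client and flag affected builds.
# $FixedBuilds is a PLACEHOLDER: fill in the exact fixed build numbers for
# 4.10MR7 and 5.0MR2 from Cisco's advisory before relying on the 'patched' status.
param(
    [hashtable]$FixedBuilds = @{ '4.10' = $null; '5.0' = $null }
)

# Builds the proof of concept was tested against, as reported in the article.
$KnownVulnerable = @{
    '4.10' = [version]'4.10.06079'
    '5.0'  = [version]'5.0.01242'
}

# Both 64-bit and 32-bit uninstall hives, since the client may be registered in either.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the product registers with one of these DisplayName prefixes.
$clients = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Cisco AnyConnect*' -or
                   $_.DisplayName -like 'Cisco Secure Client*' }

foreach ($c in $clients) {
    try { $ver = [version]$c.DisplayVersion } catch { $ver = $null }
    $status = 'unparseable version'
    if ($ver) {
        $branch = "$($ver.Major).$($ver.Minor)"
        $status = 'unknown branch: check advisory'
        if ($KnownVulnerable.ContainsKey($branch)) {
            $fixed = $FixedBuilds[$branch]
            if ($fixed -and $ver -ge [version]$fixed) {
                $status = 'patched'
            } elseif ($ver -le $KnownVulnerable[$branch]) {
                $status = 'VULNERABLE (at or below PoC-tested build)'
            } else {
                $status = 'newer than PoC-tested build: compare with advisory'
            }
        }
    }
    [pscustomobject]@{ Product = $c.DisplayName; Version = $c.DisplayVersion; Status = $status }
}
```

Run it per host (for example through a remoting or endpoint-management job) and collect the objects it emits; any row marked VULNERABLE is a confirmed patch gap, while rows marked "compare with advisory" need the real fixed build numbers to resolve.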

He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His daily work includes investigating new malware and cybersecurity incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.
