Cisco has addressed a high-severity vulnerability in its Cisco Secure Client (formerly AnyConnect Secure Mobility Client) software that could allow attackers to elevate their privileges to SYSTEM, the account the Windows operating system itself runs under.
Cisco Secure Client enables employees to work from anywhere via a secure virtual private network (VPN) and provides administrators with device management and telemetry capabilities.
Local, low-privilege attackers can exploit this security flaw (tracked as CVE-2023-20178) in low-complexity attacks that do not require user interaction.
“This vulnerability exists because incorrect permissions are assigned to a temporary directory created during the upgrade process,” Cisco explains.
“An attacker could exploit this vulnerability by abusing a specific function of the Windows installation process.”
The bug has been fixed in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.
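The root cause Cisco describes, a directory created by a privileged installer with permissions that let an ordinary user write into it, is a recurring local privilege escalation pattern. The script below is an added example, not code from Cisco or from this article: it audits directories for ACL entries that grant write-type rights to low-privileged principals. Cisco's advisory does not name the temporary directory involved, so the default paths here are assumptions chosen for illustration; pass the directories you actually want checked. Principals are matched by well-known SID rather than by name so the check works on localized Windows installs.

```powershell
<#
  Added example (not from Cisco or the article): flag ACL entries that give
  low-privileged principals write access to a directory, the condition behind
  the bug class described above. Run from an elevated prompt so every
  directory's DACL can be read. Default paths are assumptions for illustration.
#>
param(
    [string[]]$Path = @("$env:ProgramData\Cisco", "$env:ProgramFiles\Cisco"),
    [switch]$Recurse
)

# Well-known SIDs that every interactive user is a member of.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

# Rights that let a caller drop, replace or delete files in a directory, or
# rewrite its DACL. Read, execute and ListDirectory are deliberately excluded.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::CreateFiles -bor $R::CreateDirectories -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                   $R::TakeOwnership -bor $R::WriteAttributes -bor $R::WriteExtendedAttributes)

# ACEs written with generic access bits surface as raw integers in .NET;
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) both imply write.
$GenericWriteMask = 0x50000000

function Test-WeakDirectoryAcl {
    param([Parameter(Mandatory)][string]$Directory)

    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Resolve the ACE identity to a SID; skip entries that cannot be translated.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($LowPrivSids -notcontains $sid) { continue }

        $rights = [int]$ace.FileSystemRights
        $weak = (($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteMask) -ne 0)
        if (-not $weak) { continue }

        [pscustomobject]@{
            Path      = $Directory
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: inherited from a parent the installer never hardened
            Owner     = $acl.Owner         # a low-privileged owner can rewrite the DACL regardless of ACEs
        }
    }
}

# Collect the target directories (optionally their subdirectories) and report findings.
$targets = foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p -PathType Container)) { continue }
    Get-Item -LiteralPath $p
    if ($Recurse) { Get-ChildItem -LiteralPath $p -Directory -Recurse -ErrorAction SilentlyContinue }
}

$findings = $targets | ForEach-Object { Test-WeakDirectoryAcl -Directory $_.FullName }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No low-privilege write access found under: $($Path -join ', ')"
}
```

This only inspects directories that exist at the time the script runs. A directory that an upgrade creates and removes again, as in the Cisco description, has to be caught while it exists, for example by running the check during the upgrade or by watching directory creation events with file-system auditing; the ACL test itself is the same.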
According to Cisco, CVE-2023-20178 does not affect the following macOS, Linux, and mobile products:
- Cisco AnyConnect Secure Mobility Client for Linux
- Cisco AnyConnect Secure Mobility Client for MacOS
- Cisco Secure Client – AnyConnect for Android
- Cisco Secure Client AnyConnect VPN for iOS
- Cisco Secure Client for Linux
- Cisco Secure Client for MacOS
No signs of active exploitation
The company’s Product Security Incident Response Team (PSIRT) has yet to find any evidence of in-the-wild malicious use or public exploit code targeting the bug.
In October, Cisco warned customers to patch two other AnyConnect security flaws, both with public exploit code and both fixed three years earlier, after they were found to be exploited in the wild.
The bugs (CVE-2020-3433 and CVE-2020-3153) allow attackers to execute arbitrary code on targeted Windows devices with SYSTEM privileges when chained with other privilege escalation flaws.
As CISA noted when it added the two bugs to its Known Exploited Vulnerabilities catalog, “these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise.”
Two years ago, Cisco also patched an AnyConnect zero-day (CVE-2020-3556) for which exploit code had been released. The fix arrived in May 2021, six months after the flaw was disclosed in November 2020 together with mitigations to reduce the attack surface.