Cisco AnyConnect Secure Mobility Client allows users to connect to remote systems through a VPN. On October 26, 2022, Cisco issued a warning to its customers, stating that security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows, which are two years old, are currently being exploited in the wild. CVE-2020-3433 (CVSS v3 score: 7.8) and CVE-2020-3153 (CVSS v3 score: 6.5) tracks the flaws. To exploit this vulnerability, attackers need to be in the same network.
The worst nightmare is that POCs are available, but the silver lining is attackers require proper credentials to exploit these vulnerabilities. Please apply the patch for these flaws as soon as possible since it was released in August 2020. A patch management software can apply patches swiftly.
Technical details about Cisco AnyConnect October 2022
CVE-2020-3433:
A flaw in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client for Windows could allow a local, authenticated attacker to perform a DLL hijacking attack. However, to exploit this vulnerability, the attacker must obtain legitimate access credentials to the Windows system.
The application’s poor run-time resource validation has led to the vulnerability. An attacker might take advantage of this weakness by sending the AnyConnect process a specially designed IPC message. With a successful exploit, the attacker might be able to run arbitrary code with SYSTEM rights on the impacted machine.
Steps to Exploit:
- Send the aforementioned “CAC” command in a specially constructed IPC message: CAC-nc-install -ipc=1337 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe C:\path\to\dbghelp.dll.
- The file “vpndownloader.exe” is copied by “vpnagent.exe” from “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe” to “C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader\vpndownloader.exe.”
- vpnagent.exe starts the cloned vpndownloader.exe as NT AUTHORITY\SYSTEM with the parameter given in the specially crafted IPC request.
- dbghelp.dll and vpndownloader.exe are copied by vpndownloader.exe to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer\.tmp.
- “NT AUTHORITY\SYSTEM” executes “vpndownloader.exe” from the “.tmp” folder, which triggers the activation of the malicious “dbghelp.dll” through DLL hijacking.
- The local system account executes the code within dbghelp.dll’s.
CVE-2020-3153:
The Cisco AnyConnect Secure Mobility Client for Windows installation component could allow an authenticated local attacker to copy user-supplied files to system-level folders with system-level access. The improper processing of directory paths is what causes the vulnerability. An attacker could use this flaw by making a malicious file and copying it to a system directory. An exploit could allow attackers to copy malicious files with system-level privileges to any location. This category could fall under pre-loading, DLL hijacking, and other related attacks. The attacker needs legitimate Windows system credentials to exploit this issue. To prevent such types of exploitations, a good patch management tool can come in handy.
The AnyConnect Agent receives a message instructing it to run vpndownloader.exe and carry out a certain activity as part of the auto-update mechanism; now the problem is any Cisco-signed executable will do; an installer file is not required.
Steps to Exploit:
- Send the aforementioned “CAC” command in a specially constructed IPC message: CAC-nc-install C:\anyconnect\nope\nope\nope\nope../../../../cstub.exe
- vpnagent.exe copies vpndownloader.exe from C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader\vpndC:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader\vpndownloader.exe
- vpnagent.exe starts the cloned vpndownloader.exe as NT AUTHORITY\SYSTEM with the parameter given in the specially crafted IPC request.
- vpndownloader.exe copies C:\anyconnect\cstub.exe to C:\ProgramData\Cisco\cstub.exe (path traversal with four levels above the original path, just next to the malicious dbghelp.dll).
- NT AUTHORITY\SYSTEM executes “cstub.exe,” which brings up the malicious “dbghelp.dll” through DLL hijacking.
- The local system account executes the code within dbghelp.dll.
Affected Product’s by Cisco AnyConnect October 2022
- Cisco AnyConnect Secure Mobility Client for Windows < 4.9.00086 (CVE-2020-3433)
- Cisco AnyConnect Secure Mobility Client for Windows < 4.8.02042 (CVE-2020-3153)
Impact
Moreover, successful Exploitation of these flaws will allow attackers to execute arbitrary commands with system privileges.
Solution
- Cisco AnyConnect Secure Mobility Client for Windows releases 4.9.00086 and later (CVE-2020-3433)
- Cisco AnyConnect Secure Mobility Client for Windows releases 4.8.02042 and later (CVE-2020-3153)
Other Critical Security Updates
- CVE-2022-35737 (CVSS score: 7.5) affects SQLite versions 1.0.12 through 3.39.1 and has been a problem for 22 years. However, the developers fixed the issue in version 3.39.2, releasing it on July 21, 2022.
- OpenSSL version 3.0.7, scheduled to release on November 1, 2022, in fact contains the patch for the critical vulnerability in the open-source cryptography and secure communication toolkit (OpenSSL).
- Google released a recent advisory for Chrome on October 25, 2022, which indeed contained the fix for High, medium, and Low severity vulnerabilities.
- Samba, a standard Windows interoperability suite of tools for Linux and Unix, has released security upgrades to fix two vulnerabilities in several versions.
- Zoom released 5.12.2 to fix URL parsing vulnerability in the Zoom Client for Meetings on October 24, 2022.
However, SanerNow VM and SanerNow PM detect and automatically fix these vulnerabilities by applying security updates. Finally, use SanerNow and keep your systems updated and secure.