Last week, Cisco disclosed a zero-day vulnerability (CVE-2020-3556) that has proof-of-concept exploit code publicly available. It affects their AnyConnect Secure Mobility Client software, an endpoint tool that connects users to enterprise networks via virtual private network (VPN). The vulnerability was reported by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).
How It Works
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client allows an authenticated, local attacker to execute malicious scripts in the context of a targeted user.
Because the IPC listener does not authenticate its clients, an attacker could exploit this vulnerability by sending IPC messages to the AnyConnect client IPC listener, resulting in script execution with the privileges of the targeted AnyConnect user, according to Cisco.
For successful exploitation, an attacker would need valid user credentials on the system running the AnyConnect client. They would also need to log in to the system while an AnyConnect session is active and already be able to execute code on that system.
Who is Affected
CVE-2020-3556 affects the AnyConnect Secure Mobility Client for Linux, macOS, and Windows when the Bypass Downloader setting is left at its default value of false.
You can verify your Bypass Downloader configuration by opening the AnyConnectLocalPolicy.xml file and searching for <BypassDownloader>false</BypassDownloader>.
If Bypass Downloader is set to true, the device is not affected by this vulnerability, according to Cisco.
This vulnerability doesn’t affect the AnyConnect client for Apple iOS or Android.
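The manual check above (open AnyConnectLocalPolicy.xml and look for the BypassDownloader element) is easy to get wrong on a fleet: a plain text search misses the element when the file declares an XML namespace, uses different casing, or omits the element entirely so that the default of false applies. The script below is an added example written for this article, not code from Cisco or from the page; it parses the policy XML, matches the element by its local name so a namespace on the root does not hide it, and reports the host as affected unless the value is explicitly true. The sample policies embedded in it are constructed, with a placeholder namespace, and the treatment of a missing element as the default false is an inference from the advisory text above.

```python
"""Check an AnyConnect local policy for the CVE-2020-3556 affected
configuration: BypassDownloader left at its default value of false.

Added example for this article; not Cisco code. Run with the path to
AnyConnectLocalPolicy.xml as the only argument, or import and call
is_affected() on the XML text.
"""
import sys
import xml.etree.ElementTree as ET


def bypass_downloader_value(policy_xml):
    """Return the text of <BypassDownloader> normalised to lower case,
    or None when the element is absent.

    The tag is matched by local name ("{ns}BypassDownloader" and
    "BypassDownloader" both match), so a default xmlns on the document
    root does not hide it from the check.
    """
    root = ET.fromstring(policy_xml)
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "BypassDownloader":
            return (elem.text or "").strip().lower()
    return None


def is_affected(policy_xml):
    """True when the policy leaves Bypass Downloader at false.

    Only an explicit value of true clears the host. A missing element is
    treated as the default (false), as the advisory describes false as
    the default value; that mapping is an assumption of this example.
    """
    return bypass_downloader_value(policy_xml) != "true"


def check_policy_file(path):
    """Read a policy file from disk and return the is_affected() verdict."""
    with open(path, encoding="utf-8") as fh:
        return is_affected(fh.read())


# Constructed sample policies (not copied from a real installation).
# The namespace URI is a placeholder used only to exercise tag matching.
SAMPLE_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="urn:example:anyconnect-local-policy">
  <BypassDownloader>false</BypassDownloader>
</AnyConnectLocalPolicy>"""

SAMPLE_HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="urn:example:anyconnect-local-policy">
  <BypassDownloader> True </BypassDownloader>
</AnyConnectLocalPolicy>"""

SAMPLE_MISSING = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy>
</AnyConnectLocalPolicy>"""


if __name__ == "__main__":
    if len(sys.argv) == 2:
        affected = check_policy_file(sys.argv[1])
    else:
        # No path given: demonstrate on the constructed default policy.
        affected = is_affected(SAMPLE_DEFAULT)
    print("AFFECTED: BypassDownloader is not true" if affected
          else "NOT AFFECTED: BypassDownloader is true")
    sys.exit(1 if affected else 0)
```

The non-zero exit status when the host is affected lets the script drop into an endpoint inventory or configuration-compliance job, so the result can be tracked per host until Cisco ships the fixed release.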
Mitigation for CVE-2020-3556
There are currently no software updates available to address the AnyConnect zero-day, CVE-2020-3556. Cisco plans to fix this vulnerability in a future release of Cisco AnyConnect Secure Mobility Client software.
Additional Resources
Cisco’s Security Advisory for CVE-2020-3556
AnyConnect Integration
Blumira’s cloud SIEM integrates easily with Cisco AnyConnect to start detecting threats immediately and automating response. Learn more about Blumira’s Cisco AnyConnect integration (logs delivered through ASA firewall & FTD Firepower Threat Defense).
Thu Pham
Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...