Cisco released a patch for a high-severity flaw that was plaguing its Cisco Secure Client. The flaw, tracked as CVE-2023-20178, allowed threat actors elevate account privileges and tamper with the system on the admin level. No interaction on the victim’s side was necessary.
“This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the upgrade process,” Cisco said in its security advisory published with the patch. “An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process.”
Cisco Secure Client is a VPN/ZNTA solution that enables remote working opportunities for employees, and endpoint management and telemetry features for administrators.
Not abused (yet)
To remove the threat, users are advised to bring AnyConnect Secure Mobility Client for Windows to version 4.10MR7 and Cisco Secure Client for Windows to version 5.0MR2.
Not all versions of the product are vulnerable, though. For macOS and Linux, the Cisco Secure Client and AnyConnect Secure Mobility Client are both fine, as too is the Secure Client-AnyConnect for Android and the Secure Client AnyConnect VPN for iOS.
Elsewhere in the security advisory, Cisco also said that there is no evidence of the flaw being used in the wild. There are also no malware variants out there looking to leverage the flaw, the company claims.
The last time we heard of Cisco AnyConnect was in October last year, when the company urged its customers to apply a fix for a newly discovered flaw that had been sitting unnoticed for several years and was only discovered after being abused by criminals.
At the time, Cisco said it unearthed two flaws – CVE-2020-3433 and CVE-2020-3153, found in the Cisco AnyConnect Secure Mobility Client for Windows which would have allowed local threat actors to run DLL hijacking attacks and use system-level privileges to copy files to system directories. The result is arbitrary code execution on endpoints with system privileges.