Cisco VPN vulnerability test model revealed

A security researcher recently revealed a proof of concept (PoC) model targeting a recently fixed security vulnerability in the Cisco AnyConnect Secure Mobility Client and Secure Client for Windows VPN applications. This software allows remote working employees to connect to the organization's network through a secure Virtual Private Network (VPN), while also offering monitoring capabilities.

Vulnerability details

Identified as CVE-2023-20178 and with a CVSS severity score of 7.8, the security flaw affects the software update process. This allows a local attacker with limited privileges to increase his access and execute code with System privileges. "The vulnerability resides in the fact that improper permissions are assigned to a temporary directory created during the upgrade process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installation process," Cisco explained in its release.

How the attack works

In general, this is an arbitrary folder deletion issue that can be triggered during the software update process, when a temporary folder is created to store copies of the files being edited, to allow for recovery in the event of a crash. installation failure. An attacker with knowledge of this temporary folder could run an exploit that contains an executable file designed to start the update process but causes a mid-process restore. Meanwhile, the exploit continually tries to replace the contents of the temporary folder with malicious files.

The PoC and Cisco's response

After the update process is interrupted, Windows tries to restore the files to their original location from the temporary folder, but instead finds itself dealing with the attacker's malicious files. This week, security researcher Filip Dragovic, who reported CVE-2023-20178 to Cisco, released a PoC that works in a similar way, triggering an arbitrary deletion of files with System privileges. Dragovic says it has tested the PoC on Secure Client versions 5.0.01242 and AnyConnect Secure Mobility Client 4.10.06079, emphasizing that only the Windows versions of the software are vulnerable. Cisco responded to issue CVE-2023-20178 in early June with the release of updated versions of the AnyConnect Secure Mobility Client (4.10.07061) and Secure Client (5.0.02075).