Cisco AnyConnect Secure Mobility Client Software and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability (CVE-2023-20178)

Cisco has released patches to address a high-severity vulnerability, CVE-2023-20178, that affects the Cisco AnyConnect Secure Mobility Client Software and Cisco Secure Client Software. Filip Dragovic reported the vulnerability. On successful exploitation, the vulnerability may allow a local attacker to escalate privileges to those of SYSTEM. There is no evidence of public exploitation of the vulnerability.

Cisco AnyConnect Secure Mobility Client Software is a unified security endpoint software product. It lets an enterprise extend its network access to remote users over wired and wireless connectivity together with a Virtual Private Network (VPN) connection.

Description

This vulnerability exists in the client update feature of Cisco AnyConnect Secure Mobility Client Software and Cisco Secure Client Software running on Windows. It is caused by improper permissions assigned to a temporary directory created during the upgrade process. A low-privileged, authenticated, local attacker could exploit the vulnerability by abusing a specific function of the Windows installer process; a successful attack could elevate the attacker's privileges to those of SYSTEM.

Note: For releases earlier than Release 5.0, Cisco Secure Client for Windows is known as Cisco AnyConnect Secure Mobility Client for Windows.

Exploitation Details

Filip Dragovic, the researcher who discovered the vulnerability, has released a proof-of-concept exploit on GitHub.

When a user connects to the VPN, the vpndownloader.exe process starts in the background. The process creates a directory in c:\windows\temp with default permissions, named in the <random numbers>.tmp format. After creating this directory, vpndownloader.exe checks whether it is empty and, if it is not, deletes every file and directory inside it. Because that deletion runs as NT Authority\SYSTEM, the flaw can be exploited to perform an arbitrary file delete as the NT Authority\SYSTEM account.

Affected Versions

  • Cisco Secure Client for Windows Software 5.0
  • Cisco AnyConnect Secure Mobility Client for Windows 4.10 and earlier

Mitigation

Cisco has released Cisco Secure Client for Windows Software 5.0MR2 and Cisco AnyConnect Secure Mobility Client for Windows 4.10MR7 to patch the vulnerability.
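As an added example (not from the Qualys post or from Cisco), the following PowerShell inventories the installed client build on a Windows host by reading the standard Uninstall registry keys and reports whether it is on one of the affected trains listed above. The fixed releases 5.0MR2 and 4.10MR7 are named only by maintenance-release label on this page, so their numeric build numbers are left as placeholders to be filled in from the Cisco advisory; the registry paths and the DisplayName match are standard Windows conventions and the function name is the author's own, none of them taken from the page.

```powershell
# Added example: not from the Qualys post or from Cisco. Reads the Windows
# Uninstall registry keys to find the installed Cisco AnyConnect / Cisco Secure
# Client build and reports whether it falls in an affected train.
# Assumption: the numeric builds of 5.0MR2 and 4.10MR7 are not given on the
# page, so $FixedBuilds holds placeholders. Fill them from the Cisco advisory
# cisco-sa-ac-csc-privesc-wx4U4Kw; until then, hosts on an affected train are
# reported for manual comparison rather than marked patched.
$FixedBuilds = @{
    '5.0'  = $null   # replace with [version]'5.0.<5.0MR2 build from the advisory>'
    '4.10' = $null   # replace with [version]'4.10.<4.10MR7 build from the advisory>'
}

function Get-CiscoVpnClientStatus {
    [CmdletBinding()]
    param(
        # Both native and 32-bit-on-64 uninstall hives, so either installer flavour is found.
        [string[]]$UninstallKeys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
    )

    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Cisco (AnyConnect|Secure Client)' }

    foreach ($app in $installed) {
        $status  = 'unknown version format'
        $version = $null
        if ([version]::TryParse($app.DisplayVersion, [ref]$version)) {
            $train = '{0}.{1}' -f $version.Major, $version.Minor
            if ($version.Major -gt 5 -or ($version.Major -eq 5 -and $version.Minor -gt 0)) {
                # Newer than the 5.0 train covered by the advisory.
                $status = 'outside the affected trains'
            }
            elseif ($FixedBuilds.ContainsKey($train) -and $FixedBuilds[$train]) {
                # Fixed build known for this train: a straight version comparison decides.
                $status = if ($version -ge $FixedBuilds[$train]) { 'patched' } else { 'VULNERABLE' }
            }
            else {
                # 4.10 and earlier, or 5.0 with no fixed build configured yet:
                # the train is affected per the advisory; compare the build manually.
                $status = 'affected train: compare build against the Cisco advisory'
            }
        }
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            DisplayName    = $app.DisplayName
            DisplayVersion = $app.DisplayVersion
            Status         = $status
        }
    }
}

# Usage: run locally, or wrap in Invoke-Command for a fleet-wide sweep.
Get-CiscoVpnClientStatus | Format-Table -AutoSize
```

The function emits one object per installed client rather than printing text, so the same output can be exported to CSV or fed to a ticketing workflow once the fixed build numbers are filled in.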

Customers can refer to the Cisco Security Advisory (cisco-sa-ac-csc-privesc-wx4U4Kw) for information about the vulnerability.

Qualys Detection

Qualys customers can scan their devices with QID 378559 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw
