PoC Exploit Published for High-Severity Vulnerability in Cisco AnyConnect Secure
A security researcher has published proof-of-concept (PoC) exploit code for a high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure.
This vulnerability impacts the client update process of the software, potentially allowing local attackers to elevate their privileges and execute code with System privileges.
Key Takeaways on High-Severity Vulnerability in Cisco AnyConnect Secure:
- PoC exploit code has been published for a high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure.
- The vulnerability allows local attackers with low privileges to elevate their access and execute code with System privileges.
- Cisco has released updated versions of the affected software to address the vulnerability.
A security researcher has released proof-of-concept (PoC) code that targets a recently patched high-severity vulnerability found in the Cisco AnyConnect Secure Mobility Client and Secure Client for Windows.
These software solutions enable remote employees to connect to organizational networks through a secure virtual private network (VPN) and provide monitoring capabilities.
The Vulnerability and its Impact
Tracked as CVE-2023-20178 with a CVSS score of 7.8, this security flaw affects the client update process of the software. It allows a local attacker with low privileges to escalate their access and execute code with System privileges.
Cisco explains that the vulnerability stems from improper permissions assigned to a temporary directory created during the update process. An attacker can exploit it by abusing a specific function of the Windows installer process.
The Arbitrary Folder Delete Issue
During the software update process, a temporary folder is created to store modified file copies for potential rollback if the installation process is incomplete. This vulnerability arises from an arbitrary folder delete issue.
An attacker who is aware of this temporary folder can run an exploit containing an executable file designed to initiate an update process but trigger a rollback midway.
Concurrently, the exploit continuously replaces the contents of the temporary folder with malicious files.
The PoC Exploit and Impact
Filip Dragovic, the security researcher who reported CVE-2023-20178 to Cisco, has released a PoC that operates similarly, causing an arbitrary file deletion with System privileges.
The researcher tested the PoC on Secure Client version 5.0.01242 and AnyConnect Secure Mobility Client version 4.10.06079. Only the Windows versions of the software are affected.
Cisco’s Response and Patch
In early June, Cisco addressed CVE-2023-20178 by releasing updated versions of the affected software. AnyConnect Secure Mobility Client version 4.10.07061 and Secure Client version 5.0.02075 contain the necessary fixes to mitigate the vulnerability.
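To find endpoints still running a build older than the fixed releases named above, an inventory export can be triaged with a short script. This is an added example, not code from Cisco or the researcher. It assumes that any Windows build in the 4.x or 5.x line below the fixed release is unpatched; the record format and hostnames are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by major version line.
FIXED = {
    4: (4, 10, 7061),   # AnyConnect Secure Mobility Client 4.10.07061
    5: (5, 0, 2075),    # Secure Client 5.0.02075
}

def parse_version(text):
    """Turn '4.10.06079' into (4, 10, 6079); return None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(host):
    """Classify one inventory record (hypothetical dict with 'os' and 'version')."""
    if host.get("os", "").lower() != "windows":
        return "not-affected"        # only the Windows clients are affected
    version = parse_version(host.get("version"))
    if version is None or version[0] not in FIXED:
        return "review"              # unparsable or unknown line: check by hand
    # Numeric tuple comparison; comparing the raw strings would rank 4.9 above 4.10.
    return "patched" if version >= FIXED[version[0]] else "update-required"

def report(inventory):
    """Return {hostname: status} for every record in the inventory."""
    return {h["name"]: triage(h) for h in inventory}

# Constructed sample inventory (hostnames are made up).
SAMPLE = [
    {"name": "hr-lt-01",  "os": "Windows", "version": "4.10.06079"},
    {"name": "hr-lt-02",  "os": "Windows", "version": "4.10.07061"},
    {"name": "eng-ws-07", "os": "Windows", "version": "5.0.01242"},
    {"name": "eng-ws-08", "os": "Windows", "version": "5.0.02075"},
    {"name": "ops-ws-03", "os": "Windows", "version": "4.9.04053"},
    {"name": "dev-mb-11", "os": "macOS",   "version": "4.10.06079"},
    {"name": "kiosk-02",  "os": "Windows", "version": "unknown"},
]

if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(f"{name:10} {status}")
```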
Conclusion
The publication of a PoC exploit for the high-severity vulnerability in Cisco AnyConnect Secure highlights the importance of promptly patching software vulnerabilities.
Organizations using the affected versions of AnyConnect Secure Mobility Client and Secure Client for Windows should update to the patched versions provided by Cisco to mitigate the risks associated with this vulnerability.