Cisco finally patches months-old VPN security flaw


It has taken Cisco almost six months to fix a high-severity zero-day arbitrary code execution vulnerability in its AnyConnect Secure Mobility Client VPN software.

The Cisco Product Security Incident Response Team (PSIRT) initially disclosed the vulnerability in November 2020 without releasing a security update. 

Back in November, PSIRT acknowledged that proof-of-concept exploit code existed for the vulnerability, tracked as CVE-2020-3556. However, even in its latest advisory announcing the fix, Cisco said it had found no evidence of the vulnerability being exploited in the wild.


The vulnerability exists in Cisco’s AnyConnect Secure Mobility Client, which lets remote employees connect to the corporate network over a VPN tunnel established with either Secure Sockets Layer (SSL) or the IPsec IKEv2 protocol.

A weakness in the inter-process communication (IPC) channel of the Secure Mobility Client could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.

Update to mitigate

According to Cisco, the vulnerability exists because the IPC listener does not authenticate the process talking to it. An attacker could exploit this shortcoming by sending crafted IPC messages to the AnyConnect client’s IPC listener, which could then cause the targeted AnyConnect user to execute a script of the attacker’s choosing.

As the company disclosed in November, a successful exploit requires an active AnyConnect session and valid credentials on the targeted device. In other words, the attacker must already have a local account on the machine; the bug lets that account run code in the context of another user who is logged in and connected with AnyConnect.
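To make the weakness class concrete, here is an added illustration (not Cisco’s code, and not a reproduction of the AnyConnect IPC protocol): a local IPC listener that acts on “run this script” messages from any local process, beside a hardened version that first asks the kernel which user is on the other end of the socket. The JSON message format, the class names and the session_uid parameter are assumptions made for this example; the check relies on Linux’s SO_PEERCRED on an AF_UNIX socket, so it is Linux-only.

```python
"""Local IPC listener without and with peer authentication.

Added example for this article; it is not Cisco code and does not reproduce
the AnyConnect IPC protocol. It models the weakness class in the advisory:
a listener that acts on "run this script" messages from any local process.
Linux only: peer identity comes from SO_PEERCRED on an AF_UNIX socket.
"""
import json
import os
import socket
import struct

# Hypothetical message format, constructed for this example:
#   {"action": "run_script", "path": "/path/to/script.sh"}
MAX_MSG = 4096


def recv_message(conn):
    """Read one JSON message from the peer (one message per connection)."""
    return json.loads(conn.recv(MAX_MSG).decode("utf-8"))


def peer_uid(conn):
    """Ask the kernel which UID owns the other end of the AF_UNIX socket.

    Unlike anything inside the message, this value is supplied by the kernel
    and cannot be forged by the sending process.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)   # struct ucred on Linux
    return uid


class VulnerableListener:
    """Runs whatever script the message names; never checks who sent it."""

    def __init__(self):
        self.executed = []

    def handle(self, conn):
        msg = recv_message(conn)
        if msg.get("action") != "run_script":
            return False
        # A real client would spawn the script here, in the session user's
        # context; this example only records the path so it is safe to run.
        self.executed.append(msg["path"])
        return True


class HardenedListener:
    """Same handler, but only the UID that owns this session may drive it."""

    def __init__(self, session_uid):
        self.session_uid = session_uid
        self.executed = []
        self.rejected = []

    def handle(self, conn):
        uid = peer_uid(conn)            # authenticate before parsing anything
        msg = recv_message(conn)
        if uid != self.session_uid:
            self.rejected.append((uid, msg))
            return False
        if msg.get("action") != "run_script":
            return False
        self.executed.append(msg["path"])
        return True


def deliver(listener, message):
    """Send one message over a fresh AF_UNIX socket pair and report whether
    the listener acted on it. The sender runs as this process's own UID."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(json.dumps(message).encode("utf-8"))
        return listener.handle(server)
    finally:
        client.close()
        server.close()


def demo():
    """Deliver the same attacker message to all three listeners.

    Returns (vulnerable, hardened_own_session, hardened_other_users_session).
    The last listener pretends to serve a different logged-in user's session,
    which is the situation the advisory describes.
    """
    attack = {"action": "run_script", "path": "/tmp/attacker-controlled.sh"}
    me = os.getuid()
    return (
        deliver(VulnerableListener(), attack),
        deliver(HardenedListener(me), attack),
        deliver(HardenedListener(me + 1), attack),
    )


if __name__ == "__main__":
    vulnerable, own, other = demo()
    print("vulnerable listener ran the script:", vulnerable)
    print("hardened listener, sender owns the session:", own)
    print("hardened listener, sender is a different local user:", other)
```

Running the script shows the vulnerable listener executing the path from any local sender, while the hardened one only honours a sender whose UID matches the session it serves. IPC carried over loopback TCP cannot use SO_PEERCRED at all; there, the usual substitute is a per-session random secret written to a file readable only by the session’s user and required in every message.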

The vulnerability is now addressed in the latest release of the Secure Mobility Client software. Cisco also said that customers who cannot immediately install the security update can mitigate the vulnerability by turning off the client’s Auto Update feature. Note that this is a workaround rather than a fix: with Auto Update disabled, the patched client will not be pulled down automatically and has to be deployed to endpoints by other means.

To further strengthen the security around its networking products, Cisco has recently acquired the makers of a threat assessment and vulnerability management platform, Kenna Security.

Via BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
