It’s taken Cisco almost six months to fix a critical zero-day arbitrary code execution vulnerability in the Cisco AnyConnect Secure Mobility Client VPN software.
The Cisco Product Security Incident Response Team (PSIRT) initially disclosed the vulnerability in November 2020 without releasing a security update.
Back in November, PSIRT acknowledged the existence of proof-of-concept code that exploited the vulnerability, tracked as CVE-2020-3556. However, even in its latest advisory announcing the fix, Cisco said it had found no evidence of attackers exploiting the vulnerability in the wild.
The vulnerability exists in Cisco’s AnyConnect Secure Mobility Client, which enables remote employees to connect to the corporate network through a secure VPN connection established with the help of the Secure Sockets Layer (SSL) and IPsec IKEv2 protocols.
A weakness in the inter-process communication (IPC) channel of the Secure Mobility Client could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.
Update to mitigate
According to Cisco, the vulnerability existed due to a lack of authentication to the IPC listener. An attacker could exploit this shortcoming to send crafted IPC messages to the AnyConnect client IPC listener, which could then cause the targeted AnyConnect user to execute a script.
As the company disclosed in November, successful exploitation requires active AnyConnect sessions and valid credentials on the targeted device.
The vulnerability is now addressed in the latest release of the Secure Mobility Client software. Cisco also said that customers who cannot immediately install the security updates can still mitigate the vulnerability by toggling off the Auto Update feature.
To further strengthen the security around its networking products, Cisco has recently acquired the makers of a threat assessment and vulnerability management platform, Kenna Security.
Via BleepingComputer