Cisco finally patches months-old VPN security flaw


It’s taken Cisco almost six months to fix a critical zero-day arbitrary code execution vulnerability in the Cisco AnyConnect Secure Mobility Client VPN software.

The Cisco Product Security Incident Response Team (PSIRT) initially disclosed the vulnerability in November 2020 without releasing a security update.

Back in November, PSIRT acknowledged the existence of proof-of-concept code that exploited the vulnerability, tracked as CVE-2020-3556. However, even in its latest advisory announcing the fix, Cisco said it had found no evidence of attackers exploiting the vulnerability in the wild.


The vulnerability exists in Cisco’s AnyConnect Secure Mobility Client, which enables remote employees to connect to the corporate network through a secure VPN connection established with the help of the Secure Sockets Layer (SSL) and IPsec IKEv2 protocols.

A weakness in the inter-process communication (IPC) channel of the Secure Mobility Client could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.

Update to mitigate

According to Cisco, the vulnerability existed due to a lack of authentication to the IPC listener. An attacker could exploit this shortcoming to send crafted IPC messages to the AnyConnect client IPC listener, which could then cause the targeted AnyConnect user to execute a script. 

As the company disclosed in November, successful exploitation requires active AnyConnect sessions and valid credentials on the targeted device.
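The flaw class described above, as an added example that is not Cisco's code or its fix: a listener that obeys any local sender, next to one that requires an HMAC tag and a fresh counter on every frame. The frame format, class names, session-key handling and the `status` action are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def seal(key: bytes, counter: int, message: dict) -> bytes:
    """Sender side: serialize the message with a counter and append a tag."""
    body = json.dumps({"ctr": counter, "msg": message}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class UnauthenticatedListener:
    """The flawed pattern: any local process that reaches the channel is obeyed."""

    def handle(self, frame: bytes) -> str:
        msg = json.loads(frame)
        return f"accepted {msg['action']}"


class AuthenticatedListener:
    """Hardened pattern: verify the tag before parsing, then reject replays."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_ctr = 0

    def handle(self, frame: bytes) -> str:
        if len(frame) <= TAG_LEN:
            return "rejected: too short to carry a tag"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: bad tag"
        envelope = json.loads(body)
        if envelope["ctr"] <= self._last_ctr:
            return "rejected: replayed or stale counter"
        self._last_ctr = envelope["ctr"]
        return f"accepted {envelope['msg']['action']}"


# Constructed sample traffic; the action name is a placeholder.
SESSION_KEY = secrets.token_bytes(32)  # assumed shared only with the trusted component
TRUSTED = seal(SESSION_KEY, 1, {"action": "status"})
UNTRUSTED = json.dumps({"action": "status"}).encode()  # sender without the key
```

The design choice that matters is ordering: the hardened listener checks the tag before it parses or acts on anything in the frame, so a sender without the key never reaches the message handling logic.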

The vulnerability is now addressed in the latest release of the Secure Mobility Client software. Cisco also said that customers who cannot immediately install the security updates can still mitigate the vulnerability by toggling off the Auto Update feature.

To further strengthen the security around its networking products, Cisco has recently acquired the makers of a threat assessment and vulnerability management platform, Kenna Security.

Via BleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.