The Cisco AnyConnect client has two critical bugs that would allow an authenticated local attacker to take over affected systems, so Cisco has warned users to apply the available patches. CISA, too, has added these bugs to its Known Exploited Vulnerabilities list.
Security Bugs in Cisco AnyConnect
One of Cisco's most widely used products, the AnyConnect Secure Mobility Client, was found to contain two critical security vulnerabilities, tracked as CVE-2020-3433 and CVE-2020-3153, two years ago. Though Cisco released patches for both bugs, many users still haven't patched their clients, leaving themselves exposed. With Cisco now observing a rise in attacks against these vulnerable AnyConnect clients, the company has warned the remaining users to update immediately.

As per its advisory, the bugs allow local attackers to conduct DLL hijacking attacks and copy files to system directories with system-level privileges, after which they can execute arbitrary code on the targeted Windows devices. Although attackers need basic authentication first, Cisco said that chaining these bugs with other Windows privilege escalation flaws could make a compromise easy. With proof-of-concept exploits for both bugs already in the wild [1, 2], attackers have little standing in their way.

These vulnerabilities are serious enough that CISA added them to its list of Known Exploited Vulnerabilities on Monday and asked Federal Civilian Executive Branch (FCEB) agencies to update their AnyConnect clients immediately. Per the order, they are required to apply the relevant patches or mitigations before November 11th to protect themselves from exploitation. Though the directive is aimed at US federal agencies, organizations worldwide that use AnyConnect are advised to follow the Cisco and CISA guidance as well.
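As an added fleet check, not code from the article or from Cisco: this PowerShell snippet lists installed AnyConnect clients from the Windows Uninstall registry keys and flags any below a minimum fixed version. The display-name pattern is an assumption, and the fixed-version threshold is a placeholder to be filled in from Cisco's advisory for the two CVEs.

```powershell
# Added audit example (not from Cisco or the article): list installed
# Cisco AnyConnect Secure Mobility Client versions and flag those below a
# minimum fixed version. PLACEHOLDER: take the first fixed release for
# CVE-2020-3433 and CVE-2020-3153 from Cisco's advisory and set it here.
$MinimumFixedVersion = [version]'0.0.0.0'   # <-- replace with the advisory's fixed release

# Windows records installed software under these Uninstall keys (64-bit and
# 32-bit views). The product name match is an assumption based on the
# product's display name; adjust it if your build registers differently.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AnyConnectInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Cisco AnyConnect Secure Mobility Client*' } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion is a string; TryParse guards against odd formats
            # so one malformed entry does not abort the whole audit.
            $ok = [version]::TryParse($_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $_.DisplayVersion
                Vulnerable  = if ($ok) { $parsed -lt $MinimumFixedVersion } else { 'unknown' }
            }
        }
}

$installs = Get-AnyConnectInstall
if (-not $installs) {
    Write-Output 'No AnyConnect client found in the Uninstall registry keys.'
} else {
    $installs | Format-Table -AutoSize
    if ($installs | Where-Object { $_.Vulnerable -eq $true }) {
        Write-Warning 'At least one AnyConnect install is below the minimum fixed version; apply the Cisco patch.'
    }
}
```

Run it with administrative rights on each endpoint, or wrap it in Invoke-Command to collect results across a fleet; entries reported as 'unknown' have a version string the script could not parse and need a manual look.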