Cisco addressed a high-severity flaw in Cisco Secure Client that can allow attackers to escalate privileges to the SYSTEM account.

Cisco has fixed a high-severity vulnerability, tracked as CVE-2023-20178 (CVSS Score 7.8), found in Cisco Secure Client (formerly AnyConnect Secure Mobility Client) that can be exploited by low-privileged, authenticated, local attacker to escalate privileges to the SYSTEM account.

“A vulnerability in the client update feature of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.” reads the advisory published by the company.

“An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.”

The vulnerability stems from improper permissions assigned to a temporary directory that is created during the upgrade process.

Cisco Secure Client is a software platform designed to provide secure remote access to corporate networks for employees or authorized users. The Cisco Secure Client offers a range of features and functionalities to ensure secure connectivity and protect data during remote access sessions. It supports robust authentication mechanisms, encryption protocols, and network access controls to protect sensitive information and prevent unauthorized access.

The company recommends customers to upgrade to an appropriate fixed software release as indicated in the table below.

CISCO ANYCONNECT SECURE MOBILITY CLIENT FOR WINDOWS SOFTWAREFIRST FIXED RELEASE
4.10 and earlier4.10MR7
CISCO SECURE CLIENT FOR WINDOWS SOFTWAREFIRST FIXED RELEASE
5.05.0MR2

The vulnerability was discovered by Filip Dragovic, according to the advisory there are no workarounds that address the issue.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks exploiting this vulnerability in the wild.

The company pointed out that the flaw does not affect the following products:

  • Cisco AnyConnect Secure Mobility Client for Linux
  • Cisco AnyConnect Secure Mobility Client for MacOS
  • Cisco Secure Client-AnyConnect for Android
  • Cisco Secure Client AnyConnect VPN for iOS
  • Cisco Secure Client for Linux
  • Cisco Secure Client for MacOS

 

[출처 : SecurityAffairs / 6.8.]