VPN Hijacking Bug

Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with that of a targeted user.

The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.

Arising as a result of insufficient validation of user-supplied input, a threat actor could leverage the flaw to trick a user into clicking on a specially crafted link while establishing a VPN session.

“A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token,” the company said in an advisory.

“The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.”

The vulnerability impacts Secure Client for Windows, Linux, and macOS, and has been addressed in the following versions –

  • Earlier than 4.10.04065 (not vulnerable)
  • 4.10.04065 and later (fixed in 4.10.08025)
  • 5.0 (migrate to a fixed release)
  • 5.1 (fixed in 5.1.2.42)

Amazon security researcher Paulos Yibelo Mesfin has been credited with discovering and reporting the flaw, telling The Hacker News that the shortcoming allows attackers to access local internal networks when a target visits a website under their control.

Cisco has also published fixes for CVE-2024-20338 (CVSS score: 7.3), another high-severity flaw in Secure Client for Linux that could permit an authenticated, local attacker to elevate privileges on an affected device. It has been resolved in version 5.1.2.42.

“An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process,” it said. “A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.”