on 27/10/2022, by Michael Cooney, IDG NS (adapted by Jean Elyan), Security
Software updates are available for two Cisco AnyConnect VPN products for Windows. According to the supplier, the vulnerabilities affecting these products represent a high threat.
Cisco is offering software updates for two of its AnyConnect for Windows products that it says are actively exploited. AnyConnect for Windows security software establishes VPN connectivity, provides access control, and supports other endpoint security features. As stated by Cisco, AnyConnect products for MacOS and Linux are not affected. The vendor has stated that its Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. In October 2022, Cisco PSIRT became aware of further attempts to exploit this vulnerability in the wild. Cisco still strongly recommends that customers upgrade to a patched software release to address this vulnerability, the vendor said in its advisory for both vulnerabilities. There is no workaround, but software updates are available to fix it, the OEM said.
The first vulnerability relates to a weakness in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client for Windows. This could allow an authenticated local attacker to perform a Microsoft Dynamic Link Library (DLL) hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system, the vendor said. The vulnerability results from insufficient validation of the resources loaded by the application at runtime. An attacker could exploit this vulnerability by sending a modified IPC message to the AnyConnect process, Cisco explained. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. Cisco has addressed this vulnerability in AnyConnect Secure Mobility Client for Windows versions 4.9.00086 and later.
Meraki equipment affected
The second vulnerability concerns the installation component of AnyConnect Secure Mobility Client for Windows. It could allow an authenticated local attacker to copy user-provided files into system-level directories with elevated privileges. The vulnerability is a result of improper management of directory paths, the vendor said. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. This could include DLL preloading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker must have valid credentials on the Windows system, Cisco also said. AnyConnect Secure Mobility Client for Windows versions 4.8.02042 and later address the vulnerability.
In addition to this Windows weakness, Cisco recently fixed a vulnerability in the AnyConnect VPN server of Meraki MX and Meraki Z3 Teleworker Gateway devices. This vulnerability, which has not been observed to be exploited in the wild, results from insufficient validation of customer-provided parameters when establishing an SSL VPN session, Cisco said. An attacker could exploit this vulnerability by creating a malicious request and sending it to the affected device, the San Jose firm added. A successful exploit could allow the attacker to crash and restart the Cisco AnyConnect VPN server, causing established SSL VPN connections to fail and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established, Cisco said. When attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without the need for manual intervention, the vendor notes.