A high-severity flaw in Cisco Secure Client Software for Windows (formerly AnyConnect Secure Mobility Client) that permits attackers to elevate privileges to SYSTEM has proof-of-concept exploit code now available.
Utilizing a secure Virtual Private Network (VPN), Cisco Secure Client enables employees to work from any location and offers endpoint management and telemetry features for network administrators.
The vulnerability (tracked as CVE-2023-20178) allows authenticated threat actors to escalate privileges to the SYSTEM account used by the Windows operating system, in low-complexity attacks that do not require user interaction.
Abusing what Cisco refers to as a “specific function of the Windows installer process” is necessary for successful exploitation.
Cisco released security updates on Tuesday to address the issue, stating that its Product Security Incident Response Team (PSIRT) had no evidence of malicious use or of public exploit code targeting the bug in the wild.
With the release of AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2, CVE-2023-20178 was fixed.
Security researcher Filip Dragović, who discovered and reported the Arbitrary File Delete vulnerability to Cisco, published proof-of-concept (PoC) exploit code earlier this week.
As Dragović explains, the proof-of-concept was tested against Cisco Secure Client 5.0.01242 and Cisco AnyConnect 4.10.06079.
“The vpndownloader.exe process starts in the background when a user connects to a vpn. It will create a directory in c:\windows\temp with default permissions in the following format: <random numbers>.tmp,” according to the researcher.
“If that directory is not empty after it has been created, vpndownloader.exe will delete all of its files and directories. It is possible to abuse this behavior to delete any file as the NT Authority SYSTEM account.”
Taking advantage of this behavior of the Windows installer and the fact that a client update process is executed after each successful VPN connection, the attacker can then spawn a SYSTEM shell through arbitrary file deletion using the method described here to increase privileges.
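As an added, defender-side example (not from the article, the researcher or Cisco), the PowerShell audit below lists the `<number>.tmp` directories under C:\Windows\Temp and reports which of them a low-privileged principal can currently write into, which is the condition the quoted behavior depends on; the principal list, the digits-only name pattern and the function name are assumptions.

```powershell
# Added example (not from the article or Cisco): audit C:\Windows\Temp for
# "<random numbers>.tmp" directories that low-privileged principals can write into.
# Assumption: the principals below represent non-admin users on this host.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-TempDirExposure {
    param([string]$Root = 'C:\Windows\Temp')

    # Directories matching the naming pattern the researcher describes
    # (assumed here to be digits only, e.g. 12345.tmp).
    $dirs = Get-ChildItem -Path $Root -Directory -Filter '*.tmp' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^\d+\.tmp$' }

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        # Allow ACEs that grant write/modify/full control to a low-privileged principal
        $writable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $WriteMask) -ne 0)
        }

        [PSCustomObject]@{
            Path         = $dir.FullName
            Owner        = $acl.Owner
            Created      = $dir.CreationTime
            ItemCount    = (Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue | Measure-Object).Count
            LowPrivWrite = ($writable | ForEach-Object { $_.IdentityReference.Value }) -join ';'
        }
    }
}

# Report only directories that a low-privileged principal can write into.
Test-TempDirExposure | Where-Object { $_.LowPrivWrite } | Format-Table -AutoSize
```

Run it from an elevated prompt so every directory's ACL can be read; an empty result means no such directory is currently exposed, not that the client is patched, so still verify the installed version against the fixed releases named above.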
In October, citing active exploitation in attacks, Cisco warned customers to patch two additional AnyConnect security flaws that had been fixed three years earlier and for which public exploit code existed.
Two years ago, in May 2021, six months after its initial disclosure in November 2020, Cisco patched an AnyConnect zero-day with public exploit code.