AnyConnect Secure Mobility Client ACE Vulnerability
A notice of an arbitrary code execution (ACE) vulnerability in Cisco AnyConnect Secure Mobility Client was published in November 2020 (CVE-2020-3556). The severity score of the vulnerability is 7.3 (High). However, Cisco has not yet released a software update to patch the vulnerability.
Cisco recently released workarounds to temporarily mitigate the vulnerability, which means its users must manually check and apply the workarounds to keep themselves protected. We recommend that any organization using Cisco's AnyConnect Secure Mobility Client for Virtual Private Network (VPN) connections monitor the threat closely, in case additional workarounds are needed, and upgrade to a fixed release as soon as one is available.
The vulnerability in Cisco AnyConnect Secure Mobility Client may expand the attack surface of a system. The vulnerability in this VPN product has become a higher risk due to the recent, large-scale migration to working from home in the wake of the COVID-19 pandemic. Therefore, the Cysiv threat research team has published this threat advisory to ensure our customers are well informed and can take action to eliminate possible threats.
Exploits for this vulnerability can be embedded into malware and become an effective stepping-stone for lateral movement. The vulnerability also allows one user access to another user's data and execution space. This makes users of AnyConnect Secure Mobility Client software vulnerable to insider threats.
The vulnerability is classified as an arbitrary code execution vulnerability caused by the absence of necessary authentication elements on the interprocess communication (IPC) channel in the AnyConnect Secure Mobility Client software. The vulnerability allows an authenticated local attacker to send a crafted IPC message to the AnyConnect client IPC listener and execute a script with the privileges of the targeted AnyConnect user. Cisco lists the conditions for successfully exploiting the vulnerability as follows; the attacker must have:
- Valid user credentials on the system where the targeted user is running the AnyConnect client
- The ability to execute code on that system
- An AnyConnect session established by the targeted user at the time of the attack
It is relatively easy to obtain the information necessary to take advantage of this vulnerability, and exploits can be embedded into malware and become an effective stepping-stone for lateral movement. The vulnerability also allows one user access to another user's data and execution space.
The vulnerability affects the following Cisco AnyConnect Secure Mobility Client Software:
- AnyConnect Secure Mobility Client for Windows
- AnyConnect Secure Mobility Client for MacOS
- AnyConnect Secure Mobility Client for Linux
To verify if the Cisco AnyConnect Secure Mobility Client Software you are running is affected or not, you can check the configuration file named AnyConnectLocalPolicy.xml. It can be found at the following locations:
- On Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\
- On MacOS and Linux: /opt/cisco/anyconnect/
In the configuration file, the software is vulnerable if the RestrictScriptWebDeploy setting has its default value of false (version 4.9.04053 and later) or the BypassDownloader setting has its default value of false (versions earlier than 4.9.04053).
Cisco's recommended workarounds are:
- Upgrading AnyConnect Secure Mobility Client to release 4.9.04053.
- Checking and editing the configuration file AnyConnectLocalPolicy.xml (the file paths are listed above). The recommended configuration is shown in Figure 1.
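The check described above, applied automatically: this added example (not code from Cisco or from the advisory) parses an AnyConnectLocalPolicy.xml file and reports whether the setting that matters for the installed version (RestrictScriptWebDeploy from 4.9.04053 onward, BypassDownloader before) still has its vulnerable default of false. The sample policy files are constructed; the element names come from the advisory, while the surrounding XML structure (root element, namespace) is assumed.

```python
import xml.etree.ElementTree as ET

# Release at which the relevant setting changes, taken from the advisory.
WORKAROUND_VERSION = (4, 9, 4053)


def parse_version(ver: str) -> tuple:
    """'4.9.04053' -> (4, 9, 4053) so releases compare numerically."""
    return tuple(int(part) for part in ver.split("."))


def _setting(root, name: str) -> bool:
    """Read a boolean element, ignoring any XML namespace prefix.
    A missing element is treated as the default, which is false."""
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == name:
            return (elem.text or "").strip().lower() == "true"
    return False


def check_local_policy(xml_text: str, version: str) -> dict:
    """Return which setting was checked for this version and whether the
    policy is still in the vulnerable (default false) state."""
    root = ET.fromstring(xml_text)
    if parse_version(version) >= WORKAROUND_VERSION:
        name = "RestrictScriptWebDeploy"
    else:
        name = "BypassDownloader"
    value = _setting(root, name)
    return {"version": version, "setting": name,
            "value": value, "vulnerable": not value}


# Constructed sample policies (assumed structure, not captured from a host).
SAMPLE_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
</AnyConnectLocalPolicy>"""

SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(
    "<RestrictScriptWebDeploy>false", "<RestrictScriptWebDeploy>true")

if __name__ == "__main__":
    for label, policy in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, check_local_policy(policy, "4.9.04053"))
```

On a real host, read the file from the Windows or MacOS/Linux path given above and pass the installed release string in place of the constructed version.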
Protection Provided by Cysiv
- 24x7 monitoring provides organizations with real-time alerts and quick isolation and remediation to contain a threat during the early stages of an attack, preventing a compromise, data loss or breach.
- Human-led threat hunting helps to identify suspicious activity and digital footprints that are indicative of an intrusion.
- Anti-malware that may already be deployed (or can be deployed by Cysiv) on endpoints, for users, and that can be monitored as part of the Cysiv service, will constantly monitor for abnormal activity and block any connection to suspicious URLs, IPs and domains.
- Anti-malware that may already be deployed (or can be deployed by Cysiv) on servers and workloads, and that can be monitored as part of the Cysiv service, uses a variety of threat detection capabilities, notably behavioral analysis that protects against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless malware. Additionally, it will monitor events and quickly examine which processes or events are triggering malicious activity.
- Network security appliances that may already be deployed (or can be deployed by Cysiv) and that can be monitored as part of the Cysiv service will detect malicious attachments and URLs, and are able to identify suspicious communication in over 100 different protocols over any port. These appliances can also detect remote scripts even if they are not downloaded at the physical endpoint.