CVE-2020-3556 (GCVE-0-2020-3556)
Vulnerability from cvelistv5
| URL | Tags | ||
|---|---|---|---|
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco AnyConnect Secure Mobility Client |
Version: n/a |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:37:54.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20201104 Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-3556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-13T17:17:14.365518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T17:43:22.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco AnyConnect Secure Mobility Client",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-11-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-06T18:16:22",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20201104 Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
}
],
"source": {
"advisory": "cisco-sa-anyconnect-ipc-KfQO9QhK",
"defect": [
[
"CSCvv30103"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2020-11-04T16:00:00",
"ID": "CVE-2020-3556",
"STATE": "PUBLIC",
"TITLE": "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco AnyConnect Secure Mobility Client",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "7.3",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20201104 Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
}
]
},
"source": {
"advisory": "cisco-sa-anyconnect-ipc-KfQO9QhK",
"defect": [
[
"CSCvv30103"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2020-3556",
"datePublished": "2020-11-06T18:16:22.303918Z",
"dateReserved": "2019-12-12T00:00:00",
"dateUpdated": "2024-11-13T17:43:22.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-3556\",\"sourceIdentifier\":\"ykramarz@cisco.com\",\"published\":\"2020-11-06T19:15:14.657\",\"lastModified\":\"2024-11-21T05:31:18.510\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. 
Cisco has not released software updates that address this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el canal interprocess communication (IPC) de Cisco AnyConnect Secure Mobility Client Software, podr\u00eda permitir a un atacante local autenticado causar que un usuario de AnyConnect apuntado ejecute un script malicioso.\u0026#xa0;La vulnerabilidad es debido a una falta de autenticaci\u00f3n del oyente de IPC.\u0026#xa0;Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo mensajes IPC dise\u00f1ados a la escucha de IPC del cliente AnyConnect.\u0026#xa0;Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir a un atacante causar que el usuario apuntado de AnyConnect ejecute un script.\u0026#xa0;Este script se ejecutar\u00eda con los privilegios del usuario de AnyConnect apuntado.\u0026#xa0;Para explotar con \u00e9xito esta vulnerabilidad, debe haber una sesi\u00f3n AnyConnect en curso por parte del usuario apuntado en el momento del ataque.\u0026#xa0;Para explotar esta vulnerabilidad,\u0026#xa0;el atacante tambi\u00e9n podr\u00eda necesitar credenciales de usuario v\u00e1lidas en el sistema en el esta siendo ejecutado el cliente AnyConnect.\u0026#xa0;Cisco no ha publicado actualizaciones de software que abordan esta 
vulnerabilidad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ykramarz@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"ykramarz@cisco.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:an
yconnect_secure_mobility_client:4.9\\\\(3052\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5AC53A63-24BB-473B-9B50-00FB9FF003B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:anyconnect_secure_mobility_client:98.145\\\\(86\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCD36939-539A-4437-98FC-93488229CDCA\"}]}]}],\"references\":[{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK\",\"source\":\"ykramarz@cisco.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK\", \"name\": \"20201104 Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T07:37:54.975Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2020-3556\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-13T17:17:14.365518Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-13T17:19:33.889Z\"}}], \"cna\": {\"title\": \"Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability\", \"source\": {\"defect\": [[\"CSCvv30103\"]], \"advisory\": \"cisco-sa-anyconnect-ipc-KfQO9QhK\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco AnyConnect Secure Mobility Client\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"exploits\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code 
is available for the vulnerability described in this advisory.\"}], \"datePublic\": \"2020-11-04T00:00:00\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK\", \"name\": \"20201104 Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. 
Cisco has not released software updates that address this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2020-11-06T18:16:22\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"version\": \"3.0\", \"baseScore\": \"7.3\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\"}}, \"source\": {\"defect\": [[\"CSCvv30103\"]], \"advisory\": \"cisco-sa-anyconnect-ipc-KfQO9QhK\", \"discovery\": \"INTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"n/a\"}]}, \"product_name\": \"Cisco AnyConnect Secure Mobility Client\"}]}, \"vendor_name\": \"Cisco\"}]}}, \"exploit\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.\"}], \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK\", \"name\": \"20201104 Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability\", \"refsource\": \"CISCO\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. 
A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-20\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2020-3556\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability\", \"ASSIGNER\": \"psirt@cisco.com\", \"DATE_PUBLIC\": \"2020-11-04T16:00:00\"}}}}",
"cveMetadata": "{\"cveId\": \"CVE-2020-3556\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-13T17:43:22.675Z\", \"dateReserved\": \"2019-12-12T00:00:00\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2020-11-06T18:16:22.303918Z\", \"assignerShortName\": \"cisco\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
fkie_cve-2020-3556
Vulnerability from fkie_nvd
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | anyconnect_secure_mobility_client | 4.9\(3052\) | |
| cisco | anyconnect_secure_mobility_client | 98.145\(86\) |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.9\\(3052\\):*:*:*:*:*:*:*",
"matchCriteriaId": "5AC53A63-24BB-473B-9B50-00FB9FF003B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:98.145\\(86\\):*:*:*:*:*:*:*",
"matchCriteriaId": "BCD36939-539A-4437-98FC-93488229CDCA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability."
},
{
"lang": "es",
"value": "Una vulnerabilidad en el canal interprocess communication (IPC) de Cisco AnyConnect Secure Mobility Client Software, podr\u00eda permitir a un atacante local autenticado causar que un usuario de AnyConnect apuntado ejecute un script malicioso.\u0026#xa0;La vulnerabilidad es debido a una falta de autenticaci\u00f3n del oyente de IPC.\u0026#xa0;Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo mensajes IPC dise\u00f1ados a la escucha de IPC del cliente AnyConnect.\u0026#xa0;Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir a un atacante causar que el usuario apuntado de AnyConnect ejecute un script.\u0026#xa0;Este script se ejecutar\u00eda con los privilegios del usuario de AnyConnect apuntado.\u0026#xa0;Para explotar con \u00e9xito esta vulnerabilidad, debe haber una sesi\u00f3n AnyConnect en curso por parte del usuario apuntado en el momento del ataque.\u0026#xa0;Para explotar esta vulnerabilidad,\u0026#xa0;el atacante tambi\u00e9n podr\u00eda necesitar credenciales de usuario v\u00e1lidas en el sistema en el esta siendo ejecutado el cliente AnyConnect.\u0026#xa0;Cisco no ha publicado actualizaciones de software que abordan esta vulnerabilidad"
}
],
"id": "CVE-2020-3556",
"lastModified": "2024-11-21T05:31:18.510",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-06T19:15:14.657",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CERTFR-2020-AVI-713
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Cisco. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
- SD-WAN versions antérieures à 20.1.2
- SD-WAN versions antérieures à 20.3.2
- application Webex Meetings Desktop pour Windows 40.6.x versions antérieures à 40.6.9
- application Webex Meetings Desktop pour Windows 40.8.x versions antérieures à 40.8.9
- Webex Meetings sites 40.6.x versions antérieures à 40.6.11
- Webex Meetings sites 40.8.x versions antérieures à 40.8.0
- Webex Meetings Server 3.x versions antérieures à 3.0MR3 SP4
- Webex Meetings Server 4.x versions antérieures à 4.0MR3 SP4
- application Cisco AnyConnect Secure Mobility toutes versions avec les options "Auto Update" et "Enable Scripting" activées
- Cisco IOS XR pour ASR 9000 versions antérieures à 6.5.2 avec une version de BIOS antérieure à 10.65, 14.35, 16.14, 17.34, 22.20, 30.23 ou 31.20 en fonction du matériel
- Cisco IOS XR pour NCS 1000 versions antérieures à 7.1.1 avec une version de BIOS antérieure à 14.60
- Cisco IOS XR pour NCS 540 versions antérieures à 7.2.1 avec une version de BIOS antérieure à 1.15
- Cisco IOS XR pour NCS 560 versions antérieures à 6.6.3, 6.6.24 et 7.0.2 avec une version de BIOS antérieure à 0.14
- Cisco IOS XR pour NCS 5000 versions antérieures à 7.2.1 avec une version de BIOS antérieure à 1.13 ou 1.14 en fonction du matériel
- Cisco IOS XR pour NCS 5500 versions antérieures à 6.6.3 et 6.6.24 avec une version de BIOS antérieure à 9.30, 1.21 ou 1.12 en fonction du matériel
Les versions SD-WAN 18.x et 19.x sont également affectées et doivent faire l'objet d'une mise à jour vers les versions ci-dessus.
| Vendor | Product | Description |
|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cul\u003e \u003cli\u003eSD-WAN versions ant\u00e9rieures \u00e0 20.1.2\u003c/li\u003e \u003cli\u003eSD-WAN versions ant\u00e9rieures \u00e0 20.3.2\u003c/li\u003e \u003cli\u003eapplication Webex Meetings Desktop pour Windows 40.6.x versions ant\u00e9rieures \u00e0 40.6.9\u003c/li\u003e \u003cli\u003eapplication Webex Meetings Desktop pour Windows 40.8.x versions ant\u00e9rieures \u00e0 40.8.9\u003c/li\u003e \u003cli\u003eWebex Meetings sites 40.6.x versions ant\u00e9rieures \u00e0 40.6.11\u003c/li\u003e \u003cli\u003eWebex Meetings sites 40.8.x versions ant\u00e9rieures \u00e0 40.8.0\u003c/li\u003e \u003cli\u003eWebex Meetings Server 3.x versions ant\u00e9rieures \u00e0 3.0MR3 SP4\u003c/li\u003e \u003cli\u003eWebex Meetings Server 4.x versions ant\u00e9rieures \u00e0 4.0MR3 SP4\u003c/li\u003e \u003cli\u003e\u003cspan class=\"more\"\u003eapplication Cisco\u00a0AnyConnect Secure Mobility toutes versions avec les options \"Auto Update\" et \"Enable Scripting\" activ\u00e9es\u003c/span\u003e\u003c/li\u003e \u003cli\u003eCisco IOS XR pour ASR 9000 versions ant\u00e9rieures \u00e0 6.5.2 avec une version de BIOS ant\u00e9rieure \u00e0 10.65, 14.35, 16.14, 17.34, 22.20, 30.23 ou 31.20 en fonction du mat\u00e9riel\u003c/li\u003e \u003cli\u003eCisco IOS XR pour NCS 1000 versions ant\u00e9rieures \u00e0 7.1.1 avec une version de BIOS ant\u00e9rieure \u00e0 14.60\u003c/li\u003e \u003cli\u003eCisco IOS XR pour NCS 540 versions ant\u00e9rieures \u00e0 7.2.1 avec une version de BIOS ant\u00e9rieure \u00e0 1.15\u003c/li\u003e \u003cli\u003eCisco IOS XR pour NCS 560 versions ant\u00e9rieures \u00e0 6.6.3, 6.6.24 et 7.0.2 avec une version de BIOS ant\u00e9rieure \u00e0 0.14\u003c/li\u003e \u003cli\u003eCisco IOS XR pour NCS 5000 versions ant\u00e9rieures \u00e0 7.2.1 avec une version de BIOS ant\u00e9rieure \u00e0 1.13 ou 1.14 en fonction du mat\u00e9riel\u003c/li\u003e \u003cli\u003eCisco IOS XR pour NCS 5500 versions ant\u00e9rieures \u00e0 6.6.3 
et 6.6.24 avec une version de BIOS ant\u00e9rieure \u00e0 9.30, 1.21 ou 1.12 en fonction du mat\u00e9riel\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eLes versions SD-WAN 18.x et 19.x sont \u00e9galement affect\u00e9es et doivent faire l\u0027objet d\u0027une mise \u00e0 jour vers les versions ci-dessus.\u003c/p\u003e ",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-3284",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3284"
},
{
"name": "CVE-2020-3600",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3600"
},
{
"name": "CVE-2020-3556",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3556"
},
{
"name": "CVE-2020-26074",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26074"
},
{
"name": "CVE-2020-3574",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3574"
},
{
"name": "CVE-2020-3595",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3595"
},
{
"name": "CVE-2020-26071",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26071"
},
{
"name": "CVE-2020-3593",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3593"
},
{
"name": "CVE-2020-3603",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3603"
},
{
"name": "CVE-2020-3573",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3573"
},
{
"name": "CVE-2020-3604",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3604"
},
{
"name": "CVE-2020-26073",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26073"
},
{
"name": "CVE-2020-3588",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-3588"
}
],
"initial_release_date": "2020-11-05T00:00:00",
"last_revision_date": "2020-11-06T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-anyconnect-ipc-KfQO9QhK du 04 f\u00e9vrier 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-vepegr-4xynYLUj du 04 f\u00e9vrier 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vepegr-4xynYLUj"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2 du 04 f\u00e9vrier 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2"
}
],
"reference": "CERTFR-2020-AVI-713",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-11-05T00:00:00.000000"
},
{
"description": "ajout des syst\u00e8mes affect\u00e9s manquants et correction de dates erron\u00e9es",
"revision_date": "2020-11-06T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Cisco.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Cisco",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-vman-traversal-hQh24tmk du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-escalation-Jhqs5Skf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-webex-vdi-qQrpBwuJ du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-vdi-qQrpBwuJ"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-vepegr-4xynYLUj du 04 novembre 2020",
"url": null
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-vepeshlg-tJghOQcA du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vepeshlg-tJghOQcA"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-vmanage-escalation-Jhqs5Skf du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-escalation-Jhqs5Skf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-vsoln-arbfile-gtsEYxns du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vsoln-arbfile-gtsEYxns"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-vepescm-BjgQm4vJ du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vepescm-BjgQm4vJ"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-webex-nbr-NOS6FQ24 du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-nbr-NOS6FQ24"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-anyconnect-ipc-KfQO9QhK du 04 novembre 2020",
"url": null
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-iosxr-pxe-unsign-code-exec-qAa78fD2 du 04 novembre 2020",
"url": null
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-voip-phone-flood-dos-YnU9EXOv du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-flood-dos-YnU9EXOv"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-vepestd-8C3J9Vc du 04 novembre 2020",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vepestd-8C3J9Vc"
}
]
}
cisco-sa-anyconnect-ipc-KfQO9QhK
Vulnerability from csaf_cisco
Notes
{
"document": {
"acknowledgments": [
{
"summary": "Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) for reporting this vulnerability."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.\r\n\r\nThe vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.\r\n\r\nNote: To successfully exploit this vulnerability, an attacker would need all of the following:\r\n\r\nValid user credentials on the system on which the AnyConnect client is being run by the targeted user.\r\nTo be able to log in to that system while the targeted user either has an active AnyConnect session established or establishes a new AnyConnect session.\r\nTo be able to execute code on that system.\r\n\r\nCisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.\r\n\r\n",
"title": "Summary"
},
{
"category": "general",
"text": "This vulnerability affects all releases of Cisco AnyConnect Secure Mobility Client Software earlier than Release 4.10.00093 for the following platforms if they have a vulnerable configuration:\r\n\r\nAnyConnect Secure Mobility Client for Windows\r\nAnyConnect Secure Mobility Client for MacOS\r\nAnyConnect Secure Mobility Client for Linux\r\n\r\nThe following subsections describe how to determine vulnerability for specific releases of Cisco AnyConnect Secure Mobility Client Software. The release of Cisco AnyConnect Secure Mobility Client Software that is running on the end machine determines which configurations the user must check.\r\n\r\nThe configuration settings discussed in the following subsections are in the AnyConnectLocalPolicy.xml file. This file is in the following locations:\r\n\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS: /opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037\r\nThe vulnerability described in this advisory affects Cisco AnyConnect Secure Mobility Client Software releases 4.9.04053, 4.9.05042, and 4.9.06037 if RestrictScriptWebDeploy is set to the default value of false.\r\n\r\nTo verify the RestrictScriptWebDeploy configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line:\r\n\r\n\r\n\u003cRestrictScriptWebDeploy\u003efalse\u003c/RestrictScriptWebDeploy\u003e\r\n\r\nIf RestrictScriptWebDeploy is set to false, RestrictScriptWebDeploy is disabled and the device is affected by this vulnerability. 
If RestrictScriptWebDeploy is set to true, RestrictScriptWebDeploy is enabled and the device is not affected by this vulnerability.\r\n\r\nSee the Workarounds [\"#workarounds\"] section for additional optional but recommended settings.\r\n Cisco AnyConnect Secure Mobility Client Software Releases Earlier than Release 4.9.04053\r\nThe vulnerability described in this advisory affects all releases of Cisco AnyConnect Secure Mobility Client Software earlier than Release 4.9.04053 if BypassDownloader is set to the default value of false.\r\n\r\nTo verify the BypassDownloader configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line:\r\n\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nIf BypassDownloader is set to false, BypassDownloader is disabled and the device is affected by this vulnerability. If BypassDownloader is set to true, BypassDownloader is enabled and the device is not affected by this vulnerability.\r\n\r\nNote: Setting BypassDownloader to true is not a recommended configuration. See the Workarounds [\"#workarounds\"] section for more details.",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nThis vulnerability does not affect Cisco AnyConnect Secure Mobility Client for Apple iOS or Android platforms or for the Universal Windows Platform.",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "Details about the vulnerability are as follows.\r\n\r\nThis vulnerability is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.\r\nThis vulnerability is not remotely exploitable, as it requires local credentials on the end-user device for the attacker to take action on the local system.\r\nThis vulnerability is not a privilege elevation exploit. The scripts run at the user level by default. If the local AnyConnect user manually raises the privilege of the User Interface process, the scripts would run at elevated privileges.\r\nThis vulnerability\u2019s CVSS score is high because, for configurations where the vulnerability is exploitable, it allows one user access to another user\u2019s data and execution space.",
"title": "Details"
},
{
"category": "general",
"text": "Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062\"] via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.\r\n\r\nThe settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations [\"#Recommendations\"] section of this advisory.\r\n Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093\r\nReleases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv30103\"] with no additional configuration required. See the Recommendations [\"#Recommendations\"] section for additional optional but recommended settings.\r\n Upgrade instructions for systems where workarounds were previously applied\r\nThis section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html\"] or Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/deploy-anyconnect.html?bookSearch=true\"].\r\n\r\nThe following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. 
This file is in the following locations:\r\n\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS: /opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n\r\n AnyConnect Secure Mobility Client Software Release AnyConnectLocalPolicy.xml Settings Instructions\r\nEarlier than 4.9.04053\r\n\r\nPreviously deployed AnyConnectLocalPolicy.xml settings:\r\n\r\nBypassDownloader= true\r\n\r\nNew AnyConnectLocalPolicy.xml settings:\r\n\r\nBypassDownloader=false\r\n\r\n\r\nUpgrade to 4.10 using a predeploy method.\r\nRedistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.\r\nApply the new 4.10 settings shown in the Recommendations [\"#Recommendations\"] section.\r\n\r\n\r\n4.9.04053, 4.9.05042, 4.9.06037\r\n\r\nPreviously deployed AnyConnectLocalPolicy.xml settings:\r\n\r\nRestrictScriptWebDeploy=true\r\nRestrictHelpWebDeploy=true\r\nRestrictResourceWebDeploy=true\r\nRestrictLocalizationWebDeploy=true\r\nBypassDownloader=false\r\n\r\nNew AnyConnectLocalPolicy.xml settings:\r\n\r\nRestrictScriptWebDeploy=false\r\nRestrictHelpWebDeploy=false\r\nRestrictResourceWebDeploy=false\r\nRestrictLocalizationWebDeploy=false\r\nBypassDownloader=false\r\n\r\n\r\nUpgrade to 4.10 using either a predeploy or webdeploy method.\r\nRedistribute (see note 1) the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.\r\nApply the new 4.10 settings shown in the Recommendations [\"#Recommendations\"] section.\r\n\r\n\r\n1. Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. 
If these settings remain true, files must be distributed using an out-of-band deployment method.\r\n Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037 For customers who have already applied the RestrictScriptWebDeploy workaround\r\nFor customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.\r\n\r\nTo restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations [\"#Recommendations\"] section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.\r\n For customers who cannot upgrade to Release 4.10.00093 or later\r\nFor customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment.\r\n\r\nThere are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. 
For more details about the new configuration settings and implications of their use, refer to the Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html#Cisco_Reference.dita_79c2fd57-db64-4449-9072-26e62e46630b\"] or Cisco bug ID CSCvw48062 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062\"]. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.\r\n\r\nRestrictScriptWebDeploy\r\nRestrictHelpWebDeploy\r\nRestrictResourceWebDeploy\r\nRestrictLocalizationWebDeploy\r\n\r\nThe following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. 
This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux:/opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:\r\n\u003cRestrictScriptWebDeploy\u003efalse\u003c/RestrictScriptWebDeploy\u003e\r\n\u003cRestrictHelpWebDeploy\u003efalse\u003c/RestrictHelpWebDeploy\u003e \u003cRestrictResourceWebDeploy\u003efalse\u003c/RestrictResourceWebDeploy\u003e \u003cRestrictLocalizationWebDeploy\u003efalse\u003c/RestrictLocalizationWebDeploy\u003e\r\n\r\nChange that setting to true, as shown in the following example:\r\n\u003cRestrictScriptWebDeploy\u003etrue\u003c/RestrictScriptWebDeploy\u003e\r\n\u003cRestrictHelpWebDeploy\u003etrue\u003c/RestrictHelpWebDeploy\u003e \u003cRestrictResourceWebDeploy\u003etrue\u003c/RestrictResourceWebDeploy\u003e \u003cRestrictLocalizationWebDeploy\u003etrue\u003c/RestrictLocalizationWebDeploy\u003e\r\n\r\nVerify that the BypassDownloader setting is correct by looking for the following line:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nIf the BypassDownloader setting is true, change it to false, as shown in the following example:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.\r\n\r\n Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053 For customers who have already applied the BypassDownloader mitigation\r\nFor customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. 
Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations [\"#Recommendations\"] section.\r\n For customers who cannot upgrade to Release 4.10.00093 or later\r\nFor customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.\r\n\r\nWarning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.\r\n\r\nNote: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:\r\n\r\nAll future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.\r\nAnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.\r\n\r\nThe procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. 
This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nChange that setting to true, as shown in the following example:\r\n\r\n\u003cBypassDownloader\u003etrue\u003c/BypassDownloader\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.",
"title": "Workarounds"
},
{
"category": "general",
"text": "Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:\r\nhttps://www.cisco.com/c/en/us/products/end-user-license-agreement.html [\"https://www.cisco.com/c/en/us/products/end-user-license-agreement.html\"]\r\n\r\nAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. 
If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n Customers Without Service Contracts\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]\r\n\r\nCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n Fixed Releases\r\nCisco fixed this vulnerability in Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "Cisco AnyConnect Secure Mobility Client Software 4.10.00093 introduced new settings. It is now possible to individually allow/disallow scripts, help, resources, or localization updates in the local policy. These new settings are strongly recommended for increased protection. The full set of restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the AnyConnect Local Policy [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/anyconnect-profile-editor.html?bookSearch=true#ID-1430-000002bf%20%20\"] section of the administrator guide.\r\n Configuration Setting Name Default Value Recommended Configuration Setting Value StrictCertificateTrust False True RestrictServerCertStore False True AllowSoftwareUpdatesFromAnyServer True False AllowComplianceUpdatesModuleFromAnyServer True False AllowManagementVPNProfileUpdatesFromAnyServer True False AllowISEPostureProfileUpdatesFromAnyServer True False AllowServiceProfileUpdatesFromAnyServer True False AllowScriptUpdatesFromAnyServer True False AllowScriptUpdatesFromAnyServer True False AllowHelpUpdatesFromAnyServer True False AllowResourceUpdatesFromAnyServer True False AllowLocalizationUpdatesFromAnyServer True False ServerName Blank List of authorized servers.\r\nCan use wildcards, for example *.cisco.com\r\n\r\nBypassDownloader is not a new setting, but ensure that it is set to false.\r\n Configuration Setting Name Default Value Recommended Configuration Setting Value BypassDownloader False False\r\n\r\nTo configure the recommended settings on Release 4.10.00093 and later, edit the AnyConnectLocalPolicy.xml file to change configuration values to the recommended values listed in the preceding table. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines.\r\n\r\nThe following procedure is for editing the policy on a local machine. 
In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux:/opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\u003cStrictCertificateTrust\u003etrue\u003c/StrictCertificateTrust\u003e\r\n\u003cRestrictServerCertStore\u003etrue\u003c/RestrictServerCertStore\u003e\r\n\u003cAllowSoftwareUpdatesFromAnyServer\u003efalse\u003c/AllowSoftwareUpdatesFromAnyServer\u003e\r\n\u003cAllowComplianceUpdatesModuleFromAnyServer\u003efalse\u003c/AllowComplianceUpdatesModuleFromAnyServer\u003e\r\n\u003cAllowManagementVPNProfileUpdatesFromAnyServer\u003efalse\u003c/AllowManagementVPNProfileUpdatesFromAnyServer\u003e\r\n\u003cAllowISEPostureProfileUpdatesFromAnyServer\u003efalse\u003c/AllowISEPostureProfileUpdatesFromAnyServer\u003e\r\n\u003cAllowServiceProfileUpdatesFromAnyServer\u003efalse\u003c/AllowServiceProfileUpdatesFromAnyServer\u003e\r\n\u003cAllowScriptUpdatesFromAnyServer\u003efalse\u003c/AllowScriptUpdatesFromAnyServer\u003e\r\n\u003cAllowHelpUpdatesFromAnyServer\u003efalse\u003c/AllowHelpUpdatesFromAnyServer\u003e\r\n\u003cAllowResourceUpdatesFromAnyServer\u003efalse\u003c/AllowResourceUpdatesFromAnyServer\u003e\r\n\u003cAllowLocalizationUpdatesFromAnyServer\u003efalse\u003c/AllowLocalizationUpdatesFromAnyServer\u003e\r\n\r\nIf the configuration setting values do not match the values shown above, change them.\r\nAdd 
authorized server names to the configuration file:\r\n\u003cServerName\u003e *.example.com \u003c/ServerName\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.",
"title": "Recommendations"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.\r\n\r\nThe Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) for reporting this vulnerability.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@cisco.com",
"issuing_authority": "Cisco PSIRT",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "CSCvw48062",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062"
},
{
"category": "external",
"summary": "CSCvv30103",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv30103"
},
{
"category": "external",
"summary": "Release Notes",
"url": "https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html"
},
{
"category": "external",
"summary": "Configuration Guide",
"url": "https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/deploy-anyconnect.html?bookSearch=true"
},
{
"category": "external",
"summary": "Release Notes",
"url": "https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html#Cisco_Reference.dita_79c2fd57-db64-4449-9072-26e62e46630b"
},
{
"category": "external",
"summary": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html",
"url": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html"
},
{
"category": "external",
"summary": "considering software upgrades",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Security Advisories page",
"url": "https://www.cisco.com/go/psirt"
},
{
"category": "external",
"summary": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html",
"url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
},
{
"category": "external",
"summary": "AnyConnect Local Policy",
"url": "https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/anyconnect-profile-editor.html?bookSearch=true#ID-1430-000002bf%20%20"
}
],
"title": "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"tracking": {
"current_release_date": "2021-05-21T18:06:37+00:00",
"generator": {
"date": "2024-05-10T22:56:13+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-anyconnect-ipc-KfQO9QhK",
"initial_release_date": "2020-11-04T16:00:00+00:00",
"revision_history": [
{
"date": "2020-11-04T15:21:41+00:00",
"number": "1.0.0",
"summary": "Initial public release."
},
{
"date": "2020-11-05T22:27:26+00:00",
"number": "2.0.0",
"summary": "Clarified the requirements for a successful attack. Corrected information about vulnerable configurations and mitigations."
},
{
"date": "2020-11-09T21:50:11+00:00",
"number": "2.1.0",
"summary": "Clarified mitigation information."
},
{
"date": "2020-11-10T17:15:11+00:00",
"number": "2.2.0",
"summary": "Added additional details on the vulnerability. Clarified the mitigation."
},
{
"date": "2020-12-04T15:21:28+00:00",
"number": "3.0.0",
"summary": "Added information about the enhancement CSCvw48062."
},
{
"date": "2021-05-12T14:16:53+00:00",
"number": "4.0.0",
"summary": "Added fixed release information. Added Universal Windows Platform information."
},
{
"date": "2021-05-21T18:06:37+00:00",
"number": "4.1.0",
"summary": "Updated the BypassDownloader tagging examples to include the closing \"/\" in three instances."
}
],
"status": "final",
"version": "4.1.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco Secure Client",
"product": {
"name": "Cisco Secure Client ",
"product_id": "CSAFPID-109810"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-3556",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCvv30103"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-109810"
]
},
"release_date": "2020-11-04T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-109810"
],
"url": "https://software.cisco.com"
},
{
"category": "workaround",
"details": "Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062\"] via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.\r\n\r\nThe settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations [\"#Recommendations\"] section of this advisory.\r\n Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093\r\nReleases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv30103\"] with no additional configuration required. See the Recommendations [\"#Recommendations\"] section for additional optional but recommended settings.\r\n Upgrade instructions for systems where workarounds were previously applied\r\nThis section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html\"] or Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/deploy-anyconnect.html?bookSearch=true\"].\r\n\r\nThe following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. 
This file is in the following locations:\r\n\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS: /opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n\r\n AnyConnect Secure Mobility Client Software Release | AnyConnectLocalPolicy.xml Settings | Instructions\r\nEarlier than 4.9.04053\r\n\r\nPreviously deployed AnyConnectLocalPolicy.xml settings:\r\n\r\nBypassDownloader=true\r\n\r\nNew AnyConnectLocalPolicy.xml settings:\r\n\r\nBypassDownloader=false\r\n\r\n\r\nUpgrade to 4.10 using a predeploy method.\r\nRedistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.\r\nApply the new 4.10 settings shown in the Recommendations [\"#Recommendations\"] section.\r\n\r\n\r\n4.9.04053, 4.9.05042, 4.9.06037\r\n\r\nPreviously deployed AnyConnectLocalPolicy.xml settings:\r\n\r\nRestrictScriptWebDeploy=true\r\nRestrictHelpWebDeploy=true\r\nRestrictResourceWebDeploy=true\r\nRestrictLocalizationWebDeploy=true\r\nBypassDownloader=false\r\n\r\nNew AnyConnectLocalPolicy.xml settings:\r\n\r\nRestrictScriptWebDeploy=false\r\nRestrictHelpWebDeploy=false\r\nRestrictResourceWebDeploy=false\r\nRestrictLocalizationWebDeploy=false\r\nBypassDownloader=false\r\n\r\n\r\nUpgrade to 4.10 using either a predeploy or webdeploy method.\r\nRedistribute [1] the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.\r\nApply the new 4.10 settings shown in the Recommendations [\"#Recommendations\"] section.\r\n\r\n\r\n[1] Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. 
If these settings remain true, files must be distributed using an out-of-band deployment method.\r\n Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037 For customers who have already applied the RestrictScriptWebDeploy workaround\r\nFor customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.\r\n\r\nTo restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations [\"#Recommendations\"] section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.\r\n For customers who cannot upgrade to Release 4.10.00093 or later\r\nFor customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment.\r\n\r\nThere are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. 
For more details about the new configuration settings and implications of their use, refer to the Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html#Cisco_Reference.dita_79c2fd57-db64-4449-9072-26e62e46630b\"] or Cisco bug ID CSCvw48062 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062\"]. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.\r\n\r\nRestrictScriptWebDeploy\r\nRestrictHelpWebDeploy\r\nRestrictResourceWebDeploy\r\nRestrictLocalizationWebDeploy\r\n\r\nThe following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. 
This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux:/opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:\r\n\u003cRestrictScriptWebDeploy\u003efalse\u003c/RestrictScriptWebDeploy\u003e\r\n\u003cRestrictHelpWebDeploy\u003efalse\u003c/RestrictHelpWebDeploy\u003e\r\n\u003cRestrictResourceWebDeploy\u003efalse\u003c/RestrictResourceWebDeploy\u003e\r\n\u003cRestrictLocalizationWebDeploy\u003efalse\u003c/RestrictLocalizationWebDeploy\u003e\r\n\r\nChange each of these settings to true, as shown in the following example:\r\n\u003cRestrictScriptWebDeploy\u003etrue\u003c/RestrictScriptWebDeploy\u003e\r\n\u003cRestrictHelpWebDeploy\u003etrue\u003c/RestrictHelpWebDeploy\u003e\r\n\u003cRestrictResourceWebDeploy\u003etrue\u003c/RestrictResourceWebDeploy\u003e\r\n\u003cRestrictLocalizationWebDeploy\u003etrue\u003c/RestrictLocalizationWebDeploy\u003e\r\n\r\nVerify that the BypassDownloader setting is correct by looking for the following line:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nIf the BypassDownloader setting is true, change it to false, as shown in the following example:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.\r\n\r\n Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053\r\nFor customers who have already applied the BypassDownloader mitigation\r\nFor customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. 
Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations [\"#Recommendations\"] section.\r\n For customers who cannot upgrade to Release 4.10.00093 or later\r\nFor customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.\r\n\r\nWarning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.\r\n\r\nNote: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:\r\n\r\nAll future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.\r\nAnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.\r\n\r\nThe procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. 
This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nChange that setting to true, as shown in the following example:\r\n\r\n\u003cBypassDownloader\u003etrue\u003c/BypassDownloader\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.",
"product_ids": [
"CSAFPID-109810"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-109810"
]
}
],
"title": "Cisco AnyConnect Secure Mobility Client Arbitrary Script Execution Vulnerability"
}
]
}
cisco-sa-anyconnect-ipc-kfqo9qhk
Vulnerability from csaf_cisco
Notes
{
"document": {
"acknowledgments": [
{
"summary": "Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) for reporting this vulnerability."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.\r\n\r\nThe vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.\r\n\r\nNote: To successfully exploit this vulnerability, an attacker would need all of the following:\r\n\r\nValid user credentials on the system on which the AnyConnect client is being run by the targeted user.\r\nTo be able to log in to that system while the targeted user either has an active AnyConnect session established or establishes a new AnyConnect session.\r\nTo be able to execute code on that system.\r\n\r\nCisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.\r\n\r\n",
"title": "Summary"
},
{
"category": "general",
"text": "This vulnerability affects all releases of Cisco AnyConnect Secure Mobility Client Software earlier than Release 4.10.00093 for the following platforms if they have a vulnerable configuration:\r\n\r\nAnyConnect Secure Mobility Client for Windows\r\nAnyConnect Secure Mobility Client for MacOS\r\nAnyConnect Secure Mobility Client for Linux\r\n\r\nThe following subsections describe how to determine vulnerability for specific releases of Cisco AnyConnect Secure Mobility Client Software. The release of Cisco AnyConnect Secure Mobility Client Software that is running on the end machine determines which configurations the user must check.\r\n\r\nThe configuration settings discussed in the following subsections are in the AnyConnectLocalPolicy.xml file. This file is in the following locations:\r\n\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS: /opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037\r\nThe vulnerability described in this advisory affects Cisco AnyConnect Secure Mobility Client Software releases 4.9.04053, 4.9.05042, and 4.9.06037 if RestrictScriptWebDeploy is set to the default value of false.\r\n\r\nTo verify the RestrictScriptWebDeploy configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line:\r\n\r\n\r\n\u003cRestrictScriptWebDeploy\u003efalse\u003c/RestrictScriptWebDeploy\u003e\r\n\r\nIf RestrictScriptWebDeploy is set to false, RestrictScriptWebDeploy is disabled and the device is affected by this vulnerability. 
If RestrictScriptWebDeploy is set to true, RestrictScriptWebDeploy is enabled and the device is not affected by this vulnerability.\r\n\r\nSee the Workarounds [\"#workarounds\"] section for additional optional but recommended settings.\r\n Cisco AnyConnect Secure Mobility Client Software Releases Earlier than Release 4.9.04053\r\nThe vulnerability described in this advisory affects all releases of Cisco AnyConnect Secure Mobility Client Software earlier than Release 4.9.04053 if BypassDownloader is set to the default value of false.\r\n\r\nTo verify the BypassDownloader configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line:\r\n\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nIf BypassDownloader is set to false, BypassDownloader is disabled and the device is affected by this vulnerability. If BypassDownloader is set to true, BypassDownloader is enabled and the device is not affected by this vulnerability.\r\n\r\nNote: Setting BypassDownloader to true is not a recommended configuration. See the Workarounds [\"#workarounds\"] section for more details.",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nThis vulnerability does not affect Cisco AnyConnect Secure Mobility Client for Apple iOS or Android platforms or for the Universal Windows Platform.",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "Details about the vulnerability are as follows.\r\n\r\nThis vulnerability is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.\r\nThis vulnerability is not remotely exploitable, as it requires local credentials on the end-user device for the attacker to take action on the local system.\r\nThis vulnerability is not a privilege elevation exploit. The scripts run at the user level by default. If the local AnyConnect user manually raises the privilege of the User Interface process, the scripts would run at elevated privileges.\r\nThis vulnerability\u2019s CVSS score is high because, for configurations where the vulnerability is exploitable, it allows one user access to another user\u2019s data and execution space.",
"title": "Details"
},
{
"category": "general",
"text": "Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062\"] via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.\r\n\r\nThe settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations [\"#Recommendations\"] section of this advisory.\r\n Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093\r\nReleases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv30103\"] with no additional configuration required. See the Recommendations [\"#Recommendations\"] section for additional optional but recommended settings.\r\n Upgrade instructions for systems where workarounds were previously applied\r\nThis section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html\"] or Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/deploy-anyconnect.html?bookSearch=true\"].\r\n\r\nThe following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. 
This file is in the following locations:\r\n\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS: /opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n\r\n AnyConnect Secure Mobility Client Software Release | AnyConnectLocalPolicy.xml Settings | Instructions\r\nEarlier than 4.9.04053\r\n\r\nPreviously deployed AnyConnectLocalPolicy.xml settings:\r\n\r\nBypassDownloader=true\r\n\r\nNew AnyConnectLocalPolicy.xml settings:\r\n\r\nBypassDownloader=false\r\n\r\n\r\nUpgrade to 4.10 using a predeploy method.\r\nRedistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.\r\nApply the new 4.10 settings shown in the Recommendations [\"#Recommendations\"] section.\r\n\r\n\r\n4.9.04053, 4.9.05042, 4.9.06037\r\n\r\nPreviously deployed AnyConnectLocalPolicy.xml settings:\r\n\r\nRestrictScriptWebDeploy=true\r\nRestrictHelpWebDeploy=true\r\nRestrictResourceWebDeploy=true\r\nRestrictLocalizationWebDeploy=true\r\nBypassDownloader=false\r\n\r\nNew AnyConnectLocalPolicy.xml settings:\r\n\r\nRestrictScriptWebDeploy=false\r\nRestrictHelpWebDeploy=false\r\nRestrictResourceWebDeploy=false\r\nRestrictLocalizationWebDeploy=false\r\nBypassDownloader=false\r\n\r\n\r\nUpgrade to 4.10 using either a predeploy or webdeploy method.\r\nRedistribute [1] the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.\r\nApply the new 4.10 settings shown in the Recommendations [\"#Recommendations\"] section.\r\n\r\n\r\n[1] Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. 
If these settings remain true, files must be distributed using an out-of-band deployment method.\r\n Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037 For customers who have already applied the RestrictScriptWebDeploy workaround\r\nFor customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.\r\n\r\nTo restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations [\"#Recommendations\"] section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.\r\n For customers who cannot upgrade to Release 4.10.00093 or later\r\nFor customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment.\r\n\r\nThere are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. 
For more details about the new configuration settings and implications of their use, refer to the Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html#Cisco_Reference.dita_79c2fd57-db64-4449-9072-26e62e46630b\"] or Cisco bug ID CSCvw48062 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062\"]. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.\r\n\r\nRestrictScriptWebDeploy\r\nRestrictHelpWebDeploy\r\nRestrictResourceWebDeploy\r\nRestrictLocalizationWebDeploy\r\n\r\nThe following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. 
This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux:/opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:\r\n\u003cRestrictScriptWebDeploy\u003efalse\u003c/RestrictScriptWebDeploy\u003e\r\n\u003cRestrictHelpWebDeploy\u003efalse\u003c/RestrictHelpWebDeploy\u003e\r\n\u003cRestrictResourceWebDeploy\u003efalse\u003c/RestrictResourceWebDeploy\u003e\r\n\u003cRestrictLocalizationWebDeploy\u003efalse\u003c/RestrictLocalizationWebDeploy\u003e\r\n\r\nChange each of these settings to true, as shown in the following example:\r\n\u003cRestrictScriptWebDeploy\u003etrue\u003c/RestrictScriptWebDeploy\u003e\r\n\u003cRestrictHelpWebDeploy\u003etrue\u003c/RestrictHelpWebDeploy\u003e\r\n\u003cRestrictResourceWebDeploy\u003etrue\u003c/RestrictResourceWebDeploy\u003e\r\n\u003cRestrictLocalizationWebDeploy\u003etrue\u003c/RestrictLocalizationWebDeploy\u003e\r\n\r\nVerify that the BypassDownloader setting is correct by looking for the following line:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nIf the BypassDownloader setting is true, change it to false, as shown in the following example:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.\r\n\r\n Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053\r\nFor customers who have already applied the BypassDownloader mitigation\r\nFor customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. 
Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations [\"#Recommendations\"] section.\r\n For customers who cannot upgrade to Release 4.10.00093 or later\r\nFor customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.\r\n\r\nWarning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.\r\n\r\nNote: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:\r\n\r\nAll future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.\r\nAnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.\r\n\r\nThe procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. 
This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nChange that setting to true, as shown in the following example:\r\n\r\n\u003cBypassDownloader\u003etrue\u003c/BypassDownloader\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.",
"title": "Workarounds"
},
{
"category": "general",
"text": "Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:\r\nhttps://www.cisco.com/c/en/us/products/end-user-license-agreement.html [\"https://www.cisco.com/c/en/us/products/end-user-license-agreement.html\"]\r\n\r\nAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. 
If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n Customers Without Service Contracts\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]\r\n\r\nCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n Fixed Releases\r\nCisco fixed this vulnerability in Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "Cisco AnyConnect Secure Mobility Client Software 4.10.00093 introduced new settings. It is now possible to individually allow/disallow scripts, help, resources, or localization updates in the local policy. These new settings are strongly recommended for increased protection. The full set of restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the AnyConnect Local Policy [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/anyconnect-profile-editor.html?bookSearch=true#ID-1430-000002bf%20%20\"] section of the administrator guide.\r\n\r\nConfiguration Setting Name | Default Value | Recommended Configuration Setting Value\r\nStrictCertificateTrust | False | True\r\nRestrictServerCertStore | False | True\r\nAllowSoftwareUpdatesFromAnyServer | True | False\r\nAllowComplianceUpdatesModuleFromAnyServer | True | False\r\nAllowManagementVPNProfileUpdatesFromAnyServer | True | False\r\nAllowISEPostureProfileUpdatesFromAnyServer | True | False\r\nAllowServiceProfileUpdatesFromAnyServer | True | False\r\nAllowScriptUpdatesFromAnyServer | True | False\r\nAllowScriptUpdatesFromAnyServer | True | False\r\nAllowHelpUpdatesFromAnyServer | True | False\r\nAllowResourceUpdatesFromAnyServer | True | False\r\nAllowLocalizationUpdatesFromAnyServer | True | False\r\nServerName | Blank | List of authorized servers. Can use wildcards, for example *.cisco.com\r\n\r\nBypassDownloader is not a new setting, but ensure that it is set to false.\r\n\r\nConfiguration Setting Name | Default Value | Recommended Configuration Setting Value\r\nBypassDownloader | False | False\r\n\r\nTo configure the recommended settings on Release 4.10.00093 and later, edit the AnyConnectLocalPolicy.xml file to change configuration values to the recommended values listed in the preceding table. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines.\r\n\r\nThe following procedure is for editing the policy on a local machine. 
In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux:/opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\u003cStrictCertificateTrust\u003etrue\u003c/StrictCertificateTrust\u003e\r\n\u003cRestrictServerCertStore\u003etrue\u003c/RestrictServerCertStore\u003e\r\n\u003cAllowSoftwareUpdatesFromAnyServer\u003efalse\u003c/AllowSoftwareUpdatesFromAnyServer\u003e\r\n\u003cAllowComplianceUpdatesModuleFromAnyServer\u003efalse\u003c/AllowComplianceUpdatesModuleFromAnyServer\u003e\r\n\u003cAllowManagementVPNProfileUpdatesFromAnyServer\u003efalse\u003c/AllowManagementVPNProfileUpdatesFromAnyServer\u003e\r\n\u003cAllowISEPostureProfileUpdatesFromAnyServer\u003efalse\u003c/AllowISEPostureProfileUpdatesFromAnyServer\u003e\r\n\u003cAllowServiceProfileUpdatesFromAnyServer\u003efalse\u003c/AllowServiceProfileUpdatesFromAnyServer\u003e\r\n\u003cAllowScriptUpdatesFromAnyServer\u003efalse\u003c/AllowScriptUpdatesFromAnyServer\u003e\r\n\u003cAllowHelpUpdatesFromAnyServer\u003efalse\u003c/AllowHelpUpdatesFromAnyServer\u003e\r\n\u003cAllowResourceUpdatesFromAnyServer\u003efalse\u003c/AllowResourceUpdatesFromAnyServer\u003e\r\n\u003cAllowLocalizationUpdatesFromAnyServer\u003efalse\u003c/AllowLocalizationUpdatesFromAnyServer\u003e\r\n\r\nIf the configuration setting values do not match the values shown above, change them.\r\nAdd 
authorized server names to the configuration file:\r\n\u003cServerName\u003e *.example.com \u003c/ServerName\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.",
"title": "Recommendations"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.\r\n\r\nThe Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) for reporting this vulnerability.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@cisco.com",
"issuing_authority": "Cisco PSIRT",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "CSCvw48062",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062"
},
{
"category": "external",
"summary": "CSCvv30103",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv30103"
},
{
"category": "external",
"summary": "Release Notes",
"url": "https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html"
},
{
"category": "external",
"summary": "Configuration Guide",
"url": "https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/deploy-anyconnect.html?bookSearch=true"
},
{
"category": "external",
"summary": "Release Notes",
"url": "https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html#Cisco_Reference.dita_79c2fd57-db64-4449-9072-26e62e46630b"
},
{
"category": "external",
"summary": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html",
"url": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html"
},
{
"category": "external",
"summary": "considering software upgrades",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Security Advisories page",
"url": "https://www.cisco.com/go/psirt"
},
{
"category": "external",
"summary": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html",
"url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
},
{
"category": "external",
"summary": "AnyConnect Local Policy",
"url": "https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/anyconnect-profile-editor.html?bookSearch=true#ID-1430-000002bf%20%20"
}
],
"title": "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"tracking": {
"current_release_date": "2021-05-21T18:06:37+00:00",
"generator": {
"date": "2024-05-10T22:56:13+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-anyconnect-ipc-KfQO9QhK",
"initial_release_date": "2020-11-04T16:00:00+00:00",
"revision_history": [
{
"date": "2020-11-04T15:21:41+00:00",
"number": "1.0.0",
"summary": "Initial public release."
},
{
"date": "2020-11-05T22:27:26+00:00",
"number": "2.0.0",
"summary": "Clarified the requirements for a successful attack. Corrected information about vulnerable configurations and mitigations."
},
{
"date": "2020-11-09T21:50:11+00:00",
"number": "2.1.0",
"summary": "Clarified mitigation information."
},
{
"date": "2020-11-10T17:15:11+00:00",
"number": "2.2.0",
"summary": "Added additional details on the vulnerability. Clarified the mitigation."
},
{
"date": "2020-12-04T15:21:28+00:00",
"number": "3.0.0",
"summary": "Added information about the enhancement CSCvw48062."
},
{
"date": "2021-05-12T14:16:53+00:00",
"number": "4.0.0",
"summary": "Added fixed release information. Added Universal Windows Platform information."
},
{
"date": "2021-05-21T18:06:37+00:00",
"number": "4.1.0",
"summary": "Updated the BypassDownloader tagging examples to include the closing \"/\" in three instances."
}
],
"status": "final",
"version": "4.1.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco Secure Client",
"product": {
"name": "Cisco Secure Client ",
"product_id": "CSAFPID-109810"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-3556",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCvv30103"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-109810"
]
},
"release_date": "2020-11-04T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-109810"
],
"url": "https://software.cisco.com"
},
{
"category": "workaround",
"details": "Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062\"] via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.\r\n\r\nThe settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations [\"#Recommendations\"] section of this advisory.\r\n Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093\r\nReleases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv30103\"] with no additional configuration required. See the Recommendations [\"#Recommendations\"] section for additional optional but recommended settings.\r\n Upgrade instructions for systems where workarounds were previously applied\r\nThis section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html\"] or Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/deploy-anyconnect.html?bookSearch=true\"].\r\n\r\nThe following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. 
This file is in the following locations:\r\n\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS: /opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n\r\n AnyConnect Secure Mobility Client Software Release AnyConnectLocalPolicy.xml Settings Instructions\r\nEarlier than 4.9.04053\r\n\r\nPreviously deployed AnyConnectLocalPolicy.xml settings:\r\n\r\nBypassDownloader= true\r\n\r\nNew AnyConnectLocalPolicy.xml settings:\r\n\r\nBypassDownloader=false\r\n\r\n\r\nUpgrade to 4.10 using a predeploy method.\r\nRedistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.\r\nApply the new 4.10 settings shown in the Recommendations [\"#Recommendations\"] section.\r\n\r\n\r\n4.9.04053, 4.9.05042, 4.9.06037\r\n\r\nPreviously deployed AnyConnectLocalPolicy.xml settings:\r\n\r\nRestrictScriptWebDeploy=true\r\nRestrictHelpWebDeploy=true\r\nRestrictResourceWebDeploy=true\r\nRestrictLocalizationWebDeploy=true\r\nBypassDownloader=false\r\n\r\nNew AnyConnectLocalPolicy.xml settings:\r\n\r\nRestrictScriptWebDeploy=false\r\nRestrictHelpWebDeploy=false\r\nRestrictResourceWebDeploy=false\r\nRestrictLocalizationWebDeploy=false\r\nBypassDownloader=false\r\n\r\n\r\nUpgrade to 4.10 using either a predeploy or webdeploy method.\r\nRedistribute1 the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.\r\nApply the new 4.10 settings shown in the Recommendations [\"#Recommendations\"] section.\r\n\r\n\r\n1. Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. 
If these settings remain true, files must be distributed using an out-of-band deployment method.\r\n Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037 For customers who have already applied the RestrictScriptWebDeploy workaround\r\nFor customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.\r\n\r\nTo restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations [\"#Recommendations\"] section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.\r\n For customers who cannot upgrade to Release 4.10.00093 or later\r\nFor customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment.\r\n\r\nThere are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. 
For more details about the new configuration settings and implications of their use, refer to the Release Notes [\"https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html#Cisco_Reference.dita_79c2fd57-db64-4449-9072-26e62e46630b\"] or Cisco bug ID CSCvw48062 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw48062\"]. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.\r\n\r\nRestrictScriptWebDeploy\r\nRestrictHelpWebDeploy\r\nRestrictResourceWebDeploy\r\nRestrictLocalizationWebDeploy\r\n\r\nThe following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. 
This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux:/opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:\r\n\u003cRestrictScriptWebDeploy\u003efalse\u003c/RestrictScriptWebDeploy\u003e\r\n\u003cRestrictHelpWebDeploy\u003efalse\u003c/RestrictHelpWebDeploy\u003e \u003cRestrictResourceWebDeploy\u003efalse\u003c/RestrictResourceWebDeploy\u003e \u003cRestrictLocalizationWebDeploy\u003efalse\u003c/RestrictLocalizationWebDeploy\u003e\r\n\r\nChange that setting to true, as shown in the following example:\r\n\u003cRestrictScriptWebDeploy\u003etrue\u003c/RestrictScriptWebDeploy\u003e\r\n\u003cRestrictHelpWebDeploy\u003etrue\u003c/RestrictHelpWebDeploy\u003e \u003cRestrictResourceWebDeploy\u003etrue\u003c/RestrictResourceWebDeploy\u003e \u003cRestrictLocalizationWebDeploy\u003etrue\u003c/RestrictLocalizationWebDeploy\u003e\r\n\r\nVerify that the BypassDownloader setting is correct by looking for the following line:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nIf the BypassDownloader setting is true, change it to false, as shown in the following example:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.\r\n\r\n Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053 For customers who have already applied the BypassDownloader mitigation\r\nFor customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. 
Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations [\"#Recommendations\"] section.\r\n For customers who cannot upgrade to Release 4.10.00093 or later\r\nFor customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.\r\n\r\nWarning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.\r\n\r\nNote: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:\r\n\r\nAll future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.\r\nAnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.\r\n\r\nThe procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.\r\n\r\nFind the AnyConnectLocalPolicy.xml file on the client machine. 
This file is in the following locations:\r\nWindows:\u003cDriveLetter\u003e:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\\r\nmacOS:/opt/cisco/anyconnect/\r\nLinux: /opt/cisco/anyconnect/\r\n\r\nOpen the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:\r\n\r\n\u003cBypassDownloader\u003efalse\u003c/BypassDownloader\u003e\r\n\r\nChange that setting to true, as shown in the following example:\r\n\r\n\u003cBypassDownloader\u003etrue\u003c/BypassDownloader\u003e\r\n\r\nSave the file to the original location. The network paths are noted above.\r\nRestart the VPN Agent service or reboot the client machine.",
"product_ids": [
"CSAFPID-109810"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-109810"
]
}
],
"title": "Cisco AnyConnect Secure Mobility Client Arbitrary Script Execution Vulnerability"
}
]
}
var-202011-1023
Vulnerability from variot
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability. [Note: this sentence comes from the original CVE description; the Cisco advisory reproduced on this page states that Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103.] Cisco AnyConnect Secure Mobility Client software contains unspecified vulnerabilities. Information may be obtained or tampered with, and service may be disrupted (DoS). Cisco AnyConnect Secure Mobility Client for Linux, etc. are all products of Cisco. Cisco AnyConnect Secure Mobility Client for Linux is a Linux-based secure mobile client that provides secure access to networks and applications from any device. Cisco AnyConnect Secure Mobility Client for Android is a secure mobile client based on the Android platform that provides secure access to networks and applications from any device. Cisco AnyConnect Secure Mobility Client for Windows is a Windows-based secure mobile client that provides secure access to networks and applications from any device.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202011-1023",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "anyconnect secure mobility client",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "98.145\\(86\\)"
},
{
"model": "anyconnect secure mobility client",
"scope": "eq",
"trust": 1.0,
"vendor": "cisco",
"version": "4.9\\(3052\\)"
},
{
"model": "cisco anyconnect secure mobility client",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"db": "NVD",
"id": "CVE-2020-3556"
}
]
},
"cve": "CVE-2020-3556",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.4,
"id": "CVE-2020-3556",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.4,
"id": "VHN-181681",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:L/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.3,
"id": "CVE-2020-3556",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.3,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2020-3556",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-3556",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "ykramarz@cisco.com",
"id": "CVE-2020-3556",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2020-3556",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202011-332",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-181681",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-3556",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-181681"
},
{
"db": "VULMON",
"id": "CVE-2020-3556"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"db": "CNNVD",
"id": "CNNVD-202011-332"
},
{
"db": "NVD",
"id": "CVE-2020-3556"
},
{
"db": "NVD",
"id": "CVE-2020-3556"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability. Cisco AnyConnect Secure Mobility Client There are unspecified vulnerabilities in the software.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Cisco AnyConnect Secure Mobility Client for Linux, etc. are all products of Cisco (Cisco). Cisco AnyConnect Secure Mobility Client for Linux is a Linux-based secure mobile client that provides secure access to networks and applications from any device. Cisco AnyConnect Secure Mobility Client for Android is a secure mobile client based on the Android platform that provides secure access to networks and applications from any device. Cisco AnyConnect Secure Mobility Client for Windows is a Windows-based secure mobile client that provides secure access to networks and applications from any device",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-3556"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"db": "VULHUB",
"id": "VHN-181681"
},
{
"db": "VULMON",
"id": "CVE-2020-3556"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-3556",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013361",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202011-332",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.3822",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3822.4",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-181681",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-3556",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-181681"
},
{
"db": "VULMON",
"id": "CVE-2020-3556"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"db": "CNNVD",
"id": "CNNVD-202011-332"
},
{
"db": "NVD",
"id": "CVE-2020-3556"
}
]
},
"id": "VAR-202011-1023",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-181681"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T22:37:12.633000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "cisco-sa-anyconnect-ipc-KfQO9QhK",
"trust": 0.8,
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
},
{
"title": "Cisco AnyConnect Secure Mobility Client IPC Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=132761"
},
{
"title": "Cisco: Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-anyconnect-ipc-KfQO9QhK"
},
{
"title": "sec-daily-2020",
"trust": 0.1,
"url": "https://github.com/alphaSeclab/sec-daily-2020 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-3556"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"db": "CNNVD",
"id": "CNNVD-202011-332"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.0
},
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "Lack of information (CWE-noinfo) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"db": "NVD",
"id": "CVE-2020-3556"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-anyconnect-ipc-kfqo9qhk"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-3556"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3822/"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/cisco-anyconnect-secure-mobility-client-code-execution-via-ipc-33812"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3822.4/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-181681"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"db": "CNNVD",
"id": "CNNVD-202011-332"
},
{
"db": "NVD",
"id": "CVE-2020-3556"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-181681"
},
{
"db": "VULMON",
"id": "CVE-2020-3556"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"db": "CNNVD",
"id": "CNNVD-202011-332"
},
{
"db": "NVD",
"id": "CVE-2020-3556"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-11-06T00:00:00",
"db": "VULHUB",
"id": "VHN-181681"
},
{
"date": "2020-11-06T00:00:00",
"db": "VULMON",
"id": "CVE-2020-3556"
},
{
"date": "2021-06-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"date": "2020-11-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202011-332"
},
{
"date": "2020-11-06T19:15:14.657000",
"db": "NVD",
"id": "CVE-2020-3556"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-11-20T00:00:00",
"db": "VULHUB",
"id": "VHN-181681"
},
{
"date": "2020-11-20T00:00:00",
"db": "VULMON",
"id": "CVE-2020-3556"
},
{
"date": "2021-06-28T08:08:00",
"db": "JVNDB",
"id": "JVNDB-2020-013361"
},
{
"date": "2021-05-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202011-332"
},
{
"date": "2024-11-21T05:31:18.510000",
"db": "NVD",
"id": "CVE-2020-3556"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202011-332"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco\u00a0AnyConnect\u00a0Secure\u00a0Mobility\u00a0Client\u00a0 Software vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-013361"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202011-332"
}
],
"trust": 0.6
}
}
ghsa-v6p8-gw74-vfg4
Vulnerability from github
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-3556"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-06T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability.",
"id": "GHSA-v6p8-gw74-vfg4",
"modified": "2022-05-24T17:33:21Z",
"published": "2022-05-24T17:33:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3556"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
}
],
"schema_version": "1.4.0",
"severity": []
}
gsd-2020-3556
Vulnerability from gsd
{
"GSD": {
"alias": "CVE-2020-3556",
"description": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability.",
"id": "GSD-2020-3556"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-3556"
],
"details": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability.",
"id": "GSD-2020-3556",
"modified": "2023-12-13T01:22:10.577925Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2020-11-04T16:00:00",
"ID": "CVE-2020-3556",
"STATE": "PUBLIC",
"TITLE": "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco AnyConnect Secure Mobility Client ",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability."
}
]
},
"exploit": [
{
"lang": "eng",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. "
}
],
"impact": {
"cvss": {
"baseScore": "7.3",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H ",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20201104 Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
}
]
},
"source": {
"advisory": "cisco-sa-anyconnect-ipc-KfQO9QhK",
"defect": [
[
"CSCvv30103"
]
],
"discovery": "INTERNAL"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:4.9\\(3052\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:98.145\\(86\\):*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"ID": "CVE-2020-3556"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run. Cisco has not released software updates that address this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20201104 Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability",
"refsource": "CISCO",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.9
}
},
"lastModifiedDate": "2020-11-20T16:54Z",
"publishedDate": "2020-11-06T19:15Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.