AnyConnect VPN Suffers From Zero-Day Exploit and Cisco Offers Workaround

• Cisco’s researchers have found a zero-day flaw in AnyConnect Secure Mobility Client VPN.
• The vulnerability isn’t being under exploitation, but this could change any time now.
• The admins can set the configuration to a more secure setting while waiting for a fixing patch.

Cisco has disclosed the existence of a zero-day vulnerability in the ‘AnyConnect Security Mobility Client’ VPN, which they discovered themselves. The networking hardware, software, and telecommunications equipment experts have even published a proof of concept code to demonstrate the flaw, but they also offered mitigation advice to ensure that all clients are safe against potential attack attempts.

Cisco AnyConnect VPN is a widely used product that empowers remote workers and businesses to continue to operate as usual during this pandemic situation. Thus, its deployment has risen in 2020, and it’s more crucial than it ever was. According to the report, the bug affects the Linux, Windows, and macOS versions of the software, but not the iOS or Android clients.

The problem lies in the software's interprocess communication channel that could allow an authenticated local attacker to execute malicious code targeting another user. The attacker would need to craft a malicious IPC message and send it to the IPC listener of the target client. The message could trigger a script's execution without requiring authentication, while the privileges of the execution would match that of the targeted user.

Related: The Vast Majority of Exploits Become Available Before CVEs Are Published

Cisco explains that the problem doesn't affect the VPN tool's default configurations, but only those that have enabled both the scripting setting and the auto-update setting. The scripting setting should be set to "disabled" by default, but admins may want to double-check that now through: "Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile."

There are no fixing patches out yet, and neither are there any workarounds to address the vulnerability. However, Cisco's engineers have shared a mitigation, which is to disable the Auto-Update feature and leave it to "off" until a patch is out. If this is impossible, the next best thing would be to disable the scripting setting, at least reducing the attack surface.

The firm’s product security incident response team (PSIRT) hasn’t found any evidence that this flaw is being under active exploitation in the wild, but since the relevant security advisory is published, this may change soon. That said, looking closely at the VPN’s settings and applying the mitigation should be done at the first chance you get.