    November 9, 2020

    Cisco AnyConnect VPN Zero-Day (CVE-2020-3556)

    Last week, Cisco disclosed a zero-day vulnerability (CVE-2020-3556) that has proof-of-concept exploit code publicly available. It affects their AnyConnect Secure Mobility Client software, an endpoint tool that connects users to enterprise networks via virtual private network (VPN). The vulnerability was reported by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).


    How It Works

    A vulnerability in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client allows an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.

    Because the IPC listener does not authenticate its callers, an attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client's IPC listener, resulting in script execution with the privileges of the targeted AnyConnect user, according to Cisco.

    For successful exploitation, an attacker would need valid user credentials on the system running the AnyConnect client. They would also need to be logged in to that system while an AnyConnect session is active, and be able to execute code on it.

    Who is Affected

    CVE-2020-3556 affects the AnyConnect Secure Mobility Client for Linux, macOS, and Windows when Bypass Downloader is set to its default value of false.

    You can verify your Bypass Downloader configuration by opening the AnyConnectLocalPolicy.xml file and searching for the <BypassDownloader>false</BypassDownloader> element.

    If your Bypass Downloader is set to true, the device is not affected by this vulnerability, according to Cisco.
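    The check above can be scripted rather than done by eye. The following Python script is an added example, not code from the original post or from Cisco: it parses a copy of AnyConnectLocalPolicy.xml, reads the BypassDownloader element regardless of whether the file declares a default XML namespace, normalises whitespace and case in the value, and maps the result onto the advisory's affected / not-affected statement. It goes slightly beyond the text in one respect: a file with no BypassDownloader element at all is reported as "assumed affected", on the assumption that the documented default of false then applies. The XML snippets inside the script are constructed samples, and the file location on each platform is deliberately not hard-coded; pass the real path as the first argument.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample policy files for demonstration (not real AnyConnect files).
SAMPLE_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.x">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
</AnyConnectLocalPolicy>
"""

SAMPLE_HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy>
  <BypassDownloader> TRUE </BypassDownloader>
</AnyConnectLocalPolicy>
"""

SAMPLE_MISSING = "<AnyConnectLocalPolicy><FipsMode>false</FipsMode></AnyConnectLocalPolicy>"


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree attaches to namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def bypass_downloader_setting(xml_text: str) -> Optional[bool]:
    """Return the BypassDownloader value as a bool.

    Returns None if the document does not parse, the element is absent, or its
    text is not a recognisable true/false. Matching is on the element's local
    name, so a default namespace on the root does not hide the element.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for elem in root.iter():
        if _local_name(elem.tag) == "BypassDownloader":
            value = (elem.text or "").strip().lower()
            if value == "true":
                return True
            if value == "false":
                return False
            return None  # element present but value unrecognised
    return None


def assess_cve_2020_3556(xml_text: str) -> str:
    """Map the setting onto the advisory's affected / not-affected statement.

    Assumption (not stated by the advisory excerpt): a missing element means
    the documented default of false is in effect, so it is reported as affected.
    """
    setting = bypass_downloader_setting(xml_text)
    if setting is True:
        return "not affected: BypassDownloader is true"
    if setting is False:
        return "affected: BypassDownloader is false"
    return "affected (assumed): BypassDownloader missing or unreadable, default is false"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass the path of the client's AnyConnectLocalPolicy.xml.
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(assess_cve_2020_3556(fh.read()))
    else:
        # No path given: run against the constructed samples.
        for label, sample in (("default", SAMPLE_DEFAULT),
                              ("hardened", SAMPLE_HARDENED),
                              ("missing", SAMPLE_MISSING)):
            print(f"{label:9s} -> {assess_cve_2020_3556(sample)}")
```

    Run it with no arguments to see the three sample outcomes, or with the path of a policy file copied off an endpoint to classify that endpoint. Because the script only reads the file, it is safe to run from an inventory job that collects the policy files centrally and flags any host still reporting "affected" until Cisco's fixed release is deployed.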

    This vulnerability doesn’t affect the AnyConnect client for Apple iOS or Android.

    Mitigation for CVE-2020-3556

    There are currently no software updates available to address the AnyConnect zero-day, CVE-2020-3556. Cisco plans to fix this vulnerability in a future release of Cisco AnyConnect Secure Mobility Client software.

    Additional Resources

    Cisco’s Security Advisory for CVE-2020-3556

    AnyConnect Integration

    Blumira’s cloud SIEM integrates easily with Cisco AnyConnect to start detecting threats immediately and automating response. Learn more about Blumira’s Cisco AnyConnect integration (logs delivered through ASA firewall & FTD Firepower Threat Defense).


    Tag(s): Security Alerts , Blog , CVE

    Thu Pham

    Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...
