Last week, Cisco disclosed a zero-day vulnerability (CVE-2020-3556) that has proof-of-concept exploit code publicly available. It affects their AnyConnect Secure Mobility Client software, an endpoint tool that connects users to enterprise networks via virtual private network (VPN). The vulnerability was reported by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).

How It Works

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client allows for an authenticated and local attacker to execute malicious scripts via a targeted user.

Due to lack of authentication to the IPC listener, an attacker could exploit this vulnerability by sending IPC messages to the AnyConnect client IPC listener – resulting in script execution with the privileges of a targeted AnyConnect user, according to Cisco.

For successful exploitation, an attacker would need valid user credentials of the system running the AnyConnect client. They would also need to log into the system during an active AnyConnect session, and gain access to privileges to execute code on that system.

Who is Affected

CVE-2020-3556 affects the AnyConnect Secure Mobility Client for Linux, MacOS, and Windows if they have Bypass Downloader set to its default value of false.

You can verify your Bypass Downloader configuration by opening AnyConnectLocalPolicy.xml file and searching for <BypassDownloader>false</BypassDownloader>

If your Bypass Downloader is set to true, the device is not affected by this vulnerability, according to Cisco.

This vulnerability doesn’t affect the AnyConnect client for Apple iOS or Android.

Mitigation for CVE-2020-3556

There are currently no software updates available to address the AnyConnect zero-day, CVE-2020-3556. Cisco plans to fix this vulnerability in a future release of Cisco AnyConnect Secure Mobility Client software.

Additional Resources

Cisco’s Security Advisory for CVE-2020-3556

Security news and stories right to your inbox!