Cisco issues fixes for active exploits of its Windows VPN clients

Cisco is offering software updates for two of its AnyConnect for Windows products it says are actively being exploited in the field.

AnyConnect for Windows is a security software package for Windows machines that sets up VPN connectivity, provides access control and supports other endpoint security features. Cisco said AnyConnect products for macOS and Linux are not affected.

Cisco said its Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability, which is described in this advisory.

“In October 2022, the Cisco PSIRT became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability,” the vendor said in its alert for both vulnerabilities.

There are no workarounds for the problems, but software updates are available to address them, Cisco stated.

The first vulnerability involves a weakness in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows that could let an authenticated local attacker perform a Microsoft Dynamic Link Library (DLL) hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system, Cisco stated.

“The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process,” Cisco stated. “A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.”

Cisco fixed this vulnerability in Cisco AnyConnect Secure Mobility Client for Windows releases 4.9.00086 and later.

The second vulnerability is in the installer component of Cisco AnyConnect Secure Mobility Client for Windows and could allow an authenticated local attacker to copy user-supplied files to system-level directories with system-level privileges.

The vulnerability is due to the incorrect handling of directory paths, Cisco stated. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory.

“This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system,” Cisco stated.

Cisco AnyConnect Secure Mobility Client for Windows releases 4.8.02042 and later contained the fix for this vulnerability.
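The two fixed releases above (4.9.00086 for the IPC DLL hijacking issue, 4.8.02042 for the installer issue) are the practical triage threshold for a fleet. The following is an added example, not Cisco's code or anything from the advisories: it parses AnyConnect version strings numerically, since a plain string comparison misorders releases such as 4.10.x against 4.9.x, and reports which hosts in a constructed sample inventory still lack one or both fixes. The advisory labels and host names are assumptions chosen for illustration.

```python
# Added example (not Cisco's code): parse Cisco AnyConnect for Windows version
# strings and test them against the fixed releases named in the article.
# Host names and versions below are constructed sample data, not real systems.
from typing import Dict, List, Tuple

# Fixed releases quoted in the article, keyed by hypothetical advisory labels.
FIXED_RELEASES: Dict[str, str] = {
    "IPC DLL hijacking": "4.9.00086",
    "installer path handling": "4.8.02042",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.9.00086' into (4, 9, 86) so each field compares numerically.
    A plain string comparison would rank '4.10.01075' below '4.9.00086'."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected AnyConnect version format: {version!r}")
    return tuple(int(p) for p in parts)

def unpatched_for(version: str) -> List[str]:
    """Return the advisory labels whose fixed release is newer than `version`."""
    installed = parse_version(version)
    return [name for name, fixed in FIXED_RELEASES.items()
            if installed < parse_version(fixed)]

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host -> list of unaddressed advisories (empty list means both fixed)."""
    return {host: unpatched_for(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    sample = {  # constructed sample hosts and installed versions
        "ws-01": "4.8.01090",
        "ws-02": "4.8.02042",
        "ws-03": "4.9.00086",
        "ws-04": "4.10.01075",
    }
    for host, missing in triage(sample).items():
        status = "fixed" if not missing else "needs update: " + ", ".join(missing)
        print(f"{host}: {status}")
```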

In addition to the Windows weakness, Cisco recently patched a vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices.

This vulnerability, which is not known to be exploited in the wild, is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session, Cisco stated.

“An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device,” Cisco stated. “A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and re-authenticate. A sustained attack could prevent new SSL VPN connections from being established.”

When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention, Cisco noted.

Cisco Meraki has released software updates that address this vulnerability and there are no workarounds.
