Cisco fixes AnyConnect bug giving Windows SYSTEM privileges

Cisco has fixed a high-severity vulnerability found in Cisco Secure Client (formerly AnyConnect Secure Mobility Client) software that can let attackers escalate privileges to the SYSTEM account used by the operating system.

Cisco Secure Client enables employees to work from anywhere via a secure Virtual Private Network (VPN) and provides admins with endpoint management and telemetry features.

Low-privileged, local attackers can exploit this security flaw (tracked as CVE-2023-20178) in low-complexity attacks that don't require user interaction.

"This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the upgrade process," Cisco says.

"An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process."

The bug was fixed in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.

According to Cisco, CVE-2023-20178 doesn't impact the following macOS, Linux, and mobile products:

• Cisco AnyConnect Secure Mobility Client for Linux
• Cisco AnyConnect Secure Mobility Client for MacOS
• Cisco Secure Client-AnyConnect for Android
• Cisco Secure Client AnyConnect VPN for iOS
• Cisco Secure Client for Linux
• Cisco Secure Client for MacOS

No signs of active exploitation

The company's Product Security Incident Response Team (PSIRT) is yet to find any evidence of malicious use in the wild or public exploit code targeting the bug.

In October, Cisco warned customers to patch two other AnyConnect security flaws—with public exploit code and addressed three years ago—due to in-the-wild exploitation.

The bugs (CVE-2020-3433 and CVE-2020-3153) let threat actors execute arbitrary code on targeted Windows devices with SYSTEM privileges when chained with other privilege escalation flaws.

As CISA also said when adding them to its list of known exploited bugs, "these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise."

Two years ago, Cisco patched an AnyConnect zero-day (CVE-2020-3556) with public exploit code in May 2021 with a six-month delay after providing mitigation measures to decrease the attack surface when it was disclosed in November 2020.