Active Exploitations in Cisco AnyConnect VPN Vulnerabilities
Threat actors are reportedly exploiting two vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows, CVE-2020-3433 and CVE-2020-3153, in the wild. These flaws give an attacker access to the system folders of affected Windows machines and the ability to copy files there with SYSTEM privileges.
Affected Products: Cisco AnyConnect Secure Mobility Client for Windows releases prior to Release 4.9.00086
CVE-2020-3433 – A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process.
A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker would need valid credentials on the Windows system.
CVSS Score: 7.8
Severity: High
CVE-2020-3153 – A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to copy user-supplied files to system-level directories with system-level privileges. The vulnerability is due to incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying it to a system directory. A successful exploit could allow the attacker to copy malicious files to arbitrary locations with system-level privileges, which enables DLL pre-loading, DLL hijacking, and other related attacks.
To exploit this vulnerability, the attacker needs valid credentials on the Windows system.
CVSS Score: 6.5
Severity: Medium
Recommendation
Organizations should upgrade affected hosts to Cisco AnyConnect Secure Mobility Client for Windows Release 4.9.00086 or later as soon as possible, and apply the latest security updates going forward, to mitigate these risks.
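As an added example (not part of the original advisory or of Cisco's own tooling), the following PowerShell snippet checks a Windows host's installed AnyConnect release against the fixed release 4.9.00086 stated above. It assumes the client registers itself under the standard Uninstall registry keys with a DisplayName containing "AnyConnect Secure Mobility Client"; that exact DisplayName string is an assumption.

```powershell
# Added example: flag AnyConnect installs older than the fixed release
# (4.9.00086, per the advisory). Run in an elevated PowerShell session.
$FixedRelease = [version]'4.9.00086'

# Standard Uninstall hives for 64-bit and 32-bit installers.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the client's uninstall entry carries a DisplayName like this.
$NamePattern = '*AnyConnect Secure Mobility Client*'

$installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern }

if (-not $installs) {
    Write-Output 'AnyConnect Secure Mobility Client not found in Uninstall keys.'
    return
}

foreach ($app in $installs) {
    $installed = $null
    # [version] needs a dotted numeric string (e.g. 4.8.03052); report anything else.
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$installed)) {
        Write-Output ("{0}: could not parse version '{1}'" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }
    if ($installed -lt $FixedRelease) {
        Write-Output ("VULNERABLE: {0} {1} is prior to {2} (CVE-2020-3433, CVE-2020-3153)" -f `
            $app.DisplayName, $installed, $FixedRelease)
    } else {
        Write-Output ("OK: {0} {1} is at or above {2}" -f $app.DisplayName, $installed, $FixedRelease)
    }
}
```

The comparison relies on System.Version ordering, so a build number such as 00086 is compared numerically rather than as text.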