Cisco also disclosed high-severity vulnerabilities in its Webex and SD-WAN products.
Cisco has disclosed a zero-day vulnerability – for which there is not yet a patch – in the Windows, macOS and Linux versions of its AnyConnect Secure Mobility Client Software.
While Cisco said it is not aware of any exploits in the wild for the vulnerability, it said proof-of-concept (PoC) exploit code has been released, raising the risk that cybercriminals will leverage the flaw. The flaw (CVE-2020-3556) is an arbitrary code execution vulnerability with a CVSS score of 7.3 out of 10, making it high severity.
“Cisco has not released software updates that deal with this vulnerability,” according to Cisco’s Wednesday advisory. “Cisco plans to deal with this vulnerability in a future release of Cisco AnyConnect Secure Mobility Client Software.”
AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features, and roaming protection) for endpoints.
The flaw could allow an attacker to cause a targeted AnyConnect user to execute a malicious script – however, in order to launch an attack a cybercriminal would need to be authenticated and on the local network.
“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack,” according to Cisco. “To exploit this vulnerability, the attacker would also need valid user credentials on the system on which the AnyConnect client is being run.”
According to Cisco, the vulnerability exists in the interprocess communication (IPC) channel. IPC is a set of programming interfaces that allows a program to handle many user requests at the same time. In this case, the IPC listener lacks authentication.
“An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener,” according to Cisco. “A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”
Though there are no workarounds that address this vulnerability, one mitigation is to disable the Auto Update and Enable Scripting features. That is because a vulnerable configuration requires both the Auto Update setting and the Enable Scripting setting to be enabled. Auto Update is enabled by default, and Enable Scripting is disabled by default, said Cisco.
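The configuration condition described above can be checked across client profiles. The following is an added example, not code from Cisco or the original article: a small Python check that reads an AnyConnect client profile and reports whether both settings are enabled. The element names `AutoUpdate` and `EnableScripting`, the XML namespace and the sample profiles are assumptions about the profile schema and should be verified against the profile files actually deployed.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the article: Auto Update on, Enable Scripting off.
# Element names are assumed to match the profile schema.
DEFAULTS = {"AutoUpdate": True, "EnableScripting": False}

def _local(tag):
    """Strip an XML namespace prefix such as '{uri}AutoUpdate'."""
    return tag.rsplit("}", 1)[-1]

def read_settings(profile_xml):
    """Return the effective AutoUpdate / EnableScripting values of a profile."""
    settings = dict(DEFAULTS)
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        name = _local(elem.tag)
        # elem.text is the value before any child elements; absent means default.
        if name in settings and elem.text and elem.text.strip():
            settings[name] = elem.text.strip().lower() == "true"
    return settings

def is_exposed(profile_xml):
    """The vulnerable configuration requires BOTH settings to be enabled."""
    s = read_settings(profile_xml)
    return s["AutoUpdate"] and s["EnableScripting"]

# Constructed sample profiles (not taken from a real deployment).
SAMPLE_EXPOSED = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

SAMPLE_DEFAULTS = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization/>
</AnyConnectProfile>"""

SAMPLE_MITIGATED = SAMPLE_EXPOSED.replace(
    ">true</AutoUpdate>", ">false</AutoUpdate>")

if __name__ == "__main__":
    for label, xml in [("exposed", SAMPLE_EXPOSED),
                       ("defaults", SAMPLE_DEFAULTS),
                       ("mitigated", SAMPLE_MITIGATED)]:
        print(label, read_settings(xml), "EXPOSED" if is_exposed(xml) else "ok")
```

A profile that omits both elements falls back to the defaults the article cites, so it is reported as not exposed.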
Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) was credited with reporting the vulnerability.
Cisco on Wednesday issued updates for 13 other high-severity CVEs across multiple products. That includes an arbitrary code execution flaw (CVE-2020-3588) in Cisco’s Webex Meetings Desktop collaboration app, as well as three arbitrary code execution flaws (CVE-2020-3573, CVE-2020-3603, CVE-2020-3604) in its Webex Network Recording Player and Webex Player.
Flaws tied to seven CVEs were also found in Cisco SD-WAN, including a file creation bug (CVE-2020-26071), a privilege escalation flaw (CVE-2020-26074) and a denial-of-service (DoS) flaw (CVE-2020-3574).
Some parts of this article are sourced from:
threatpost.com