A straightforward-to-use exploit was publicly launched this week for a patched vulnerability that impacts the broadly used Cisco AnyConnect Safe Mobility Consumer and Cisco Safe Consumer functions for Home windows. Attackers may leverage the exploit to raise their privileges on a sufferer’s system and take full management of it.
Cisco Safe Consumer for Home windows, beforehand referred to as Cisco AnyConnect Safe Mobility Consumer earlier than model 5.0, is an software that integrates with a number of Cisco endpoint safety and administration platforms and applied sciences together with its AnyConnect VPN and zero-trust community entry (ZTNA) platform, which is standard with enterprises.
The software program’s recognition has made it a goal for attackers earlier than. In October 2022, Cisco up to date its advisories for 2 privilege escalation vulnerabilities, which had been initially patched within the AnyConnect Consumer in 2020, to warn clients that they had been being exploited within the wild. On the identical time, the US Cybersecurity and Infrastructure Safety Company (CISA) added the issues, tracked as CVE-2020-3433 and CVE-2020-3153, to its Recognized Exploited Vulnerabilities Catalog that every one authorities companies have a deadline to patch.
Native privilege escalation vulnerabilities will not be rated with vital severity as a result of they require an attacker to have already got some entry to execute code on the working system. Nonetheless, this does not imply they aren’t severe or invaluable for attackers, particularly in a lateral motion context.
Workers who’ve the Cisco AnyConnect consumer on their company-issued computer systems to allow them to entry the group’s community by way of VPN do not sometimes have administrator privileges on their techniques. If attackers handle to trick a person to execute a bug, that code will run with their restricted privileges. That is perhaps sufficient for primary information theft from the person’s functions however will not enable for extra subtle assaults like dumping native credentials saved in Home windows that would doubtlessly enable them to entry different techniques. Right here is the place native privilege escalation flaws come into play.
The CVE-2023-20178 exploit
The privilege escalation vulnerability Cisco patched earlier this month is tracked as CVE-2023-20178 and is attributable to the replace mechanism of Cisco AnyConnect Safe Mobility Consumer and Cisco Safe Consumer for Home windows.
Researcher Filip Dragovic, who discovered and reported the flaw to Cisco, explains in his proof-of-concept exploit posted on GitHub that each time a person establishes a VPN connection, the consumer software program executes a file known as vpndownloader.exe. This course of creates a listing within the c:windowstemp folder with default permissions and checks to see if it has any recordsdata inside, for instance from a earlier replace. If any recordsdata are discovered, it would delete them, however this motion is carried out with the NT AuthoritySYSTEM account, the very best privileged account on Home windows techniques.
Attackers can simply exploit this motion through the use of symlinks (shortcuts) to different recordsdata they create leading to an arbitrary file delete problem. How does a file delete develop into a file execution? By abusing a little-known function of the Home windows Installer service. Researchers from Pattern Micro’s Zero Day Initiative described the method intimately again in March 2022 and credited it to a researcher named Abdelhamid Naceri, who discovered and reported a special vulnerability within the Home windows Person Profile Service that equally led to arbitrary file deletion with SYSTEM privileges.
“This exploit has broad applicability in circumstances the place you’ve gotten a primitive for deleting, transferring, or renaming an arbitrary empty folder within the context of SYSTEM or an administrator,” the Pattern Micro researchers mentioned on the time.
Cisco up to date its advisory for CVE-2023-20178 to warn customers {that a} public exploit is now accessible. The corporate urges clients to improve Cisco AnyConnect Safe Mobility Consumer for Home windows to model 4.10MR7 (4.10.07061) or later, and the Cisco Safe Consumer for Home windows to model 5.0MR2 (5.0.02075) or later.
Copyright © 2023 IDG Communications, Inc.
