====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN605
_____________________________________________________________________

DATE                : 06/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco AnyConnect Secure Mobility
                                    Client Software.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
_____________________________________________________________________

Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution
Vulnerability

High

Advisory ID:       cisco-sa-anyconnect-ipc-KfQO9QhK
First Published:   2020 November 4 16:00 GMT
Last Updated:      2020 November 5 22:27 GMT
Version 2.0:       Final
Workarounds:       No workarounds available
Cisco Bug IDs:     CSCvv30103
CVSS Score:        Base 7.3

CVE-2020-3556
CWE-20


Summary

    A vulnerability in the interprocess communication (IPC) channel of
Cisco AnyConnect Secure Mobility Client Software could allow an
authenticated, local attacker to cause a targeted AnyConnect user to
execute a malicious script.

    The vulnerability is due to a lack of authentication to the IPC
listener. An attacker could exploit this vulnerability by sending
crafted IPC messages to the AnyConnect client IPC listener. A successful
exploit could allow an attacker to cause the targeted AnyConnect user to
execute a script. This script would execute with the privileges of the
targeted AnyConnect user.

    Note: To successfully exploit this vulnerability, an attacker would
need all of the following:
        Valid user credentials on the system on which the AnyConnect
client is being run by the targeted user.
        To be able to log in to that system while the targeted user
either has an active AnyConnect session established or establishes a new
AnyConnect session.
        To be able to execute code on that system.

    Cisco has not released software updates that address this
vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK


Affected Products

    Vulnerable Products

    This vulnerability affects all versions of the Cisco AnyConnect
Secure Mobility Client Software for the following platforms if they have
Bypass Downloader set to its default value of false:
        AnyConnect Secure Mobility Client for Linux
        AnyConnect Secure Mobility Client for MacOS
        AnyConnect Secure Mobility Client for Windows

    To verify the Bypass Downloader configuration on a VPN client
system, open the AnyConnectLocalPolicy.xml file and look for the
following line:

        <BypassDownloader>false</BypassDownloader>

    If Bypass Downloader is set to false, as in the preceding example,
Bypass Downloader is disabled and the device is affected by this
vulnerability. If Bypass Downloader is set to true, Bypass Downloader is
enabled and the device is not affected by this vulnerability.

    Note: The AnyConnectLocalPolicy.xml file can be found at the
following location:
        Linux: /opt/cisco/anyconnect/
        macOS: /opt/cisco/anyconnect/
        Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect
Secure Mobility Client\
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
advisory are known to be affected by this vulnerability.

    This vulnerability does not affect Cisco AnyConnect Secure Mobility
Client for the Apple iOS and Android platforms.


Workarounds

    There are no workarounds that address this vulnerability.

    Customers who do not require updated content on the VPN head-end
device to be downloaded to the client can enable the Bypass Downloader
setting.

    Note: Enabling the Bypass Downloader setting can be done only
out-of-band on the client devices and has a couple of implications:
        All future updates to either Cisco AnyConnect Secure Mobility
Client Software or the AnyConnect profile would have to be done
out-of-band. AnyConnect will no longer download updated content from the
head-end device.

        AnyConnect profiles would still need to be in sync between the
head-end device and the client. Otherwise a VPN connection could be
established with default settings.

    To enable the Bypass Downloader setting, do the following:

        Find the AnyConnectLocalPolicy.xml file on the client machine.
This file can be found at the following location:
                Linux: /opt/cisco/anyconnect/
                macOS: /opt/cisco/anyconnect/
                Windows: <DriveLetter>:\ProgramData\Cisco\Cisco
AnyConnect Secure Mobility Client\

        Open the AnyConnectLocalPolicy.xml file in a text editor and
look for the following line:

            <BypassDownloader>false</BypassDownloader>

        Change that setting to true, as shown in the following example:

            <BypassDownloader>true</BypassDownloader>

        Save the file to the original location.
        Restart the VPN Agent service or reboot the client machine.


Fixed Software

    Cisco will release free software updates that will address the
vulnerability described in this advisory. Customers may only install and
expect support for software versions and feature sets for which they
have purchased a license. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to follow the
terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they
have a valid license, procured from Cisco directly, or through a Cisco
authorized reseller or partner. In most cases this will be a maintenance
upgrade to software that was previously purchased. Free security
software updates do not entitle customers to a new software license,
additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to
regularly consult the advisories for Cisco products, which are available
from the Cisco Security Advisories page, to determine exposure and a
complete upgrade solution.

    In all cases, customers should ensure that the devices to be
upgraded contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their contracted
maintenance providers.


    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of entitlement
to a free upgrade.


    Fixed Releases

    Cisco has not released software updates that address this
vulnerability. Cisco plans to fix this vulnerability in a future release
of Cisco AnyConnect Secure Mobility Client Software.


Exploitation and Public Announcements

    The Cisco Product Security Incident Response Team (PSIRT) is aware
that proof-of-concept exploit code is available for the vulnerability
described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the
vulnerability that is described in this advisory.


Source

    Cisco would like to thank Gerbert Roitburd from Secure Mobile
Networking Lab (TU Darmstadt) for reporting this vulnerability.


URL


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK


Revision History

Version 	Description 	Section 	Status 	Date

 2.0 	Clarified the requirements for a successful attack. Corrected
information about vulnerable configurations and mitigations. 	Summary,
Vulnerable Products, Workarounds 	Final 	2020-NOV-05

 1.0 	Initial public release. 	— 	Final 	2020-NOV-04


Legal Disclaimer

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that
omits the distribution URL is an uncontrolled copy and may lack
important information or contain factual errors. The information in this
document is intended for end users of Cisco products.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================