==================================================================== CERT-Renater Note d'Information No. 2020/VULN658 _____________________________________________________________________ DATE : 07/12/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Cisco AnyConnect Secure Mobility Client Software versions prior to 4.9.04053. ===================================================================== https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK _____________________________________________________________________ Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability High Advisory ID: cisco-sa-anyconnect-ipc-KfQO9QhK First Published: 2020 November 4 16:00 GMT Last Updated: 2020 December 4 15:21 GMT Version 3.0: Final Workarounds: Yes Cisco Bug IDs: CSCvv30103 CVSS Score: Base 7.3 CVE-2020-3556 CWE-20 Summary A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user. Note: To successfully exploit this vulnerability, an attacker would need all of the following: Valid user credentials on the system on which the AnyConnect client is being run by the targeted user. To be able to log in to that system while the targeted user either has an active AnyConnect session established or establishes a new AnyConnect session. To be able to execute code on that system. Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK Affected Products Vulnerable Products This vulnerability affects all versions of the Cisco AnyConnect Secure Mobility Client Software for the following platforms if they have a vulnerable configuration. AnyConnect Secure Mobility Client for Windows AnyConnect Secure Mobility Client for MacOS AnyConnect Secure Mobility Client for Linux Note: The following configuration settings are located in the AnyConnectLocalPolicy.xml file. The AnyConnectLocalPolicy.xml file can be found at the following locations: Windows::\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ macOS: /opt/cisco/anyconnect/ Linux: /opt/cisco/anyconnect/ Cisco AnyConnect Secure Mobility Client Software 4.9.04053 and Later This vulnerability affects all versions of the Cisco AnyConnect Secure Mobility Client Software 4.9.04053 and later if RestrictScriptWebDeploy is set to the default value of false. To verify the RestrictScriptWebDeploy configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line: false If RestrictScriptWebDeploy is set to false, the RestrictScriptWebDeploy is disabled and the device is affected by this vulnerability. If RestrictScriptWebDeploy is set to true, the RestrictScriptWebDeploy is enabled and the device is not affected by this vulnerability. See the Workarounds section for additional optional but recommended settings. Cisco AnyConnect Secure Mobility Client Software Earlier than 4.9.04053 This vulnerability affects all versions of the Cisco AnyConnect Secure Mobility Client Software earlier than 4.9.04053 if BypassDownloader is set to the default value of false. To verify the BypassDownloader configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line: false If Bypass Downloader is set to false, the BypassDownloader is disabled and the device is affected by this vulnerability. If BypassDownloader is set to true, the BypassDownloader is enabled and the device is not affected by this vulnerability. Note: Setting the BypassDownloader to true is not a recommended configuration. See the Workarounds section for more details. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. This vulnerability does not affect Cisco AnyConnect Secure Mobility Client for the Apple iOS and Android platforms. Details Details about the vulnerability are as follows. This vulnerability is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device. This vulnerability is not remotely exploitable, as it requires local credentials on the end-user device for the attacker to take action on the local system. This vulnerability is not a privilege elevation exploit. The scripts run at the user level by default. If the local AnyConnect user manually raises the privilege of the User Interface process, the scripts would run at elevated privileges. This vulnerability’s CVSS score is high because, for configurations where the vulnerability is exploitable, it allows one user access to another user’s data and execution space. Workarounds Workarounds that address this vulnerability were introduced in Defect CSCvw48062. The recommended workaround is to upgrade to Release 4.9.04053 and edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true. Ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment. There are additional configuration settings for Release 4.9.04053 and later that are strongly recommended to be set for increased protection. The full set of custom web-deploy restrictions are listed below. For more details on the new configuration settings and implications of their use, refer to the Release Notes or CSCvw48062. RestrictScriptWebDeploy RestrictHelpWebDeploy RestrictResourceWebDeploy RestrictLocalizationWebDeploy Cisco AnyConnect Secure Mobility Client Software 4.9.04053 and Later The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights. Find the AnyConnectLocalPolicy.xml file on the client machine. This file can be found at the following locations: Windows::\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ macOS:/opt/cisco/anyconnect/ Linux:/opt/cisco/anyconnect/ Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines: falsefalsefalsefalse Change that setting to true, as shown in the following example: truetruetruetrue Verify that the BypassDownloader setting is correct by looking for the following line: false If the BypassDownloader setting is true, change it to false, as shown in the following example: false Save the file to the original location. The network paths are noted above. Restart the VPN Agent service or reboot the client machine. Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053 For customers who have already applied the BypassDownloader mitigation For customers who have already applied the BypassDownloader mitigation on a version earlier than Release 4.9.04053, nothing further needs to be done to be protected against the exploit. Since this mitigation is not recommended, customers could upgrade to Release 4.9.04053 out-of-band and follow the Release 4.9.04053 recommended workaround listed above. This would allow profile updates and future software upgrades while protecting against the exploit. For customers who cannot upgrade to Release 4.9.04053 For customer who cannot upgrade to Release 4.9.04053 and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the Bypass Downloader setting is a possible mitigation. Warning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend. Note: Enabling the Bypass Downloader setting can be done only out-of-band on the client devices and has a couple of implications: All future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device. AnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection. The procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to theAnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights. Find the AnyConnectLocalPolicy.xml file on the client machine. This file can be found at the following locations: Windows::\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ macOS:/opt/cisco/anyconnect/ Linux: /opt/cisco/anyconnect/ Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following line: false Change that setting to true, as shown in the following example: true Save the file to the original location. The network paths are noted above Restart the VPN Agent service or reboot the client machine. Fixed Software Cisco will release free software updates that will address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Cisco has released software updates that provide a workaround for the vulnerability described in this advisory via enhancement CSCvw48062. CSCvw48062 provides the four new web-deploy settings used in the workaround. Cisco will fix this vulnerability in a future release of Cisco AnyConnect Secure Mobility Client Software. Exploitation and Public Announcements The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory. Source Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) for reporting this vulnerability. URL https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK Revision History Version Description Section Status Date 3.0 Added information about the enhancement CSCvw48062. Summary, Vulnerable Products, Work Arounds, Fixed Releases Final 2020-DEC-04 2.2 Added additional details on the vulnerability. Clarified the mitigation. Details, Workarounds Final 2020-NOV-10 2.1 Clarified mitigation information. Workarounds Final 2020-NOV-09 2.0 Clarified the requirements for a successful attack. Corrected information about vulnerable configurations and mitigations. Summary, Vulnerable Products, Workarounds Final 2020-NOV-05 1.0 Initial public release. — Final 2020-NOV-04 Legal Disclaimer THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products. ========================================================= + CERT-RENATER       |    tel : 01-53-94-20-44          + + 23/25 Rue Daviel   |    fax : 01-53-94-20-41         + + 75013 Paris        |    email:cert@support.renater.fr + =========================================================