PoC exploit released for Cisco AnyConnect, Secure Client vulnerability (CVE-2023-20178)

Proof-of-concept (PoC) exploit code for the high-severity vulnerability (CVE-2023-20178) in Cisco Secure Client Software for Windows and Cisco AnyConnect Secure Mobility Client Software for Windows has been published.

About the vulnerability

Cisco Secure Client Software – previously known as Cisco AnyConnect Secure Mobility Client – is unified endpoint security software designed to assist businesses in expanding their network access capabilities and enabling remote employees to connect via both wired and wireless connections, including VPN.

In early June, Cisco published a security advisory about CVE-2023-20178, a vulnerability in the client update process of both Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows.

“This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges,” the Cisco advisory revealed.

The vulnerability has been reported by security researcher Filip Dragović. Since there are no workarounds, users have been advised to update the software as soon as possible, to either AnyConnect Secure Mobility Client for Windows 4.10MR7 or Cisco Secure Client Software for Windows 5.0MR2.

The flaw does not affect Cisco AnyConnect Secure Mobility Client and Cisco Secure Client for Linux and macOS, nor Cisco Secure Client-AnyConnect for Android and iOS.

CVE-2023-20178 PoC

On Thursday, Cisco confirmed that a PoC exploit has been published by the same researcher. Dragović tested the PoC on Cisco Secure Client 5.0.01242 and Cisco AnyConnect 4.10.06079.

“When a user connects to vpn, vpndownloader.exe process is started in background and it will create directory in c:\windows\temp with default permissions in following format: .tmp,” Dragović explained.

“After creating this directory vpndownloader.exe will check if that directory is empty and if it’s not it will delete all files/directories in there. This behaviour can be abused to perform arbitrary file delete as NT Authority\SYSTEM account.”

The vulnerability is easy to weaponize, but attackers must first gain access to the target system by other means to be able to exploit it and elevate their (initially low) privileges.