
Cisco reveals major AnyConnect VPN security flaw

[Image: VPN (Image credit: Shutterstock.com)]

Cisco has revealed a zero-day vulnerability in its AnyConnect Secure Mobility Client software for which proof-of-concept exploit code is publicly available online.

The vulnerability, tracked as CVE-2020-3556, could allow a threat actor to execute malicious code on a victim’s device. The flaw affects all AnyConnect client versions for Windows, Linux and Mac operating systems.

According to Cisco’s internal security team, however, the bug has not yet been exploited in the wild, and devices running AnyConnect with its default configuration are not at risk. Exploiting this flaw requires both the Auto Update setting and the Enable Scripting setting to be enabled, and Enable Scripting is disabled by default.

Mitigation strategies

Cisco has pledged to release a free software update to address this vulnerability, although no timescale has been provided. There are currently no workarounds that address the bug, but mitigation options are available to users.

“A mitigation for this vulnerability is to disable the Auto Update feature. Additional details can be found in the Disabling AnyConnect Auto Update section of the Cisco AnyConnect Secure Mobility Client Administrator Guide,” the Cisco Security Advisory explained. “If the Auto Update feature cannot be disabled, disabling the Enable Scripting configuration setting would reduce the attack surface.”

Other positives include the fact that the Android and iOS versions of AnyConnect are not affected, and that any exploit requires an active AnyConnect session, which limits attack opportunities.
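The exposure condition and the advisory's mitigation order above can be turned into a configuration audit. The following is an added example, not Cisco's code or part of the original article: it parses a constructed AnyConnect client profile, flags the Auto Update plus Enable Scripting combination the advisory describes, and applies the primary mitigation. The element names (ClientInitialization/AutoUpdate, EnableScripting) follow the AnyConnect client profile XML; the sample profile content is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile, not taken from any real deployment. A real audit
# would read the XML from the client's Profile directory (path omitted here).
EXPOSED_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>
"""

def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _setting(root, name, default):
    """Boolean value of a profile element, or the product default when the
    element is absent (Auto Update defaults on, Enable Scripting off)."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip().lower() == "true"
    return default

def assess_profile(xml_text):
    """Report whether both settings CVE-2020-3556 requires are on and, per the
    Cisco advisory, which mitigation applies."""
    root = ET.fromstring(xml_text)
    auto_update = _setting(root, "AutoUpdate", default=True)
    scripting = _setting(root, "EnableScripting", default=False)
    exposed = auto_update and scripting
    if not exposed:
        advice = "not exposed: both Auto Update and Enable Scripting must be on"
    else:
        advice = ("exposed: disable Auto Update; if that is not possible, "
                  "disable Enable Scripting to reduce the attack surface")
    return {"auto_update": auto_update, "enable_scripting": scripting,
            "exposed": exposed, "advice": advice}

def mitigate_profile(xml_text):
    """Return the profile with Auto Update disabled (the advisory's primary
    mitigation), leaving every other element untouched."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "AutoUpdate":
            el.text = "false"
    return ET.tostring(root, encoding="unicode")
```

Running `assess_profile` on an empty `ClientInitialization` returns not exposed, matching the advisory's statement that default configurations are not at risk.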

The AnyConnect vulnerability is not the only security issue affecting Cisco products at the moment. A host of other bugs, affecting identity services, emails and Webex, are also being investigated.

Via BleepingComputer