Cisco reveals major AnyConnect VPN security flaw

(Image credit: Shutterstock.com)

Cisco has revealed a zero-day vulnerability affecting its AnyConnect Secure Mobility Client software that has a proof-of-concept exploit code publicly available online.

The vulnerability, tracked as CVE-2020-3556, could allow a threat actor to run malicious code through a victim’s device. The flaw affects all client versions of AnyConnect operating across Windows, Linux and Mac operating systems.

According to Cisco’s internal security team, however, the security bug has not yet been exploited in the wild, and the good news is that devices running versions of AnyConnect with default configurations are not at risk. This particular security flaw requires both the Auto Update setting and the Enable Scripting settings to be enabled. By default, Enable Scripting is disabled.

We've put together a list of the best business VPNs around
Protect your business with the best antivirus tools
We've also highlighted the best endpoint protection software

Mitigation strategies

Cisco has pledged to release a free software update to address this vulnerability, although no timescale has been provided. There are currently no workarounds that address the bug, but mitigation options are available to users.

“A mitigation for this vulnerability is to disable the Auto Update feature. Additional details can be found in the Disabling AnyConnect Auto Update section of the Cisco AnyConnect Secure Mobility Client Administrator Guide,” the Cisco Security Advisory explained. “If the Auto Update feature cannot be disabled, disabling the Enable Scripting configuration setting would reduce the attack surface.”

Other positives include the fact that the Android and iOS versions of AnyConnect are not affected and that any exploit requires an active AnyConnect session to be taking place, limiting attack opportunities.

The AnyConnect vulnerability is not the only security issue affecting Cisco products at the moment. A host of other bugs, affecting identity services, emails and Webex, are also being investigated.

Also check out our list of the best malware removal tools on the market

Via BleepingComputer

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.