Advisory No: TZCERT/SA/2020/11/11
Date of First Release: 11th November 2020
Software Affected: AnyConnect Secure Mobility Client for Linux, Windows and macOS
A vulnerability exists in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client software that could allow an authenticated user to execute code through the AnyConnect user.
The vulnerability is caused by a lack of authentication on the AnyConnect client IPC listener, which could allow an attacker to execute malicious scripts by sending specially crafted IPC messages. Exploitation requires the attacker to have valid credentials on the system running the AnyConnect client.
This vulnerability affects all versions of the software in which the Bypass Downloader setting is left at its default value of false. If Bypass Downloader is set to true, the bypass is enabled and the device is not affected by this vulnerability.
Successful exploitation of the vulnerability could allow an adversary to execute code on the affected system.
Cisco has not issued any workarounds or patches that address this vulnerability. However, users and administrators are advised to verify the Bypass Downloader configuration on a VPN client system and change the value to true.
To change Bypass Downloader configuration, perform the following:
- Locate the AnyConnectLocalPolicy.xml file on the client machine. The file can be found at this location:
  - Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
  - Linux: /opt/cisco/anyconnect/
  - macOS: /opt/cisco/anyconnect/
- Open the file in any text editor and change the setting to true, as shown below:
  - Default value: <BypassDownloader>false</BypassDownloader>
  - Change value to: <BypassDownloader>true</BypassDownloader>
- Save the file and restart the computer.
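
The check and edit in the steps above can be scripted so that many clients are audited the same way. The Python below is an added example, not part of this advisory or of Cisco's tooling; the function names, the sample policy, its namespace and the OtherSetting element are constructed for illustration, and the caller supplies the real file path for the platform.

```python
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample policy (placeholder namespace and OtherSetting element).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="urn:example:constructed-namespace">
  <BypassDownloader>false</BypassDownloader>
  <OtherSetting>false</OtherSetting>
</AnyConnectLocalPolicy>
"""

# Matches only the plain element form shown in the advisory.
ELEMENT = re.compile(rb"(<BypassDownloader>)[^<]*(</BypassDownloader>)")


def bypass_downloader_state(path):
    """Return the element's value lowercased ('true'/'false'), or 'absent'."""
    root = ET.parse(path).getroot()
    for elem in root.iter():
        # Compare local names so an xmlns on the root does not hide the element.
        if elem.tag.rsplit("}", 1)[-1] == "BypassDownloader":
            return (elem.text or "").strip().lower()
    return "absent"


def enable_bypass_downloader(path):
    """Set BypassDownloader to true in place; returns True if the file changed."""
    path = Path(path)
    state = bypass_downloader_state(path)
    if state == "true":
        return False  # already in the unaffected configuration
    if state == "absent":
        raise ValueError(f"{path}: no BypassDownloader element, edit by hand")
    # Keep a copy of the original policy next to it before editing.
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    # Byte-level substitution leaves every other setting exactly as it was.
    new_data, count = ELEMENT.subn(rb"\1true\2", path.read_bytes(), count=1)
    if count != 1:
        raise ValueError(f"{path}: element not in the expected plain form")
    path.write_bytes(new_data)
    # Re-parse to confirm the file is still valid XML with the new value.
    return bypass_downloader_state(path) == "true"
```

Writing the policy file normally requires administrator or root rights, and the restart from the last step is still needed afterwards.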