Cisco has discovered and fixed serious flaws in its Secure Client.


Cisco has released security updates that address two high-severity vulnerabilities in Secure Client. The vulnerabilities could lead to code execution and unauthorized remote access to VPN sessions. They are tracked as CVE-2024-20337 and CVE-2024-20338.

Cisco Secure Client is a security tool developed by Cisco that provides Virtual Private Network (VPN) access and Zero Trust Network Access (ZTNA) support, as well as security and monitoring capabilities.

Vulnerability CVE-2024-20337 (CVSS score 8.2)

The vulnerability is in the SAML authentication process of Cisco Secure Client. An unauthenticated remote attacker could exploit it to conduct a carriage return line feed (CRLF) injection attack against a user. The vulnerability is caused by insufficient validation of user-provided input. An attacker could trigger it by convincing the user to click a crafted link while establishing a VPN session. The advisory states, "Successful exploitation could allow an attacker to execute arbitrary script code in the browser or access sensitive browser-related information, including a valid SAML token.

The attacker could then use the token to establish remote access to the VPN session with the privileges of the affected user. Additional credentials for individual hosts and services behind the VPN endpoint would still be required for successful access." The vulnerability affects the following Cisco products if a vulnerable version of the product is used and the VPN endpoint is configured using the SAML External Browser feature: Secure Client for Linux, Secure Client for macOS, and Secure Client for Windows.
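The article attributes CVE-2024-20337 to insufficient validation of user-provided input that allows CRLF injection. The added example below (not Cisco's code and not part of the original article) shows the general defensive check for this class: rejecting line breaks, including percent-encoded ones, before a value reaches an HTTP header. The redirect path, the `state` parameter and all function names are hypothetical, since the page does not say where in the SAML flow the input is used.

```python
import re
from urllib.parse import unquote

# C0 controls (CR, LF and, conservatively, TAB), DEL and Unicode line separators.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")
_TEMPLATE = "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n"
_PATH = "/login/complete?state="  # hypothetical endpoint and parameter


class HeaderInjectionError(ValueError):
    """A value destined for an HTTP header contains unsafe characters."""


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so %0d%0a and %250d%250a are both exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise HeaderInjectionError("value still encoded after %d rounds" % max_rounds)


def safe_header_value(user_input: str) -> str:
    """Return user_input unchanged if it is safe inside a header, else raise."""
    if not user_input.isascii():
        raise HeaderInjectionError("non-ASCII character in header value")
    if _FORBIDDEN.search(fully_decode(user_input)):
        raise HeaderInjectionError("control character in header value")
    return user_input


def build_redirect_unsafe(user_input: str) -> bytes:
    """Weak form: the value is concatenated into the header without validation."""
    return (_TEMPLATE % (_PATH + user_input)).encode("latin-1")


def build_redirect(user_input: str) -> bytes:
    """Hardened form: the value is validated before it reaches the header."""
    return (_TEMPLATE % (_PATH + safe_header_value(user_input))).encode("ascii")


if __name__ == "__main__":
    sample = "abc\r\nX-Injected: 1"  # constructed sample input
    print(build_redirect_unsafe(sample))  # response gains an extra header line
    try:
        build_redirect(sample)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```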

Vulnerability CVE-2024-20338 (CVSS score 7.3)

The vulnerability is in the ISE Posture (System Scan) module of Cisco Secure Client for Linux. An authenticated local attacker could exploit the vulnerability to escalate privileges on the affected device. The advisory states, "The vulnerability is caused by the use of an unpatched pathfinding element. An attacker could exploit the vulnerability by copying a malicious library to a specific directory on a file system and convincing an administrator to restart a specific process." "Successful exploitation could allow an attacker to execute arbitrary code on an infected device with root privileges." This vulnerability affects Cisco devices running a vulnerable version of Cisco Secure Client for Linux with the ISE Posture module installed.

Both vulnerabilities were discovered by Paulos Yibelo Mesfin of Amazon Security. No attacks exploiting these vulnerabilities in the wild are known so far.
