Moderate
CVE-2023-20178
Description
A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.
This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.
Ratings
- Attacker Value: Medium
- Exploitability: Very High
Technical Analysis
A security flaw has been discovered in the client update procedure of both Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. This vulnerability could potentially enable a local attacker with low privileges and authenticated access to elevate their privileges to the level of SYSTEM. The client update process is triggered upon the establishment of a successful VPN connection.
When a user connects to the VPN, a background process called vpndownloader.exe is initiated. This process creates a directory in the c:\windows\temp location with default permissions, following the format <random numbers>.tmp. Subsequently, vpndownloader.exe checks if the directory is empty, and if not, it proceeds to delete all files and directories within it. This particular behavior can be exploited to carry out arbitrary file deletions under the NT Authority\SYSTEM account.
The vulnerability stems from the improper assignment of permissions to a temporary directory generated during the update process. An attacker can take advantage of a specific function within the Windows installer process to exploit this vulnerability. If successfully exploited, the attacker could execute code with SYSTEM privileges.
To mitigate this vulnerability, Cisco has released software updates that specifically address the issue. Unfortunately, there are no workarounds available to rectify the vulnerability apart from applying the provided software updates.
A Proof of Concept (PoC) has been released and can be found in the reference links.
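As an added defensive check (not code from the assessment above, from AttackerKB, or from Cisco), the following PowerShell script audits C:\Windows\Temp for *.tmp directories whose ACL grants ordinary local users write or delete rights, which is the permission pattern the assessment describes; the list of low-privilege principals is an assumption about default local groups.

```powershell
# Added audit example: report *.tmp directories under C:\Windows\Temp that grant
# broad, low-privilege principals write or delete rights. A directory like that,
# later emptied by a SYSTEM process, is the pattern described above.
# Run from an elevated PowerShell session so every ACL can be read.

# Assumption: these are the groups an ordinary local user belongs to.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

# Rights that let such a principal plant or remove content in the directory.
$dangerousRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakTempDirectory {
    param([string]$Root = 'C:\Windows\Temp')

    Get-ChildItem -LiteralPath $Root -Directory -Filter '*.tmp' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            foreach ($ace in $acl.Access) {
                # Only Allow ACEs for low-privilege principals carrying write/delete bits matter.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $dangerousRights) -eq 0) { continue }
                [pscustomobject]@{
                    Directory = $_.FullName
                    Owner     = $acl.Owner
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # True: the ACE was inherited from the parent's default ACL
                }
            }
        }
}

Get-WeakTempDirectory | Format-Table -AutoSize
```

A directory owned by SYSTEM that still shows an inherited Allow entry for BUILTIN\Users with write or delete rights is the case worth investigating; an empty result means no such directory exists at the moment the script runs.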
General Information
Vendors
- cisco
Products
- anyconnect secure mobility client
- secure client