Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
3

CVE-2023-20178

Disclosure Date: June 07, 2023
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.

This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

Add Assessment

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

A security flaw has been discovered in the client update procedure of both Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. This vulnerability could potentially enable a local attacker with low privileges and authenticated access to elevate their privileges to the level of SYSTEM. The client update process is triggered upon the establishment of a successful VPN connection.

When a user connects to the VPN, a background process called vpndownloader.exe is initiated. This process creates a directory in the c:\windows\temp location with default permissions, following the format <random numbers>.tmp. Subsequently, vpndownloader.exe checks if the directory is empty, and if not, it proceeds to delete all files and directories within it. This particular behavior can be exploited to carry out arbitrary file deletions under the NT Authority\SYSTEM account.

The vulnerability stems from the improper assignment of permissions to a temporary directory generated during the update process. An attacker can take advantage of a specific function within the Windows installer process to exploit this vulnerability. If successfully exploited, the attacker could execute code with SYSTEM privileges.

To mitigate this vulnerability, Cisco has released software updates that specifically address the issue. Unfortunately, there are no workarounds available to rectify the vulnerability apart from applying the provided software updates.

A Proof of Concept (PoC) has been released and can be found in the reference links.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • cisco

Products

  • anyconnect secure mobility client,
  • secure client

Additional Info

Technical Analysis