Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local

CVE-2023-20178

Disclosure Date: June 07, 2023

Description

A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.

This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

A security flaw has been discovered in the client update procedure of both Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. This vulnerability could potentially enable a local attacker with low privileges and authenticated access to elevate their privileges to the level of SYSTEM. The client update process is triggered upon the establishment of a successful VPN connection.

When a user connects to the VPN, a background process called vpndownloader.exe is initiated. This process creates a directory in the c:\windows\temp location with default permissions, following the format <random numbers>.tmp. Subsequently, vpndownloader.exe checks if the directory is empty, and if not, it proceeds to delete all files and directories within it. This particular behavior can be exploited to carry out arbitrary file deletions under the NT Authority\SYSTEM account.

The vulnerability stems from the improper assignment of permissions to a temporary directory generated during the update process. An attacker can take advantage of a specific function within the Windows installer process to exploit this vulnerability. If successfully exploited, the attacker could execute code with SYSTEM privileges.

To mitigate this vulnerability, Cisco has released software updates that specifically address the issue. Unfortunately, there are no workarounds available to rectify the vulnerability apart from applying the provided software updates.

A Proof of Concept (PoC) has been released and can be found in the reference links.
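The analysis above turns on two facts: vpndownloader.exe creates a <random numbers>.tmp directory under C:\Windows\Temp with whatever permissions that parent hands down, and it then deletes everything inside that directory as NT AUTHORITY\SYSTEM. The script below is an added audit helper, not code from this page, from the assessment author, or from Cisco. It lists the permissions C:\Windows\Temp grants to low-privileged identities, then walks any <digits>.tmp directories currently present and reports ACEs that would let such an identity create, write or delete entries inside them. The directory name pattern and the path are taken from the analysis; the list of "low-privileged" identities and the set of rights treated as dangerous are my own choices.

```powershell
# Added example: audit C:\Windows\Temp and any <digits>.tmp directories in it
# for ACEs that give a low-privileged identity write/delete rights.
# Not the AttackerKB page's, the assessment author's, or Cisco's code.

# Identities a non-admin interactive user typically holds. CREATOR OWNER is
# included because an inherited CREATOR OWNER ACE becomes rights for whoever
# creates a child inside the directory (my assumption about what to flag).
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone',
    'CREATOR OWNER'
)

# Rights that let a user plant or remove children in the directory. Any one of
# these is enough to matter for a SYSTEM "delete everything in here" routine.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-LowPrivAce {
    # Return the Allow ACEs on one path that grant a low-privileged identity
    # at least one of the dangerous rights.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $DangerousRights) -eq 0) { continue }
        [pscustomobject]@{
            Path       = $Path
            Owner      = $acl.Owner
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            AppliesTo  = $ace.InheritanceFlags   # tells you whether it propagates to new subfolders/files
        }
    }
}

function Get-WeakTempDirAce {
    # Walk the <random numbers>.tmp directories the updater creates (pattern
    # from the analysis above) and report weak ACEs on each.
    param([string]$Root = 'C:\Windows\Temp')

    Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+\.tmp$' } |
        ForEach-Object { Get-LowPrivAce -Path $_.FullName }
}

# 1. What the parent hands down: a directory created here "with default
#    permissions" inherits exactly these entries.
"== Low-privileged ACEs on C:\Windows\Temp =="
Get-LowPrivAce -Path 'C:\Windows\Temp' |
    Format-Table Identity, Rights, Inherited, AppliesTo -AutoSize

# 2. What any live updater temp directory actually carries right now.
"== Low-privileged ACEs on C:\Windows\Temp\<digits>.tmp directories =="
Get-WeakTempDirAce | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

The <digits>.tmp directory only exists while the client update step is running, so the second listing is usually empty; run the script during a VPN connection on a pre-patch build, or watch the parent's inherited entries, which are the part that matters. A directory owned by SYSTEM that still carries an inherited entry letting Users or CREATOR OWNER create or delete children is the condition the analysis describes; the fix is Cisco's software update, and the script only confirms whether the condition is present, it does not change any ACL.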

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • cisco

Products

  • anyconnect secure mobility client,
  • secure client

References

Exploit
The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
