A patch for a high-severity vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software is now available. Our customers must take action to deploy this patch, and we strongly encourage doing so.
As with any update, please use your change management process to ensure your users have the least disruption possible.
What could happen if the vulnerability is not fixed?
If exploited, the vulnerability could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.
An executed script could:
- Install ransomware or other malware
- Steal or destroy data on the local machine
- Cause a denial of service
- Brick the entire operating system of the impacted machine
To successfully exploit this vulnerability, an attacker would need all of the following:
- Valid user credentials on the system on which the AnyConnect client is being run by the targeted user
- To be able to log in to that system while the targeted user either has an active AnyConnect session established or establishes a new AnyConnect session
- To be able to execute code on that system
What is the cause of the vulnerability?
The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener.
What version of AnyConnect includes the patch?
The first fixed release of software available is AnyConnect version 4.10.00093.
How to fix the vulnerability
The fixed software must be installed on every user machine that uses AnyConnect to VPN into the corporate environment. Because installing software typically requires administrator privileges on the local machine, customers must perform the installation themselves.
Some customers distribute software patches and installations through Microsoft System Center Configuration Manager (SCCM). They need to upload the software to their SCCM server and then push the installation out to the end-user machines that require it.
If you are in need of assistance in obtaining the fixed version of the software or testing and implementing it, feel free to contact tbl's support desk, and we would be happy to assist however we are able.
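As an added example (not from the original advisory or from Cisco), a small Python audit script that flags AnyConnect installs older than the first fixed release, 4.10.00093, in an inventory export; the CSV rows are constructed sample data and the column names are assumed. Version strings must be compared numerically, component by component: a plain string comparison sorts 4.9.06037 after 4.10.00093 and would report a vulnerable machine as patched.

```python
import csv
import io
import re
from typing import Optional

# First fixed release named in the advisory.
FIXED_VERSION = "4.10.00093"

# Constructed sample inventory export (hostname, AnyConnect DisplayVersion).
# Hosts and versions are made up for this example; the column names are assumed.
SAMPLE_INVENTORY = """\
host,version
WS-001,4.9.06037
WS-002,4.10.00093
WS-003,4.8.03052
WS-004,4.10.01075
WS-005,
"""


def parse_version(s: str) -> Optional[tuple]:
    """Turn '4.9.06037' into (4, 9, 6037) so each component compares as a number.
    Returns None for an empty or non-numeric version string (e.g. AnyConnect absent)."""
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        return None
    return tuple(int(part) for part in s.split("."))


def is_patched(version: str) -> Optional[bool]:
    """True if version >= FIXED_VERSION, False if older, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed >= parse_version(FIXED_VERSION)


def audit(csv_text: str) -> dict:
    """Group hosts from a CSV export into patched / vulnerable / unknown buckets."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        state = is_patched(row["version"])
        bucket = "unknown" if state is None else ("patched" if state else "vulnerable")
        result[bucket].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```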
When should you fix the vulnerability?
Please migrate your AnyConnect software to version 4.10.00093 as soon as you are able.