A patch for a high-severity vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software is now available, and deploying it is strongly encouraged. Customers must take action to deploy this patch.
As with any update, please use your change management process to ensure your users have the least disruption possible.
If exploited, the vulnerability could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.
To successfully exploit this vulnerability, an attacker would need all of the following:
The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener.
The first fixed release of software available is AnyConnect version 4.10.00093.
This software needs to be installed on user machines that require AnyConnect to VPN into their corporate environment. Because the installation of software typically requires administrator privileges on the local machine, customers must install this themselves.
Some customers disseminate software patches and installation through Microsoft System Center Configuration Manager. They need to upload the software to their SCCM server, and then push the installation of the software out to the end-user machines that require it.
If you are in need of assistance in obtaining the fixed version of the software or testing and implementing it, feel free to contact tbl's support desk, and we would be happy to assist however we are able.
Please migrate your AnyConnect software to version 4.10.00093 as soon as you are able.
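When planning the rollout, it helps to know which machines are still below the first fixed release. The script below is an added example, not Cisco's or tbl's tooling: it assumes a constructed host/version inventory export (the column names and sample rows are hypothetical) and compares versions numerically, because a plain text comparison would rank 4.9.x above 4.10.x.

```python
import csv
import io

FIRST_FIXED = "4.10.00093"  # first fixed release named in this notice


def parse_version(text):
    """Turn '4.10.00093' into (4, 10, 93) so each field compares as a number."""
    parts = (text or "").strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AnyConnect version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(version, first_fixed=FIRST_FIXED):
    """True when the installed version is older than the first fixed release."""
    return parse_version(version) < parse_version(first_fixed)


def audit(inventory_csv):
    """Return (hosts_to_patch, hosts_with_unknown_version) from CSV text."""
    to_patch, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            if needs_update(row.get("version")):
                to_patch.append(row["host"])
        except ValueError:
            # Missing or malformed version: check the machine by hand.
            unknown.append(row["host"])
    return to_patch, unknown


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,version
LAPTOP-01,4.9.06037
LAPTOP-02,4.10.00093
LAPTOP-03,4.8.03052
LAPTOP-04,
LAPTOP-05,4.10.01075
"""

if __name__ == "__main__":
    patch, unknown = audit(SAMPLE)
    print("Needs update:", ", ".join(patch))
    print("Version unknown:", ", ".join(unknown))
```

Hosts reported as unknown should be treated as unpatched until their installed version is confirmed.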