-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3822.3
          Cisco AnyConnect Secure Mobility Client Vulnerabilities
                             10 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco AnyConnect Secure Mobility Client
Publisher:         Cisco Systems
Operating System:  Linux, macOS, Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Read-only Data Access           -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27123 CVE-2020-3556 

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Comment: This bulletin contains two (2) Cisco Systems security advisories.

Revision History:  November 10 2020: Vendor updated mitigation information for advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
                   November  6 2020: Vendor significantly updated advisory:  cisco-sa-anyconnect-ipc-KfQO9QhK
                   November  5 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability

Priority:        High

Advisory ID:     cisco-sa-anyconnect-ipc-KfQO9QhK

First Published: 2020 November 4 16:00 GMT

Last Updated:    2020 November 9 21:50 GMT

Version 2.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvv30103

CVE-2020-3556    

CWE-20

Summary

  o A vulnerability in the interprocess communication (IPC) channel of Cisco
    AnyConnect Secure Mobility Client Software could allow an authenticated,
    local attacker to cause a targeted AnyConnect user to execute a malicious
    script.

    The vulnerability is due to a lack of authentication to the IPC listener.
    An attacker could exploit this vulnerability by sending crafted IPC
    messages to the AnyConnect client IPC listener. A successful exploit could
    allow an attacker to cause the targeted AnyConnect user to execute a
    script. This script would execute with the privileges of the targeted
    AnyConnect user.

    Note: To successfully exploit this vulnerability, an attacker would need
    all of the following:

       o Valid user credentials on the system on which the AnyConnect client
         is being run by the targeted user.
       o To be able to log in to that system while the targeted user either
         has an active AnyConnect session established or establishes a new
         AnyConnect session.
       o To be able to execute code on that system.

    Cisco has not released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Affected Products

  o Vulnerable Products

    This vulnerability affects all versions of the Cisco AnyConnect Secure
    Mobility Client Software for the following platforms if they have Bypass
    Downloader set to its default value of false:

       o AnyConnect Secure Mobility Client for Linux
       o AnyConnect Secure Mobility Client for MacOS
       o AnyConnect Secure Mobility Client for Windows

    To verify the Bypass Downloader configuration on a VPN client system, open
    the AnyConnectLocalPolicy.xml file and look for the following line:

        <BypassDownloader>false</BypassDownloader>

    If Bypass Downloader is set to false, as in the preceding example, Bypass
    Downloader is disabled and the device is affected by this vulnerability. If
    Bypass Downloader is set to true, Bypass Downloader is enabled and the
    device is not affected by this vulnerability.

    Note: The AnyConnectLocalPolicy.xml file can be found at the following
    location:

       o Linux: /opt/cisco/anyconnect/
       o macOS: /opt/cisco/anyconnect/
       o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure
         Mobility Client\

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    This vulnerability does not affect Cisco AnyConnect Secure Mobility Client
    for the Apple iOS and Android platforms.

Workarounds

  o There are no workarounds that address this vulnerability.

    Customers who do not require updated content on the VPN head-end device to
    be downloaded to the client can enable the Bypass Downloader setting.

    Warning: Changing the BypassDownloader setting is not recommended in most
    customer environments. If the BypassDownloader is set to true, VPN users
    could be refused a connection from the VPN headend if their local VPN XML
    profiles are out of date with what is configured on the VPN headend.

    Note: Enabling the Bypass Downloader setting can be done only out-of-band
    on the client devices and has two implications:

       o All future updates to either Cisco AnyConnect Secure Mobility Client
         Software or the AnyConnect profile would have to be done out-of-band.
         AnyConnect will no longer download updated content from the head-end
         device.
       o AnyConnect profiles would still need to be in sync between the
         head-end device and the client. If the profiles are not in sync, the
         VPN connection could be established with default settings instead of
         with the settings on the headend or client. The VPN headend could
         also refuse the connection.

    The procedure that follows is for editing the policy on a local machine. In
    most deployment scenarios, the modification would be done to the
    AnyConnectLocalPolicy.xml file and then deployed to all client machines via
    an enterprise software management system. Any modifications to the
    AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

    To enable the Bypass Downloader setting, do the following:

     1. Find the AnyConnectLocalPolicy.xml file on the client machine. This
        file can be found at the following location:

           o Linux: /opt/cisco/anyconnect/
           o macOS: /opt/cisco/anyconnect/
           o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect
             Secure Mobility Client\

     2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for
        the following line:

            <BypassDownloader>false</BypassDownloader>

     3. Change that setting to true, as shown in the following example:

            <BypassDownloader>true</BypassDownloader>

     4. Save the file to the original location.
     5. Restart the VPN Agent service or reboot the client machine.
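    The Bypass Downloader check from the Vulnerable Products section and steps
    2 to 4 of the procedure above, as an added example that is not code from
    Cisco or from the advisory: a script that parses AnyConnectLocalPolicy.xml
    at the per-platform location the advisory lists, reports whether the client
    is affected by CVE-2020-3556, and, only when run with --enable, rewrites the
    one element. The sample policy embedded in it is constructed; the script
    name, its exit codes, and the decision to treat a missing BypassDownloader
    element as the documented default of false are assumptions of the example.

```python
"""Audit, and optionally change, the Bypass Downloader setting that
cisco-sa-anyconnect-ipc-KfQO9QhK uses to decide CVE-2020-3556 exposure.

Added example, not Cisco's code. It relies only on what the advisory states:
the file name, its per-platform directory, and that a value of false (the
documented default, which this script also assumes when the element is
missing) means the client is affected.
"""
import os
import platform
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

FILE_NAME = "AnyConnectLocalPolicy.xml"

# Constructed sample of a policy file, reduced to the elements this check
# needs. A real file carries a default XML namespace on the root element,
# which is why the parser below matches on local element names only.
SAMPLE_POLICY_VULNERABLE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.9">
<FipsMode>false</FipsMode>
<BypassDownloader>false</BypassDownloader>
</AnyConnectLocalPolicy>
"""

_SETTING_RE = re.compile(
    r"<BypassDownloader>\s*false\s*</BypassDownloader>", re.IGNORECASE
)


def default_policy_path() -> Path:
    """Location of the policy file per platform, as listed in the advisory."""
    if platform.system() == "Windows":
        base = Path(os.environ.get("ProgramData", r"C:\ProgramData"))
        return base / "Cisco" / "Cisco AnyConnect Secure Mobility Client" / FILE_NAME
    # Linux and macOS (platform.system() reports macOS as "Darwin")
    return Path("/opt/cisco/anyconnect") / FILE_NAME


def bypass_downloader_enabled(xml_text: str):
    """True/False for the BypassDownloader element, None if it is absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "BypassDownloader":
            return (elem.text or "").strip().lower() == "true"
    return None


def affected_by_cve_2020_3556(xml_text: str) -> bool:
    """Affected whenever Bypass Downloader is not enabled; an absent element
    is treated as the documented default of false (assumption of this example)."""
    return bypass_downloader_enabled(xml_text) is not True


def enable_bypass_downloader(xml_text: str):
    """Step 3 of the advisory's procedure as a textual edit, so the XML
    declaration, namespace and every other setting stay exactly as they were.
    Returns (new_text, number_of_elements_changed)."""
    return _SETTING_RE.subn("<BypassDownloader>true</BypassDownloader>", xml_text)


def main(argv) -> int:
    """Usage: check_bypass_downloader.py [--enable] [path]. Exit 0 if the
    client is not affected (or was just reconfigured), 1 if affected, 2 on error.
    Writing the file needs root or administrator rights, as the advisory notes."""
    enable = "--enable" in argv
    args = [a for a in argv[1:] if a != "--enable"]
    path = Path(args[0]) if args else default_policy_path()
    try:
        # newline="" keeps CRLF/LF exactly as found, so a rewrite touches one element only
        with open(path, encoding="utf-8", newline="") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}")
        return 2
    if not affected_by_cve_2020_3556(text):
        print(f"{path}: BypassDownloader is true -> not affected by CVE-2020-3556")
        return 0
    print(f"{path}: BypassDownloader is not true -> affected by CVE-2020-3556")
    if not enable:
        return 1
    new_text, changed = enable_bypass_downloader(text)
    if changed != 1:
        print("expected exactly one <BypassDownloader>false</BypassDownloader>; file not modified")
        return 2
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(new_text)
    print("BypassDownloader set to true; restart the VPN Agent service or reboot")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run without arguments the script is read-only and only reports exposure,
    which is the safe default for fleet-wide auditing. The rewrite is done as
    a text substitution rather than by re-serialising the parsed tree because a
    round trip through the XML library would rewrite the namespace prefixes and
    declaration of the real file; the script refuses to write unless exactly
    one element matched. Step 5 (restarting the VPN Agent service) is still
    manual, and the warning above about out-of-band updates and profile
    synchronisation applies unchanged.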

Fixed Software

  o Cisco will release free software updates that will address the
    vulnerability described in this advisory. Customers may only install and
    expect support for software versions and feature sets for which they have
    purchased a license. By installing, downloading, accessing, or otherwise
    using such software upgrades, customers agree to follow the terms of the
    Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco has not released software updates that address this vulnerability.
    Cisco plans to fix this vulnerability in a future release of Cisco
    AnyConnect Secure Mobility Client Software.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerability described
    in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerability that
    is described in this advisory.

Source

  o Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking
    Lab (TU Darmstadt) for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Revision History

  o +---------+--------------------------+-------------+--------+-------------+
    | Version |       Description        |   Section   | Status |    Date     |
    +---------+--------------------------+-------------+--------+-------------+
    | 2.1     | Clarified mitigation     | Workarounds | Final  | 2020-NOV-09 |
    |         | information.             |             |        |             |
    +---------+--------------------------+-------------+--------+-------------+
    |         | Clarified the            |             |        |             |
    |         | requirements for a       | Summary,    |        |             |
    |         | successful attack.       | Vulnerable  |        |             |
    | 2.0     | Corrected information    | Products,   | Final  | 2020-NOV-05 |
    |         | about vulnerable         | Workarounds |        |             |
    |         | configurations and       |             |        |             |
    |         | mitigations.             |             |        |             |
    +---------+--------------------------+-------------+--------+-------------+
    | 1.0     | Initial public release.  | -           | Final  | 2020-NOV-04 |
    +---------+--------------------------+-------------+--------+-------------+


- --------------------------------------------------------------------------------


Cisco AnyConnect Secure Mobility Client for Windows Arbitrary File Read
Vulnerability

Priority:        Medium

Advisory ID:     cisco-sa-anyconnect-file-read-LsvDD6Uh

First Published: 2020 November 4 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvv66094

CVE-2020-27123   

CWE-749

Summary

  o A vulnerability in the interprocess communication (IPC) channel of Cisco
    AnyConnect Secure Mobility Client for Windows could allow an authenticated,
    local attacker to read arbitrary files on the underlying operating system
    of an affected device.

    The vulnerability is due to an exposed IPC function. An attacker could
    exploit this vulnerability by sending a crafted IPC message to the
    AnyConnect process on an affected device. A successful exploit could allow
    the attacker to read arbitrary files on the underlying operating system of
    the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco AnyConnect
    Secure Mobility Client for Windows releases earlier than Release 4.9.03047.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco AnyConnect Secure Mobility Client for
    Windows releases 4.9.03047 and later contained the fix for this
    vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.
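    The fixed-release boundary stated above, turned into a triage check as an
    added example that is not code from Cisco or from the advisory: it parses
    AnyConnect version strings numerically and sorts a software inventory into
    hosts that still need the upgrade for CVE-2020-27123. The inventory lines
    are constructed, and how installed versions are collected is left to the
    reader's environment; the only fact taken from the advisory is that
    4.9.03047 and later contain the fix, so the constant should be re-checked
    against the bug ID details as the advisory recommends.

```python
"""Gate Cisco AnyConnect for Windows builds against the fixed release for
CVE-2020-27123 (cisco-sa-anyconnect-file-read-LsvDD6Uh): 4.9.03047 and
later contain the fix, per the advisory.

Added example, not Cisco's code. The inventory below is constructed; how you
collect installed versions (software inventory, endpoint agent, the client's
About dialog) depends on your environment. AnyConnect builds are written as
major.minor.build with a zero-padded build number, so they must be compared
numerically: as plain strings, "4.10.00093" sorts before "4.9.03047" and a
naive string comparison would flag a later build as vulnerable.
"""
FIXED_VERSION = "4.9.03047"   # from the advisory; re-check against CSCvv66094

# Constructed sample inventory: hostname,installed_version
SAMPLE_INVENTORY = """\
# hostname,anyconnect_version
laptop-01,4.9.03047
laptop-02,4.9.01095
laptop-03,4.10.00093
laptop-04,4.8.03052
laptop-05,unknown
"""


def parse_version(version: str) -> tuple:
    """'4.9.03047' -> (4, 9, 3047); raises ValueError on anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AnyConnect version: {version!r}")
    return tuple(int(p) for p in parts)


def file_read_fixed(version: str) -> bool:
    """True if this build is 4.9.03047 or later, compared numerically."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def triage(inventory: str) -> dict:
    """Split an inventory into hosts needing the upgrade and hosts whose
    version could not be parsed (to be checked by hand, never assumed fixed)."""
    result = {"upgrade": [], "unparsed": []}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            if not file_read_fixed(version):
                result["upgrade"].append((host, version))
        except ValueError:
            result["unparsed"].append((host, version))
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        for host, version in hosts:
            print(f"{bucket}: {host} ({version})")
```

    Unparseable versions are reported separately rather than silently skipped,
    because a host whose client version cannot be read is exactly the one most
    likely to be running an old or unmanaged build.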

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Antoine Goichot of PwC Luxembourg's Cybersecurity
    team for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-NOV-04  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----