-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3822.5
          Cisco AnyConnect Secure Mobility Client Vulnerabilities
                                24 May 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco AnyConnect Secure Mobility Client
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Read-only Data Access           -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27123 CVE-2020-3556 

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Revision History:  May      24 2021: Vendor updated BypassDownloader tagging examples for advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
                   December  7 2020: Vendor updated advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
                   November 10 2020: Vendor updated mitigation information for advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
                   November  6 2020: Vendor significantly updated advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
                   November  5 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability

Priority:        High
Advisory ID:     cisco-sa-anyconnect-ipc-KfQO9QhK
First Published: 2020 November 4 16:00 GMT
Last Updated:    2021 May 21 18:06 GMT
Version 4.1:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvv30103
CVE Names:       CVE-2020-3556
CWEs:            CWE-20

Summary

  o A vulnerability in the interprocess communication (IPC) channel of Cisco
    AnyConnect Secure Mobility Client Software could allow an authenticated,
    local attacker to cause a targeted AnyConnect user to execute a malicious
    script.

    The vulnerability is due to a lack of authentication to the IPC listener.
    An attacker could exploit this vulnerability by sending crafted IPC
    messages to the AnyConnect client IPC listener. A successful exploit could
    allow an attacker to cause the targeted AnyConnect user to execute a
    script. This script would execute with the privileges of the targeted
    AnyConnect user.

    Note: To successfully exploit this vulnerability, an attacker would need
    all of the following:

       o Valid user credentials on the system on which the AnyConnect client is
         being run by the targeted user.
       o To be able to log in to that system while the targeted user either has
         an active AnyConnect session established or establishes a new
         AnyConnect session.
       o To be able to execute code on that system.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Affected Products

  o Vulnerable Products

    This vulnerability affects all releases of Cisco AnyConnect Secure Mobility
    Client Software earlier than Release 4.10.00093 for the following platforms
    if they have a vulnerable configuration:

       o AnyConnect Secure Mobility Client for Windows
       o AnyConnect Secure Mobility Client for MacOS
       o AnyConnect Secure Mobility Client for Linux

    The following subsections describe how to determine vulnerability for
    specific releases of Cisco AnyConnect Secure Mobility Client Software. The
    release of Cisco AnyConnect Secure Mobility Client Software that is running
    on the end machine determines which configurations the user must check.

    The configuration settings discussed in the following subsections are in
    the AnyConnectLocalPolicy.xml file. This file is in the following
    locations:

       o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
       o macOS: /opt/cisco/anyconnect/
       o Linux: /opt/cisco/anyconnect/

    Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053,
    4.9.05042, and 4.9.06037

    The vulnerability described in this advisory affects Cisco AnyConnect
    Secure Mobility Client Software releases 4.9.04053, 4.9.05042, and
    4.9.06037 if RestrictScriptWebDeploy is set to the default value of false.

    To verify the RestrictScriptWebDeploy configuration setting on a VPN client
    system, open the AnyConnectLocalPolicy.xml file and look for the following
    line:

        <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>

    If RestrictScriptWebDeploy is set to false, RestrictScriptWebDeploy is
    disabled and the device is affected by this vulnerability. If
    RestrictScriptWebDeploy is set to true, RestrictScriptWebDeploy is enabled
    and the device is not affected by this vulnerability.

    See the Workarounds section for additional optional but recommended
    settings.

    Cisco AnyConnect Secure Mobility Client Software Releases Earlier than
    Release 4.9.04053

    The vulnerability described in this advisory affects all releases of Cisco
    AnyConnect Secure Mobility Client Software earlier than Release 4.9.04053
    if BypassDownloader is set to the default value of false.

    To verify the BypassDownloader configuration setting on a VPN client
    system, open the AnyConnectLocalPolicy.xml file and look for the following
    line:

        <BypassDownloader>false</BypassDownloader>

    If BypassDownloader is set to false, BypassDownloader is disabled and the
    device is affected by this vulnerability. If BypassDownloader is set to
    true, BypassDownloader is enabled and the device is not affected by this
    vulnerability.

    Note: Setting BypassDownloader to true is not a recommended configuration.
    See the Workarounds section for more details.
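    The release-dependent checks in the two subsections above (RestrictScriptWebDeploy
    for 4.9.04053, 4.9.05042 and 4.9.06037; BypassDownloader for releases earlier than
    4.9.04053; no configuration check needed at 4.10.00093 or later) reduce to a small
    decision function. The Python below is an example added to this bulletin, not Cisco
    code: the policy XML and the release strings other than 4.9.04053 and 4.10.00093 are
    constructed, and it assumes that every release from 4.9.04053 up to but not including
    4.10.00093 follows the rule the advisory states for the three releases it names.

```python
"""Classify an AnyConnect client's exposure to CVE-2020-3556 from its release
string and its AnyConnectLocalPolicy.xml, following the Affected Products rules
above. Added example for this bulletin, not Cisco code; sample data is constructed."""
import xml.etree.ElementTree as ET

FIXED_RELEASE = (4, 10, 93)      # 4.10.00093: fix included, no setting needed
RESTRICT_RELEASE = (4, 9, 4053)  # 4.9.04053: RestrictScriptWebDeploy governs

# Constructed sample policy. A default xmlns is declared so that the
# namespace stripping in policy_settings() is exercised.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.9.04053">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
  <RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
</AnyConnectLocalPolicy>
"""


def parse_release(release):
    """'4.9.04053' -> (4, 9, 4053). Comparing integers rather than strings keeps
    4.10.00093 above 4.9.06037 and makes the build field's leading zeros irrelevant."""
    parts = release.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised AnyConnect release string: %r" % release)
    return tuple(int(p) for p in parts)


def policy_settings(policy_xml):
    """Flatten the policy into {element name: lower-cased text}, dropping any
    namespace prefix so lookups can use the plain names from the advisory."""
    settings = {}
    for elem in ET.fromstring(policy_xml).iter():
        name = elem.tag.rsplit("}", 1)[-1]
        if elem.text and elem.text.strip():
            settings[name] = elem.text.strip().lower()
    return settings


def assess(release, policy_xml):
    """Return {'affected': bool, 'reason': str} for one client."""
    ver = parse_release(release)
    settings = policy_settings(policy_xml)
    if ver >= FIXED_RELEASE:
        return {"affected": False,
                "reason": "release 4.10.00093 or later contains the fix"}
    if ver >= RESTRICT_RELEASE:
        # Assumption: every release from 4.9.04053 up to 4.10.00093 follows the
        # rule the advisory states for 4.9.04053, 4.9.05042 and 4.9.06037.
        if settings.get("RestrictScriptWebDeploy") == "true":
            return {"affected": False,
                    "reason": "RestrictScriptWebDeploy is true (workaround applied)"}
        return {"affected": True,
                "reason": "RestrictScriptWebDeploy is false or absent (the default)"}
    # Earlier than 4.9.04053: only BypassDownloader=true removes exposure,
    # and the advisory does not recommend that setting.
    if settings.get("BypassDownloader") == "true":
        return {"affected": False,
                "reason": "BypassDownloader is true (mitigation applied, not recommended)"}
    return {"affected": True,
            "reason": "BypassDownloader is false or absent (the default)"}


if __name__ == "__main__":
    # Constructed release strings; only 4.9.04053 and 4.10.00093 appear in the advisory.
    for rel in ("4.8.03052", "4.9.04053", "4.10.00093"):
        print(rel, assess(rel, SAMPLE_POLICY))
```

    Run against a fleet inventory, the same function separates clients that need the
    4.10.00093 upgrade from those already covered by a workaround, and it treats a setting
    that is absent from the file as its documented default, which is how the client behaves.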

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    This vulnerability does not affect Cisco AnyConnect Secure Mobility Client
    for Apple iOS or Android platforms or for the Universal Windows Platform.

Details

  o Details about the vulnerability are as follows.

       o This vulnerability is not exploitable on laptops used by a single user,
         but instead requires valid logins for multiple users on the end-user
         device.
       o This vulnerability is not remotely exploitable, as it requires local
         credentials on the end-user device for the attacker to take action on
         the local system.
       o This vulnerability is not a privilege elevation exploit. The scripts
         run at the user level by default. If the local AnyConnect user manually
         raises the privilege of the User Interface process, the scripts would
         run at elevated privileges.
       o This vulnerability's CVSS score is high because, for configurations
         where the vulnerability is exploitable, it allows one user access to
         another user's data and execution space.

Workarounds

  o Workarounds that address this vulnerability were introduced in Cisco bug ID
    CSCvw48062 via new configuration settings. The new settings are available
    in releases 4.9.04053 and later. Cisco recommends using additional settings
    that were introduced in Release 4.10.00093 instead of using the settings
    introduced in 4.9.04053.

    The settings introduced in 4.10.00093 allow connections to trusted headends
    only, without any functionality loss. Additional information about the new
    settings is in the Recommendations section of this advisory.

    Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093

    Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 
    with no additional configuration required. See the Recommendations section
    for additional optional but recommended settings.

    Upgrade instructions for systems where workarounds were previously applied

    This section is relevant only to customers that had previously applied the
    workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or
    mitigation settings for releases earlier than Release 4.9.04053. If the
    workarounds or mitigations listed on this advisory were not previously
    used, use the normal upgrade process. More information about the normal
    upgrade process is in the Release Notes or Configuration Guide.

    The following instructions describe how to upgrade to Release 4.10.00093
    and remove the previously applied settings in the AnyConnectLocalPolicy.xml
    file. This file is in the following locations:

       o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
       o macOS: /opt/cisco/anyconnect/
       o Linux: /opt/cisco/anyconnect/

    +--------------+--------------------------------------+----------------------------------+
    | AnyConnect   | AnyConnectLocalPolicy.xml Settings   | Instructions                     |
    | Secure       |                                      |                                  |
    | Mobility     |                                      |                                  |
    | Client       |                                      |                                  |
    | Software     |                                      |                                  |
    | Release      |                                      |                                  |
    +--------------+--------------------------------------+----------------------------------+
    | Earlier than | Previously deployed                  | 1. Upgrade to 4.10 using a       |
    | 4.9.04053    | AnyConnectLocalPolicy.xml settings:  |    predeploy method.             |
    |              |                                      | 2. Redistribute the              |
    |              |   o BypassDownloader=true            |    AnyConnectLocalPolicy.xml     |
    |              |                                      |    file with new settings using  |
    |              | New AnyConnectLocalPolicy.xml        |    an out-of-band deployment     |
    |              | settings:                            |    method.                       |
    |              |                                      | 3. Apply the new 4.10 settings   |
    |              |   o BypassDownloader=false           |    shown in the Recommendations  |
    |              |                                      |    section.                      |
    +--------------+--------------------------------------+----------------------------------+
    | 4.9.04053,   | Previously deployed                  | 1. Upgrade to 4.10 using either  |
    | 4.9.05042,   | AnyConnectLocalPolicy.xml settings:  |    a predeploy or webdeploy      |
    | 4.9.06037    |                                      |    method.                       |
    |              |   o RestrictScriptWebDeploy=true     | 2. Redistribute^1 the            |
    |              |   o RestrictHelpWebDeploy=true       |    AnyConnectLocalPolicy.xml     |
    |              |   o RestrictResourceWebDeploy=true   |    file with new settings using  |
    |              |   o RestrictLocalizationWebDeploy    |    an out-of-band deployment     |
    |              |     =true                            |    method.                       |
    |              |   o BypassDownloader=false           | 3. Apply the new 4.10 settings   |
    |              |                                      |    shown in the Recommendations  |
    |              | New AnyConnectLocalPolicy.xml        |    section.                      |
    |              | settings:                            |                                  |
    |              |                                      |                                  |
    |              |   o RestrictScriptWebDeploy=false    |                                  |
    |              |   o RestrictHelpWebDeploy=false      |                                  |
    |              |   o RestrictResourceWebDeploy=false  |                                  |
    |              |   o RestrictLocalizationWebDeploy    |                                  |
    |              |     =false                           |                                  |
    |              |   o BypassDownloader=false           |                                  |
    +--------------+--------------------------------------+----------------------------------+

    ^1 Customers may leave the settings intact for RestrictScriptWebDeploy,
    RestrictHelpWebDeploy, RestrictResourceWebDeploy, and
    RestrictLocalizationWebDeploy if the restricted functionality is not
    required. If these settings remain true, files must be distributed using
    an out-of-band deployment method.

    Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053,
    4.9.05042, and 4.9.06037

    For customers who have already applied the RestrictScriptWebDeploy
    workaround

    For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have
    already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy,
    RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds,
    nothing further needs to be done to help ensure protection against
    exploitation of this vulnerability.

    To restore full functionality to the product, customers should upgrade to
    Release 4.10.00093 and apply the recommended settings shown in the
    Recommendations section. After full functionality is restored, customers
    can once again deploy files from the headend instead of using an
    out-of-band deployment method.

    For customers who cannot upgrade to Release 4.10.00093 or later

    For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot
    upgrade to Release 4.10.00093 or later, the recommended workaround for
    these releases is to edit the AnyConnectLocalPolicy.xml file to set
    RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to
    false. The new AnyConnectLocalPolicy.xml file would then be deployed to
    end machines using an out-of-band method of deployment.

    There are additional configuration settings for releases 4.9.04053,
    4.9.05042, and 4.9.06037 that are strongly recommended for increased
    protection. The full set of custom web-deploy restrictions is listed below.
    For more details about the new configuration settings and implications of
    their use, refer to the Release Notes or Cisco bug ID CSCvw48062. These
    settings would allow profile updates and future software upgrades while
    helping to protect against exploitation of this vulnerability.

       o RestrictScriptWebDeploy
       o RestrictHelpWebDeploy
       o RestrictResourceWebDeploy
       o RestrictLocalizationWebDeploy

    The following procedure is for editing the policy on a local machine. In
    most deployment scenarios, the modification would be done to the
    AnyConnectLocalPolicy.xml file and then deployed to all client machines
    using an out-of-band method of deployment such as an enterprise software
    management system. Any modifications to the AnyConnectLocalPolicy.xml file
    must be done with sudo or admin rights.

     1. Find the AnyConnectLocalPolicy.xml file on the client machine. This
        file is in the following locations:
           o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
           o macOS: /opt/cisco/anyconnect/
           o Linux: /opt/cisco/anyconnect/
     2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for
        the following lines:

        <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
        <RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
        <RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
        <RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>

     3. Change that setting to true, as shown in the following example:

        <RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
        <RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
        <RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
        <RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>

     4. Verify that the BypassDownloader setting is correct by looking for the
        following line:

            <BypassDownloader>false</BypassDownloader>

     5. If the BypassDownloader setting is true, change it to false, as shown
        in the following example:

            <BypassDownloader>false</BypassDownloader>

     6. Save the file to the original location. The network paths are noted
        above.
     7. Restart the VPN Agent service or reboot the client machine.

    Cisco AnyConnect Secure Mobility Client Software Earlier than Release
    4.9.04053

    For customers who have already applied the BypassDownloader mitigation

    For customers using releases earlier than Release 4.9.04053 who have
    already applied the BypassDownloader mitigation, nothing further needs to
    be done to enable protection against exploitation of this vulnerability.
    Because this mitigation is not recommended, customers could upgrade to
    Release 4.10.00093 and apply the recommended settings shown in the
    Recommendations section.

    For customers who cannot upgrade to Release 4.10.00093 or later

    For customers using releases earlier than Release 4.9.04053 who cannot
    upgrade to Release 4.10.00093 or later and/or do not require updated
    content on the VPN headend device to be downloaded to the client, enabling
    the BypassDownloader setting is a possible mitigation.

    Warning: Changing the BypassDownloader setting is not recommended in most
    customer environments. If BypassDownloader is set to true, VPN users
    could be refused a connection from the VPN headend if their local VPN XML
    profiles are out of date with what is configured on the VPN headend.

    Note: Enabling the BypassDownloader setting can be done only out-of-band on
    the client devices and has a couple of implications:

       o All future updates to either Cisco AnyConnect Secure Mobility Client
         Software or the AnyConnect profile would have to be done out-of-band.
         AnyConnect will no longer download updated content from the headend
         device.
       o AnyConnect profiles would still need to be in sync between the headend
         device and the client. If the profiles are not in sync, the VPN
         connection could be established with default settings instead of with
         settings on the headend or client. The VPN headend could also refuse
         the connection.

    The procedure that follows is for editing the policy on a local machine. In
    most deployment scenarios, the modification would be done to the
    AnyConnectLocalPolicy.xml file and then deployed to all client machines
    using an out-of-band method of deployment such as an enterprise software
    management system. Any modifications to the AnyConnectLocalPolicy.xml file
    must be done with sudo or admin rights.

     1. Find the AnyConnectLocalPolicy.xml file on the client machine. This
        file is in the following locations:
           o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
           o macOS: /opt/cisco/anyconnect/
           o Linux: /opt/cisco/anyconnect/
     2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for
        the following line:

            <BypassDownloader>false</BypassDownloader>

     3. Change that setting to true, as shown in the following example:

            <BypassDownloader>true</BypassDownloader>

     4. Save the file to the original location. The network paths are noted
        above.
     5. Restart the VPN Agent service or reboot the client machine.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in Cisco AnyConnect Secure Mobility Client
    Software releases 4.10.00093 and later.

Recommendations

  o Cisco AnyConnect Secure Mobility Client Software 4.10.00093 introduced new
    settings. It is now possible to individually allow/disallow scripts, help,
    resources, or localization updates in the local policy. These new settings
    are strongly recommended for increased protection. The full set of
    restrictions is listed below. For more details about the new configuration
    settings and implications of their use, refer to the AnyConnect Local
    Policy section of the administrator guide.

    +-----------------------------------------------+---------+--------------------------------+
    | Configuration Setting Name                    | Default | Recommended Configuration      |
    |                                               | Value   | Setting Value                  |
    +-----------------------------------------------+---------+--------------------------------+
    | StrictCertificateTrust                        | False   | True                           |
    | RestrictServerCertStore                       | False   | True                           |
    | AllowSoftwareUpdatesFromAnyServer             | True    | False                          |
    | AllowComplianceUpdatesModuleFromAnyServer     | True    | False                          |
    | AllowManagementVPNProfileUpdatesFromAnyServer | True    | False                          |
    | AllowISEPostureProfileUpdatesFromAnyServer    | True    | False                          |
    | AllowServiceProfileUpdatesFromAnyServer       | True    | False                          |
    | AllowScriptUpdatesFromAnyServer               | True    | False                          |
    | AllowHelpUpdatesFromAnyServer                 | True    | False                          |
    | AllowResourceUpdatesFromAnyServer             | True    | False                          |
    | AllowLocalizationUpdatesFromAnyServer         | True    | False                          |
    | ServerName                                    | Blank   | List of authorized servers.    |
    |                                               |         | Can use wildcards, for example |
    |                                               |         | *.cisco.com                    |
    +-----------------------------------------------+---------+--------------------------------+

    BypassDownloader is not a new setting, but ensure that it is set to false.

    +-----------------------------------------------+---------+--------------------------------+
    | Configuration Setting Name                    | Default | Recommended Configuration      |
    |                                               | Value   | Setting Value                  |
    +-----------------------------------------------+---------+--------------------------------+
    | BypassDownloader                              | False   | False                          |
    +-----------------------------------------------+---------+--------------------------------+

    To configure the recommended settings on Release 4.10.00093 and later, edit
    the AnyConnectLocalPolicy.xml file to change configuration values to the
    recommended values listed in the preceding table. The new
    AnyConnectLocalPolicy.xml file would then be deployed to end machines.

    The following procedure is for editing the policy on a local machine. In
    most deployment scenarios, the modification would be done to the
    AnyConnectLocalPolicy.xml file and then deployed to all client machines
    using an out-of-band method of deployment such as an enterprise software
    management system. Any modifications to the AnyConnectLocalPolicy.xml file
    must be done with sudo or admin rights.

     1. Find the AnyConnectLocalPolicy.xml file on the client machine. This
        file is in the following locations:
           o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
           o macOS: /opt/cisco/anyconnect/
           o Linux: /opt/cisco/anyconnect/
     2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for
        the following lines:

        <BypassDownloader>false</BypassDownloader>
        <StrictCertificateTrust>true</StrictCertificateTrust>
        <RestrictServerCertStore>true</RestrictServerCertStore>
        <AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
        <AllowComplianceUpdatesModuleFromAnyServer>false</AllowComplianceUpdatesModuleFromAnyServer>
        <AllowManagementVPNProfileUpdatesFromAnyServer>false</AllowManagementVPNProfileUpdatesFromAnyServer>
        <AllowISEPostureProfileUpdatesFromAnyServer>false</AllowISEPostureProfileUpdatesFromAnyServer>
        <AllowServiceProfileUpdatesFromAnyServer>false</AllowServiceProfileUpdatesFromAnyServer>
        <AllowScriptUpdatesFromAnyServer>false</AllowScriptUpdatesFromAnyServer>
        <AllowHelpUpdatesFromAnyServer>false</AllowHelpUpdatesFromAnyServer>
        <AllowResourceUpdatesFromAnyServer>false</AllowResourceUpdatesFromAnyServer>
        <AllowLocalizationUpdatesFromAnyServer>false</AllowLocalizationUpdatesFromAnyServer>

     3. If the configuration setting values do not match the values shown
        above, change them.
     4. Add authorized server names to the configuration file:

            <ServerName>*.example.com</ServerName>

     5. Save the file to the original location. The network paths are noted
        above.
     6. Restart the VPN Agent service or reboot the client machine.
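    The audit that steps 2 to 4 describe by hand (compare every setting with the
    recommended table, change what differs, add authorized server names) can be scripted
    before the file is pushed out by the enterprise software management system. The Python
    below is an example added to this bulletin, not Cisco tooling: the sample policy is
    constructed with most settings absent, so that the script's handling of defaults is
    visible, and the server name vpn.example.com is a placeholder standing in for a real
    headend.

```python
"""Audit an AnyConnectLocalPolicy.xml against the 4.10.00093 recommended settings
in the Recommendations section above and produce a hardened copy (steps 2 to 4 of
the procedure). Added example for this bulletin, not Cisco tooling; the sample
policy and the server name are constructed."""
import xml.etree.ElementTree as ET

# setting -> (default value, recommended value), from the Recommendations tables.
RECOMMENDED = {
    "BypassDownloader": ("false", "false"),
    "StrictCertificateTrust": ("false", "true"),
    "RestrictServerCertStore": ("false", "true"),
    "AllowSoftwareUpdatesFromAnyServer": ("true", "false"),
    "AllowComplianceUpdatesModuleFromAnyServer": ("true", "false"),
    "AllowManagementVPNProfileUpdatesFromAnyServer": ("true", "false"),
    "AllowISEPostureProfileUpdatesFromAnyServer": ("true", "false"),
    "AllowServiceProfileUpdatesFromAnyServer": ("true", "false"),
    "AllowScriptUpdatesFromAnyServer": ("true", "false"),
    "AllowHelpUpdatesFromAnyServer": ("true", "false"),
    "AllowResourceUpdatesFromAnyServer": ("true", "false"),
    "AllowLocalizationUpdatesFromAnyServer": ("true", "false"),
}

# Constructed sample: one setting explicitly wrong, most settings absent.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.10.00093">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <AllowScriptUpdatesFromAnyServer>true</AllowScriptUpdatesFromAnyServer>
</AnyConnectLocalPolicy>
"""


def local_name(tag):
    """'{uri}Name' -> 'Name'; the policy file declares a default namespace."""
    return tag.rsplit("}", 1)[-1]


def audit(policy_xml):
    """Return one (setting, current, recommended) tuple per deviation. A setting
    missing from the file is judged at its documented default, because that is
    the value the client applies."""
    root = ET.fromstring(policy_xml)
    present = {local_name(e.tag): (e.text or "").strip().lower() for e in root}
    findings = [(name, present.get(name, default), recommended)
                for name, (default, recommended) in RECOMMENDED.items()
                if present.get(name, default) != recommended]
    servers = [(e.text or "").strip() for e in root if local_name(e.tag) == "ServerName"]
    if not any(servers):
        # The recommended table pairs the Allow*FromAnyServer=false settings
        # with a ServerName list of authorized servers.
        findings.append(("ServerName", "blank", "list of authorized servers"))
    return findings


def harden(policy_xml, authorized_servers):
    """Return the policy with every listed setting at its recommended value
    (creating elements that are missing) and one ServerName element per
    authorized server. Unrelated elements such as FipsMode are left alone."""
    root = ET.fromstring(policy_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:
        # Keep the default namespace unprefixed when serialising.
        ET.register_namespace("", ns[1:-1])
    by_name = {local_name(e.tag): e for e in root}
    for name, (_default, recommended) in RECOMMENDED.items():
        elem = by_name.get(name)
        if elem is None:
            elem = ET.SubElement(root, ns + name)
            elem.tail = "\n"
        elem.text = recommended
    for e in [e for e in root if local_name(e.tag) == "ServerName"]:
        root.remove(e)
    for server in authorized_servers:
        ET.SubElement(root, ns + "ServerName").text = server
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("deviates: %-45s current=%s recommended=%s" % finding)
    # The returned text is what would be written back to AnyConnectLocalPolicy.xml
    # and redistributed out-of-band before restarting the VPN Agent service.
    print(harden(SAMPLE_POLICY, ["vpn.example.com"]))
```

    Judging absent elements at their defaults matters here: a policy that simply omits the
    Allow*FromAnyServer elements is still accepting updates from any server, and a textual
    diff against the example in step 2 would not reveal that.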

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerability described
    in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerability that
    is described in this advisory.

Source

  o Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking
    Lab (TU Darmstadt) for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Revision History

  o +---------+--------------------+-------------------+--------+-------------+
    | Version |    Description     |      Section      | Status |    Date     |
    +---------+--------------------+-------------------+--------+-------------+
    |         | Updated the        |                   |        |             |
    |         | BypassDownloader   |                   |        |             |
    | 4.1     | tagging examples   | Workarounds,      | Final  | 2021-MAY-21 |
    |         | to include the     | Recommendations   |        |             |
    |         | closing "/" in     |                   |        |             |
    |         | three instances.   |                   |        |             |
    +---------+--------------------+-------------------+--------+-------------+
    |         |                    | Summary,          |        |             |
    |         | Added fixed        | Vulnerable        |        |             |
    |         | release            | Products,         |        |             |
    |         | information. Added | Products          |        |             |
    | 4.0     | Universal Windows  | Confirmed Not     | Final  | 2021-MAY-12 |
    |         | Platform           | Vulnerable,       |        |             |
    |         | information.       | Workarounds,      |        |             |
    |         |                    | Fixed Releases,   |        |             |
    |         |                    | Recommendations   |        |             |
    +---------+--------------------+-------------------+--------+-------------+
    |         | Added information  | Summary,          |        |             |
    |         | about the          | Vulnerable        |        |             |
    | 3.0     | enhancement        | Products, Work    | Final  | 2020-DEC-04 |
    |         | CSCvw48062.        | Arounds, Fixed    |        |             |
    |         |                    | Releases          |        |             |
    +---------+--------------------+-------------------+--------+-------------+
    |         | Added additional   |                   |        |             |
    |         | details on the     | Details,          |        |             |
    | 2.2     | vulnerability.     | Workarounds       | Final  | 2020-NOV-10 |
    |         | Clarified the      |                   |        |             |
    |         | mitigation.        |                   |        |             |
    +---------+--------------------+-------------------+--------+-------------+
    |         | Clarified          |                   |        |             |
    | 2.1     | mitigation         | Workarounds       | Final  | 2020-NOV-09 |
    |         | information.       |                   |        |             |
    +---------+--------------------+-------------------+--------+-------------+
    |         | Clarified the      |                   |        |             |
    |         | requirements for a |                   |        |             |
    |         | successful attack. | Summary,          |        |             |
    | 2.0     | Corrected          | Vulnerable        | Final  | 2020-NOV-05 |
    |         | information about  | Products,         |        |             |
    |         | vulnerable         | Workarounds       |        |             |
    |         | configurations and |                   |        |             |
    |         | mitigations.       |                   |        |             |
    +---------+--------------------+-------------------+--------+-------------+
    | 1.0     | Initial public     | -                 | Final  | 2020-NOV-04 |
    |         | release.           |                   |        |             |
    +---------+--------------------+-------------------+--------+-------------+

- --------------------------------------------------------------------------------


Cisco AnyConnect Secure Mobility Client for Windows Arbitrary File Read
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-anyconnect-file-read-LsvDD6Uh
First Published: 2020 November 4 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvv66094
CVE Names:       CVE-2020-27123
CWEs:            CWE-749

Summary

  o A vulnerability in the interprocess communication (IPC) channel of Cisco
    AnyConnect Secure Mobility Client for Windows could allow an authenticated,
    local attacker to read arbitrary files on the underlying operating system
    of an affected device.

    The vulnerability is due to an exposed IPC function. An attacker could
    exploit this vulnerability by sending a crafted IPC message to the
    AnyConnect process on an affected device. A successful exploit could allow
    the attacker to read arbitrary files on the underlying operating system of
    the affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco AnyConnect
    Secure Mobility Client for Windows releases earlier than Release 4.9.03047.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, Cisco AnyConnect Secure Mobility Client for
    Windows releases 4.9.03047 and later contained the fix for this
    vulnerability.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o Cisco would like to thank Antoine Goichot of PwC Luxembourg's Cybersecurity
    team for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-anyconnect-file-read-LsvDD6Uh

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-NOV-04  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYKsaeuNLKJtyKPYoAQhFmw//VaeGJL2cMNKMqaZglV7ZdhprIpv3w62l
/hzL9sQv9Dwibba1sUPKC8ptTabjjUGMTCpJFC8kQBd6bjsFdM+J5GCzpYM03OtX
FPBESNOhdw82JOQnMmeT183vL80HFDXSMQACAosuZofb6vgyGxqqGCUIkFYOGA4u
fa6nXEgtNTpIdI3qqTmcDDWrc4Cx2cavyXc01GeacKRxIfDVo1qNVLuTsw5RVFqf
YuLE1V0Oa1gs1oiysCkc/1MjHmeptnShCJrsNKEYliCLPz2QCxMKN6tYeUsFF8fn
guWIhrUJVVrPY1UAtmz6Y7nP9mFVd6YLjPy4fARXTOxkpp3CtpzAWJ4nC6vV0lh3
LH836irjqCmiB70AvkiF/rIdftYlevXZq4u7SnihtRzCjmvMmCnz1keoatTapl95
LQROV7Fb/jJCq+iBNJzDJ3k6ITwVQxitRE1d+OGt8NEbKfdSuq4cufcFJkuz4UjO
O6RsiK+Pg0DkWPyvzNq1xBUvX2KR4sFfE8OeLZLtOasdSKuQC4YWYphLBYjmyacx
3R3hjawJvkwzs5ZnygJVExGL1x51oxYy2S97KqpmFCBmMqAkN00f77VqDTrc2kjl
meMUS9qoMHkDVwbiAQgBw0yr4z6w6NFWTme3ANcga6KJGuFjm6odPYyXccms01+Y
heIOetlsdi8=
=h42B
-----END PGP SIGNATURE-----