===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3822.5
          Cisco AnyConnect Secure Mobility Client Vulnerabilities
                                24 May 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco AnyConnect Secure Mobility Client
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Read-only Data Access           -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27123 CVE-2020-3556

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Revision History:
   May 24 2021:      vendor updated BypassDownloader tagging examples for advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
   December 7 2020:  vendor updated cisco-sa-anyconnect-ipc-KfQO9QhK
   November 10 2020: Vendor updated mitigation information for advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
   November 6 2020:  Vendor significantly updated advisory: cisco-sa-anyconnect-ipc-KfQO9QhK
   November 5 2020:  Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability

Priority:        High
Advisory ID:     cisco-sa-anyconnect-ipc-KfQO9QhK
First Published: 2020 November 4 16:00 GMT
Last Updated:    2021 May 21 18:06 GMT
Version 4.1:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvv30103
CVE Names:       CVE-2020-3556
CWEs:            CWE-20

Summary

o A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.
The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.

Note: To successfully exploit this vulnerability, an attacker would need all of the following:

  o Valid user credentials on the system on which the AnyConnect client is being run by the targeted user.
  o To be able to log in to that system while the targeted user either has an active AnyConnect session established or establishes a new AnyConnect session.
  o To be able to execute code on that system.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Affected Products

o Vulnerable Products

This vulnerability affects all releases of Cisco AnyConnect Secure Mobility Client Software earlier than Release 4.10.00093 for the following platforms if they have a vulnerable configuration:

  o AnyConnect Secure Mobility Client for Windows
  o AnyConnect Secure Mobility Client for MacOS
  o AnyConnect Secure Mobility Client for Linux

The following subsections describe how to determine vulnerability for specific releases of Cisco AnyConnect Secure Mobility Client Software.

The release of Cisco AnyConnect Secure Mobility Client Software that is running on the end machine determines which configurations the user must check. The configuration settings discussed in the following subsections are in the AnyConnectLocalPolicy.xml file.
This file is in the following locations:

  o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
  o macOS: /opt/cisco/anyconnect/
  o Linux: /opt/cisco/anyconnect/

Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037

The vulnerability described in this advisory affects Cisco AnyConnect Secure Mobility Client Software releases 4.9.04053, 4.9.05042, and 4.9.06037 if RestrictScriptWebDeploy is set to the default value of false.

To verify the RestrictScriptWebDeploy configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line:

    <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>

If RestrictScriptWebDeploy is set to false, RestrictScriptWebDeploy is disabled and the device is affected by this vulnerability. If RestrictScriptWebDeploy is set to true, RestrictScriptWebDeploy is enabled and the device is not affected by this vulnerability. See the Workarounds section for additional optional but recommended settings.

Cisco AnyConnect Secure Mobility Client Software Releases Earlier than Release 4.9.04053

The vulnerability described in this advisory affects all releases of Cisco AnyConnect Secure Mobility Client Software earlier than Release 4.9.04053 if BypassDownloader is set to the default value of false.

To verify the BypassDownloader configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line:

    <BypassDownloader>false</BypassDownloader>

If BypassDownloader is set to false, BypassDownloader is disabled and the device is affected by this vulnerability. If BypassDownloader is set to true, BypassDownloader is enabled and the device is not affected by this vulnerability.

Note: Setting BypassDownloader to true is not a recommended configuration. See the Workarounds section for more details.
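
The release-dependent check described above, together with the recommended values from this advisory's Recommendations table, written out as an added example (not Cisco's or AusCERT's code). The sample policy, its root element name and namespace, and the release number 4.8.00001 are constructed for illustration; treating every release from 4.9.04053 up to 4.10.00093 as governed by RestrictScriptWebDeploy is an assumption based on the statement that the new settings are available in 4.9.04053 and later.

```python
import xml.etree.ElementTree as ET

FIXED_RELEASE = (4, 10, 93)      # 4.10.00093: first fixed release per the advisory
RESTRICT_RELEASE = (4, 9, 4053)  # 4.9.04053: first release with RestrictScriptWebDeploy

# Setting name -> (default, recommended) for 4.10.00093 and later,
# copied from the advisory's Recommendations table.
RECOMMENDED = {
    "BypassDownloader": ("false", "false"),
    "StrictCertificateTrust": ("false", "true"),
    "RestrictServerCertStore": ("false", "true"),
    "AllowSoftwareUpdatesFromAnyServer": ("true", "false"),
    "AllowComplianceUpdatesModuleFromAnyServer": ("true", "false"),
    "AllowManagementVPNProfileUpdatesFromAnyServer": ("true", "false"),
    "AllowISEPostureProfileUpdatesFromAnyServer": ("true", "false"),
    "AllowServiceProfileUpdatesFromAnyServer": ("true", "false"),
    "AllowScriptUpdatesFromAnyServer": ("true", "false"),
    "AllowHelpUpdatesFromAnyServer": ("true", "false"),
    "AllowResourceUpdatesFromAnyServer": ("true", "false"),
    "AllowLocalizationUpdatesFromAnyServer": ("true", "false"),
}

# Constructed sample policy, not taken from a real client. The root element
# name and namespace are assumptions; only the setting names come from the advisory.
SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="http://example.invalid/policy">
  <BypassDownloader> false </BypassDownloader>
  <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
</AnyConnectLocalPolicy>"""


def parse_release(text):
    """'4.9.04053' -> (4, 9, 4053) so releases compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def read_settings(xml_text):
    """Return {element name: [values]} for every leaf element, ignoring namespaces and nesting."""
    settings = {}
    for element in ET.fromstring(xml_text).iter():
        if len(element) == 0:
            name = element.tag.rsplit("}", 1)[-1]
            settings.setdefault(name, []).append((element.text or "").strip())
    return settings


def effective(settings, name, default):
    """Value in force: the file's value (trimmed, lower-cased), else the documented default."""
    values = [value.lower() for value in settings.get(name, []) if value]
    return values[0] if values else default


def assess(release, xml_text):
    """Apply the advisory's per-release rule and list settings that need attention."""
    rel = parse_release(release)
    settings = read_settings(xml_text)
    result = {"affected": False, "governed_by": None, "notes": []}
    if rel >= FIXED_RELEASE:
        # Fixed release: not affected, but report drift from the recommended values.
        for name, (default, wanted) in RECOMMENDED.items():
            if effective(settings, name, default) != wanted:
                result["notes"].append(f"{name} should be {wanted}")
        if not any(settings.get("ServerName", [])):
            result["notes"].append("no authorized ServerName configured")
    elif rel >= RESTRICT_RELEASE:
        result["governed_by"] = "RestrictScriptWebDeploy"
        result["affected"] = effective(settings, "RestrictScriptWebDeploy", "false") != "true"
        if effective(settings, "BypassDownloader", "false") != "false":
            result["notes"].append("BypassDownloader should be false")
    else:
        result["governed_by"] = "BypassDownloader"
        bypass = effective(settings, "BypassDownloader", "false")
        result["affected"] = bypass != "true"
        if bypass == "true":
            result["notes"].append("BypassDownloader=true mitigates but is not recommended")
    return result


if __name__ == "__main__":
    # 4.8.00001 is a constructed release number standing in for "earlier than 4.9.04053".
    for release in ("4.8.00001", "4.9.05042", "4.10.00093"):
        print(release, assess(release, SAMPLE_POLICY))
```

A missing element is treated as its documented default, so a policy file that omits RestrictScriptWebDeploy or BypassDownloader is reported as affected on the releases those settings govern.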
Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

This vulnerability does not affect Cisco AnyConnect Secure Mobility Client for Apple iOS or Android platforms or for the Universal Windows Platform.

Details

o Details about the vulnerability are as follows.

  o This vulnerability is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.
  o This vulnerability is not remotely exploitable, as it requires local credentials on the end-user device for the attacker to take action on the local system.
  o This vulnerability is not a privilege elevation exploit. The scripts run at the user level by default. If the local AnyConnect user manually raises the privilege of the User Interface process, the scripts would run at elevated privileges.
  o This vulnerability's CVSS score is high because, for configurations where the vulnerability is exploitable, it allows one user access to another user's data and execution space.

Workarounds

o Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 via new configuration settings. The new settings are available in releases 4.9.04053 and later.

Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053. The settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations section of this advisory.

Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093

Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 with no additional configuration required. See the Recommendations section for additional optional but recommended settings.
Upgrade instructions for systems where workarounds were previously applied

This section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes or Configuration Guide.

The following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. This file is in the following locations:

  o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
  o macOS: /opt/cisco/anyconnect/
  o Linux: /opt/cisco/anyconnect/

AnyConnect Secure Mobility Client Software Release: Earlier than 4.9.04053

  AnyConnectLocalPolicy.xml Settings:
    Previously deployed AnyConnectLocalPolicy.xml settings:
      o BypassDownloader=true
    New AnyConnectLocalPolicy.xml settings:
      o BypassDownloader=false

  Instructions:
    1. Upgrade to 4.10 using a predeploy method.
    2. Redistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
    3. Apply the new 4.10 settings shown in the Recommendations section.

AnyConnect Secure Mobility Client Software Release: 4.9.04053, 4.9.05042, 4.9.06037

  AnyConnectLocalPolicy.xml Settings:
    Previously deployed AnyConnectLocalPolicy.xml settings:
      o RestrictScriptWebDeploy=true
      o RestrictHelpWebDeploy=true
      o RestrictResourceWebDeploy=true
      o RestrictLocalizationWebDeploy=true
      o BypassDownloader=false
    New AnyConnectLocalPolicy.xml settings:
      o RestrictScriptWebDeploy=false
      o RestrictHelpWebDeploy=false
      o RestrictResourceWebDeploy=false
      o RestrictLocalizationWebDeploy=false
      o BypassDownloader=false

  Instructions:
    1. Upgrade to 4.10 using either a predeploy or webdeploy method.
    2. Redistribute [1] the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
    3. Apply the new 4.10 settings shown in the Recommendations section.

[1] Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. If these settings remain true, files must be distributed using an out-of-band deployment method.

Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037

For customers who have already applied the RestrictScriptWebDeploy workaround

For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability. To restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.

For customers who cannot upgrade to Release 4.10.00093 or later

For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment.

There are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below.
For more details about the new configuration settings and implications of their use, refer to the Release Notes or Cisco bug ID CSCvw48062. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.

  o RestrictScriptWebDeploy
  o RestrictHelpWebDeploy
  o RestrictResourceWebDeploy
  o RestrictLocalizationWebDeploy

The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

1. Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

     o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
     o macOS: /opt/cisco/anyconnect/
     o Linux: /opt/cisco/anyconnect/

2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:

     <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
     <RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
     <RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
     <RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>

3. Change that setting to true, as shown in the following example:

     <RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
     <RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
     <RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
     <RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>

4. Verify that the BypassDownloader setting is correct by looking for the following line:

     <BypassDownloader>false</BypassDownloader>

5. If the BypassDownloader setting is true, change it to false, as shown in the following example:

     <BypassDownloader>false</BypassDownloader>

6. Save the file to the original location.
   The network paths are noted above.

7. Restart the VPN Agent service or reboot the client machine.

Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053

For customers who have already applied the BypassDownloader mitigation

For customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section.

For customers who cannot upgrade to Release 4.10.00093 or later

For customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.

Warning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.

Note: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:

  o All future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.
  o AnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.

The procedure that follows is for editing the policy on a local machine.
In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

1. Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

     o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
     o macOS: /opt/cisco/anyconnect/
     o Linux: /opt/cisco/anyconnect/

2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:

     <BypassDownloader>false</BypassDownloader>

3. Change that setting to true, as shown in the following example:

     <BypassDownloader>true</BypassDownloader>

4. Save the file to the original location. The network paths are noted above.

5. Restart the VPN Agent service or reboot the client machine.

Fixed Software

o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

Cisco fixed this vulnerability in Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.

Recommendations

o Cisco AnyConnect Secure Mobility Client Software 4.10.00093 introduced new settings. It is now possible to individually allow/disallow scripts, help, resources, or localization updates in the local policy. These new settings are strongly recommended for increased protection. The full set of restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the AnyConnect Local Policy section of the administrator guide.

+-----------------------------------------------+---------------+------------------------+
| Configuration Setting Name                    | Default       | Recommended Value      |
|                                               | Configuration |                        |
|                                               | Setting Value |                        |
+-----------------------------------------------+---------------+------------------------+
| StrictCertificateTrust                        | False         | True                   |
| RestrictServerCertStore                       | False         | True                   |
| AllowSoftwareUpdatesFromAnyServer             | True          | False                  |
| AllowComplianceUpdatesModuleFromAnyServer     | True          | False                  |
| AllowManagementVPNProfileUpdatesFromAnyServer | True          | False                  |
| AllowISEPostureProfileUpdatesFromAnyServer    | True          | False                  |
| AllowServiceProfileUpdatesFromAnyServer       | True          | False                  |
| AllowScriptUpdatesFromAnyServer               | True          | False                  |
| AllowHelpUpdatesFromAnyServer                 | True          | False                  |
| AllowResourceUpdatesFromAnyServer             | True          | False                  |
| AllowLocalizationUpdatesFromAnyServer         | True          | False                  |
| ServerName                                    | Blank         | List of authorized     |
|                                               |               | servers. Can use       |
|                                               |               | wildcards, for example |
|                                               |               | *.cisco.com            |
+-----------------------------------------------+---------------+------------------------+

BypassDownloader is not a new setting, but ensure that it is set to false.

+----------------------------+---------------+---------------+
| Configuration Setting Name | Default Value | Recommended   |
|                            |               | Configuration |
|                            |               | Setting Value |
+----------------------------+---------------+---------------+
| BypassDownloader           | False         | False         |
+----------------------------+---------------+---------------+

To configure the recommended settings on Release 4.10.00093 and later, edit the AnyConnectLocalPolicy.xml file to change configuration values to the recommended values listed in the preceding table. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines.

The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

1. Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

     o Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
     o macOS: /opt/cisco/anyconnect/
     o Linux: /opt/cisco/anyconnect/

2. Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:

     <BypassDownloader>false</BypassDownloader>
     <StrictCertificateTrust>true</StrictCertificateTrust>
     <RestrictServerCertStore>true</RestrictServerCertStore>
     <AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
     <AllowComplianceUpdatesModuleFromAnyServer>false</AllowComplianceUpdatesModuleFromAnyServer>
     <AllowManagementVPNProfileUpdatesFromAnyServer>false</AllowManagementVPNProfileUpdatesFromAnyServer>
     <AllowISEPostureProfileUpdatesFromAnyServer>false</AllowISEPostureProfileUpdatesFromAnyServer>
     <AllowServiceProfileUpdatesFromAnyServer>false</AllowServiceProfileUpdatesFromAnyServer>
     <AllowScriptUpdatesFromAnyServer>false</AllowScriptUpdatesFromAnyServer>
     <AllowHelpUpdatesFromAnyServer>false</AllowHelpUpdatesFromAnyServer>
     <AllowResourceUpdatesFromAnyServer>false</AllowResourceUpdatesFromAnyServer>
     <AllowLocalizationUpdatesFromAnyServer>false</AllowLocalizationUpdatesFromAnyServer>

3. If the configuration setting values do not match the values shown above, change them.

4. Add authorized server names to the configuration file:

     <ServerName>*.example.com</ServerName>

5. Save the file to the original location. The network paths are noted above.

6. Restart the VPN Agent service or reboot the client machine.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.

The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

o Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) for reporting this vulnerability.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy.
This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Revision History

+---------+--------------------+-------------------+--------+-------------+
| Version | Description        | Section           | Status | Date        |
+---------+--------------------+-------------------+--------+-------------+
|         | Updated the        |                   |        |             |
|         | BypassDownloader   |                   |        |             |
| 4.1     | tagging examples   | Workarounds,      | Final  | 2021-MAY-21 |
|         | to include the     | Recommendations   |        |             |
|         | closing "/" in     |                   |        |             |
|         | three instances.   |                   |        |             |
+---------+--------------------+-------------------+--------+-------------+
|         |                    | Summary,          |        |             |
|         | Added fixed        | Vulnerable        |        |             |
|         | release            | Products,         |        |             |
|         | information. Added | Products          |        |             |
| 4.0     | Universal Windows  | Confirmed Not     | Final  | 2021-MAY-12 |
|         | Platform           | Vulnerable,       |        |             |
|         | information.       | Workarounds,      |        |             |
|         |                    | Fixed Releases,   |        |             |
|         |                    | Recommendations   |        |             |
+---------+--------------------+-------------------+--------+-------------+
|         | Added information  | Summary,          |        |             |
|         | about the          | Vulnerable        |        |             |
| 3.0     | enhancement        | Products, Work    | Final  | 2020-DEC-04 |
|         | CSCvw48062.        | Arounds, Fixed    |        |             |
|         |                    | Releases          |        |             |
+---------+--------------------+-------------------+--------+-------------+
|         | Added additional   |                   |        |             |
|         | details on the     | Details,          |        |             |
| 2.2     | vulnerability.     | Workarounds       | Final  | 2020-NOV-10 |
|         | Clarified the      |                   |        |             |
|         | mitigation.        |                   |        |             |
+---------+--------------------+-------------------+--------+-------------+
|         | Clarified          |                   |        |             |
| 2.1     | mitigation         | Workarounds       | Final  | 2020-NOV-09 |
|         | information.       |                   |        |             |
+---------+--------------------+-------------------+--------+-------------+
|         | Clarified the      |                   |        |             |
|         | requirements for a |                   |        |             |
|         | successful attack. | Summary,          |        |             |
| 2.0     | Corrected          | Vulnerable        | Final  | 2020-NOV-05 |
|         | information about  | Products,         |        |             |
|         | vulnerable         | Workarounds       |        |             |
|         | configurations and |                   |        |             |
|         | mitigations.       |                   |        |             |
+---------+--------------------+-------------------+--------+-------------+
| 1.0     | Initial public     | -                 | Final  | 2020-NOV-04 |
|         | release.           |                   |        |             |
+---------+--------------------+-------------------+--------+-------------+

--------------------------------------------------------------------------------

Cisco AnyConnect Secure Mobility Client for Windows Arbitrary File Read Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-anyconnect-file-read-LsvDD6Uh
First Published: 2020 November 4 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvv66094
CVE Names:       CVE-2020-27123
CWEs:            CWE-749

Summary

o A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to read arbitrary files on the underlying operating system of an affected device.

The vulnerability is due to an exposed IPC function. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process on an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Affected Products

o Vulnerable Products

At the time of publication, this vulnerability affected Cisco AnyConnect Secure Mobility Client for Windows releases earlier than Release 4.9.03047.

See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

o There are no workarounds that address this vulnerability.

Fixed Software

o When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases

At the time of publication, Cisco AnyConnect Secure Mobility Client for Windows releases 4.9.03047 and later contained the fix for this vulnerability.

See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Exploitation and Public Announcements

o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

o Cisco would like to thank Antoine Goichot of PwC Luxembourg's Cybersecurity team for reporting this vulnerability.

Cisco Security Vulnerability Policy

o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-file-read-LsvDD6Uh

Revision History

+----------+---------------------------+----------+--------+--------------+
| Version  | Description               | Section  | Status | Date         |
+----------+---------------------------+----------+--------+--------------+
| 1.0      | Initial public release.   | -        | Final  | 2020-NOV-04  |
+----------+---------------------------+----------+--------+--------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above.
If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================