Exploit emerges for Cisco VPN client vulnerability

By

Arbitrary file deletion created privilege escalation vector.

A security researcher has published an exploit for a Cisco vulnerability that was patched earlier this month.

Exploit emerges for Cisco VPN client vulnerability

The vulnerability, CVE-2023-20178, is a privilege escalation bug.

In its advisory, Cisco explained that “a vulnerability in the client update process of Cisco AnyConnect secure mobility client software for Windows, and Cisco Secure Client software for Windows, could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.

"The client update process is executed after a successful VPN connection is established," the vendor stated.

“This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. 

“An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process.

"A successful exploit could allow the attacker to execute code with SYSTEM privileges.”

Cisco attributed discovery of the vulnerability to Filip Dragovic, who has now posted a proof-of-concept to GitHub.

Dragovic said the problem exists in the vpndownloader.exe process, which updates the client software on launch.

The updater creates a temp directory which is deleted if there are no updates to run.

“This behaviour can be abused to perform arbitrary file delete as NT Authority\SYSTEM account,” Dragovic wrote.

“Arbitrary file delete is then used to spawn system cmd processes by abusing windows installer behaviour."

The arbitrary delete can be used for privilege escalation, for example, by removing a high-privilege directory and creating a low-privilege directory with the same name, as the Zero Day Initiative describes in this article.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?