Cisco finally patches months-old VPN security flaw
It’s taken Cisco just about six months to repair a crucial zero-day arbitrary code execution vulnerability in the Cisco AnyConnect Secure Mobility Consumer VPN program.
The Cisco Merchandise Security Incident Response Staff (PSIRT) originally disclosed the vulnerability in November 2020 with no releasing a protection update.
Back again in November PSIRT acknowledged the presence of a proof-of-thought code that exploited the vulnerability, tracked as CVE-2020-3556. Even so, even in its most up-to-date advisory saying the repair, Cisco said it had located no evidence of attackers exploiting the vulnerability in the wild.
We’re searching at how our audience use VPN for a forthcoming in-depth report. We might love to hear your feelings in the study beneath. It is not going to just take extra than 60 seconds of your time.
>> Click below to get started the study in a new window<<
The vulnerability exists in Cisco’s AnyConnect Secure Mobility Consumer, which allows distant personnel to connect to the corporate community by means of a safe VPN link set up with the assist of Secure Sockets Layer (SSL) and IPsec IKEv2 protocol.
A weakness in the inter-approach conversation (IPC) channel of the Secure Mobility Consumer could allow for an authenticated, community attacker to allow for a focused AnyConnect user to execute a destructive script.
Update to mitigate
In accordance to Cisco, the vulnerability existed thanks to a lack of authentication to the IPC listener. An attacker could exploit this shortcoming to ship crafted IPC messages to the AnyConnect consumer IPC listener, which could then result in the focused AnyConnect user to execute a script.
As the organization disclosed in November, successful exploitation involves lively AnyConnect periods and valid qualifications on the focused device.
The vulnerability is now addressed in the most up-to-date edition of the Secure Mobility Consumer Software package launch. Cisco also said that consumers who can not right away put in the protection updates can however mitigate the vulnerability by toggling off the Automobile Update attribute.
To further improve the protection around its networking products and solutions, Cisco has a short while ago obtained the makers of a risk assessment and vulnerability administration system, Kenna Security.
Via BleepingComputer