Cisco is urging customers of its AnyConnect service to apply a fix for a several years-old vulnerabilities after it spotted them being abused in the wild.
The two vulnerabilities in question are tracked as CVE-2020-3433 and CVE-2020-3153. They are found in the Cisco AnyConnect Secure Mobility Client for Windows and allow local threat actors to run DLL hijacking attacks and use system-level privileges to copy files to system directories. Should they succeed, they could run arbitrary code on target endpoints with system privileges, it was added.
Exploiting the flaws isn’t that easy, though, as it requires the attackers to have system credentials. However, there are proof-of-concept exploits out there, showing how these vulnerabilities could be tied together with Windows privilege escalation flaws.
Patching recommended
The flaws were patched (opens in new tab) in 2020, but Cisco has now been forced to ring the bell again following evidence pointing to new abuse.
“In October 2022, the Cisco PSIRT became aware of additional attempted exploitation of this vulnerability in the wild,” it said. “Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.”
Further proof of exploitation in the wild comes from the US Cybersecurity and Infrastructure Security Agency (CISA). The organization has recently added these two Cisco flaws to its Known Exploited Vulnerabilities catalog – a catalog that lists flaws being used by threat actors. Being added also means all Federal Civilian Executive Branch Agencies (FCEB) are forced, by the November 2021 binding operational directive (BOD 22-01), to apply the patches or otherwise mitigate the problem immediately.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA added. Federal agencies have until November 11 to get the job done.
Cisco AnyConnect Secure Mobility Client is a tool offering secure enterprise network access from any endpoint (opens in new tab).
Via: BleepingComputer (opens in new tab)
