CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.
The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.
Note: To successfully exploit this vulnerability, an attacker would need all of the following:
- Valid user credentials on the system on which the AnyConnect client is being run by the targeted user.
- To be able to log in to that system while the targeted user either has an active AnyConnect session established or establishes a new AnyConnect session.
- To be able to execute code on that system.
Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
Affected Products
Vulnerable Products
This vulnerability affects all releases of Cisco AnyConnect Secure Mobility Client Software earlier than Release 4.10.00093 for the following platforms if they have a vulnerable configuration:
- AnyConnect Secure Mobility Client for Windows
- AnyConnect Secure Mobility Client for MacOS
- AnyConnect Secure Mobility Client for Linux
The following subsections describe how to determine vulnerability for specific releases of Cisco AnyConnect Secure Mobility Client Software. The release of Cisco AnyConnect Secure Mobility Client Software that is running on the end machine determines which configurations the user must check.
The configuration settings discussed in the following subsections are in the AnyConnectLocalPolicy.xml file. This file is in the following locations:
- Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
- macOS: /opt/cisco/anyconnect/
- Linux: /opt/cisco/anyconnect/
Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037
The vulnerability described in this advisory affects Cisco AnyConnect Secure Mobility Client Software releases 4.9.04053, 4.9.05042, and 4.9.06037 if RestrictScriptWebDeploy is set to the default value of false.
To verify the RestrictScriptWebDeploy configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line:
<RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
If RestrictScriptWebDeploy is set to false, RestrictScriptWebDeploy is disabled and the device is affected by this vulnerability. If RestrictScriptWebDeploy is set to true, RestrictScriptWebDeploy is enabled and the device is not affected by this vulnerability.
See the Workarounds section for additional optional but recommended settings.
Cisco AnyConnect Secure Mobility Client Software Releases Earlier than Release 4.9.04053
The vulnerability described in this advisory affects all releases of Cisco AnyConnect Secure Mobility Client Software earlier than Release 4.9.04053 if BypassDownloader is set to the default value of false.
To verify the BypassDownloader configuration setting on a VPN client system, open the AnyConnectLocalPolicy.xml file and look for the following line:
<BypassDownloader>false</BypassDownloader>
If BypassDownloader is set to false, BypassDownloader is disabled and the device is affected by this vulnerability. If BypassDownloader is set to true, BypassDownloader is enabled and the device is not affected by this vulnerability.
Note: Setting BypassDownloader to true is not a recommended configuration. See the Workarounds section for more details.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
This vulnerability does not affect Cisco AnyConnect Secure Mobility Client for Apple iOS or Android platforms or for the Universal Windows Platform.
Details
Details about the vulnerability are as follows.
- This vulnerability is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.
- This vulnerability is not remotely exploitable, as it requires local credentials on the end-user device for the attacker to take action on the local system.
- This vulnerability is not a privilege elevation exploit. The scripts run at the user level by default. If the local AnyConnect user manually raises the privilege of the User Interface process, the scripts would run at elevated privileges.
- This vulnerability’s CVSS score is high because, for configurations where the vulnerability is exploitable, it allows one user access to another user’s data and execution space.
Workarounds
Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.
The settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations section of this advisory.
Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093
Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 with no additional configuration required. See the Recommendations section for additional optional but recommended settings.
Upgrade instructions for systems where workarounds were previously applied
This section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes or Configuration Guide.
The following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. This file is in the following locations:
- Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
- macOS: /opt/cisco/anyconnect/
- Linux: /opt/cisco/anyconnect/
Upgrade instructions by AnyConnect Secure Mobility Client Software release (AnyConnectLocalPolicy.xml settings and instructions):
Release: Earlier than 4.9.04053
Previously deployed AnyConnectLocalPolicy.xml settings:
- BypassDownloader=true
New AnyConnectLocalPolicy.xml settings:
- BypassDownloader=false
Instructions:
- Upgrade to 4.10 using a predeploy method.
- Redistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
- Apply the new 4.10 settings shown in the Recommendations section.
Release: 4.9.04053, 4.9.05042, 4.9.06037
Previously deployed AnyConnectLocalPolicy.xml settings:
- RestrictScriptWebDeploy=true
- RestrictHelpWebDeploy=true
- RestrictResourceWebDeploy=true
- RestrictLocalizationWebDeploy=true
- BypassDownloader=false
New AnyConnectLocalPolicy.xml settings:
- RestrictScriptWebDeploy=false
- RestrictHelpWebDeploy=false
- RestrictResourceWebDeploy=false
- RestrictLocalizationWebDeploy=false
- BypassDownloader=false
Instructions:
- Upgrade to 4.10 using either a predeploy or webdeploy method.
- Redistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method (see note 1).
- Apply the new 4.10 settings shown in the Recommendations section.
Note 1: Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. If these settings remain true, files must be distributed using an out-of-band deployment method.
Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037
For customers who have already applied the RestrictScriptWebDeploy workaround
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.
To restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment.
There are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the Release Notes or Cisco bug ID CSCvw48062. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.
- RestrictScriptWebDeploy
- RestrictHelpWebDeploy
- RestrictResourceWebDeploy
- RestrictLocalizationWebDeploy
The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.
- Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:
- Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
- macOS: /opt/cisco/anyconnect/
- Linux: /opt/cisco/anyconnect/
- Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:
<RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
<RestrictHelpWebDeploy>false</RestrictHelpWebDeploy>
<RestrictResourceWebDeploy>false</RestrictResourceWebDeploy>
<RestrictLocalizationWebDeploy>false</RestrictLocalizationWebDeploy>
- Change those settings to true, as shown in the following example:
<RestrictScriptWebDeploy>true</RestrictScriptWebDeploy>
<RestrictHelpWebDeploy>true</RestrictHelpWebDeploy>
<RestrictResourceWebDeploy>true</RestrictResourceWebDeploy>
<RestrictLocalizationWebDeploy>true</RestrictLocalizationWebDeploy>
- Verify that the BypassDownloader setting is correct by looking for the following line:
<BypassDownloader>false</BypassDownloader>
- If the BypassDownloader setting is true, change it to false, as shown in the following example:
<BypassDownloader>false</BypassDownloader>
- Save the file to the original location. The network paths are noted above.
- Restart the VPN Agent service or reboot the client machine.
Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053
For customers who have already applied the BypassDownloader mitigation
For customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.
Warning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.
Note: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:
- All future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.
- AnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.
The procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.
- Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:
- Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
- macOS: /opt/cisco/anyconnect/
- Linux: /opt/cisco/anyconnect/
- Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:
<BypassDownloader>false</BypassDownloader>
- Change that setting to true, as shown in the following example:
<BypassDownloader>true</BypassDownloader>
- Save the file to the original location. The network paths are noted above.
- Restart the VPN Agent service or reboot the client machine.
Fixed Software
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
Cisco fixed this vulnerability in Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.
Recommendations
Cisco AnyConnect Secure Mobility Client Software 4.10.00093 introduced new settings. It is now possible to individually allow/disallow scripts, help, resources, or localization updates in the local policy. These new settings are strongly recommended for increased protection. The full set of restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the AnyConnect Local Policy section of the administrator guide.
Configuration Setting Name                       Default Value   Recommended Configuration Setting Value
StrictCertificateTrust                           False           True
RestrictServerCertStore                          False           True
AllowSoftwareUpdatesFromAnyServer                True            False
AllowComplianceUpdatesModuleFromAnyServer        True            False
AllowManagementVPNProfileUpdatesFromAnyServer    True            False
AllowISEPostureProfileUpdatesFromAnyServer       True            False
AllowServiceProfileUpdatesFromAnyServer          True            False
AllowScriptUpdatesFromAnyServer                  True            False
AllowHelpUpdatesFromAnyServer                    True            False
AllowResourceUpdatesFromAnyServer                True            False
AllowLocalizationUpdatesFromAnyServer            True            False
ServerName                                       Blank           List of authorized servers. Can use wildcards, for example *.cisco.com
BypassDownloader is not a new setting, but ensure that it is set to false.
Configuration Setting Name                       Default Value   Recommended Configuration Setting Value
BypassDownloader                                 False           False
To configure the recommended settings on Release 4.10.00093 and later, edit the AnyConnectLocalPolicy.xml file to change configuration values to the recommended values listed in the preceding table. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines.
The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.
- Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:
- Windows: <DriveLetter>:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\
- macOS: /opt/cisco/anyconnect/
- Linux: /opt/cisco/anyconnect/
- Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:
<BypassDownloader>false</BypassDownloader>
<StrictCertificateTrust>true</StrictCertificateTrust>
<RestrictServerCertStore>true</RestrictServerCertStore>
<AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
<AllowComplianceUpdatesModuleFromAnyServer>false</AllowComplianceUpdatesModuleFromAnyServer>
<AllowManagementVPNProfileUpdatesFromAnyServer>false</AllowManagementVPNProfileUpdatesFromAnyServer>
<AllowISEPostureProfileUpdatesFromAnyServer>false</AllowISEPostureProfileUpdatesFromAnyServer>
<AllowServiceProfileUpdatesFromAnyServer>false</AllowServiceProfileUpdatesFromAnyServer>
<AllowScriptUpdatesFromAnyServer>false</AllowScriptUpdatesFromAnyServer>
<AllowHelpUpdatesFromAnyServer>false</AllowHelpUpdatesFromAnyServer>
<AllowResourceUpdatesFromAnyServer>false</AllowResourceUpdatesFromAnyServer>
<AllowLocalizationUpdatesFromAnyServer>false</AllowLocalizationUpdatesFromAnyServer>
- If the configuration setting values do not match the values shown above, change them.
- Add authorized server names to the configuration file:
<ServerName>*.example.com</ServerName>
- Save the file to the original location. The network paths are noted above.
- Restart the VPN Agent service or reboot the client machine.
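As an added example (not Cisco's code and not part of this advisory), the following Python audit applies the release-specific checks from the Vulnerable Products section and the recommended 4.10.00093 settings from the table above to an AnyConnectLocalPolicy.xml. It assumes the caller supplies the client release string, treats elements the file lacks as the advisory's stated defaults, and uses a constructed sample policy with a placeholder namespace.

```python
"""Audit an AnyConnectLocalPolicy.xml against this advisory's release-specific
checks. Added example, not Cisco's code: the caller supplies the release
string, elements the file lacks are taken at the advisory's stated defaults,
and the sample policy at the bottom is constructed for the demonstration."""
import re
import xml.etree.ElementTree as ET

FIXED = (4, 10, 93)            # 4.10.00093: fixed, no configuration required
WORKAROUND_MIN = (4, 9, 4053)  # 4.9.04053: Restrict*WebDeploy settings exist

# Recommendations section values for 4.10.00093 and later (ServerName aside).
RECOMMENDED_410 = {
    "BypassDownloader": "false",
    "StrictCertificateTrust": "true",
    "RestrictServerCertStore": "true",
    "AllowSoftwareUpdatesFromAnyServer": "false",
    "AllowComplianceUpdatesModuleFromAnyServer": "false",
    "AllowManagementVPNProfileUpdatesFromAnyServer": "false",
    "AllowISEPostureProfileUpdatesFromAnyServer": "false",
    "AllowServiceProfileUpdatesFromAnyServer": "false",
    "AllowScriptUpdatesFromAnyServer": "false",
    "AllowHelpUpdatesFromAnyServer": "false",
    "AllowResourceUpdatesFromAnyServer": "false",
    "AllowLocalizationUpdatesFromAnyServer": "false",
}
# Defaults the advisory states for the pre-4.10 settings it checks.
DEFAULTS = {"BypassDownloader": "false", "RestrictScriptWebDeploy": "false"}


def parse_release(release):
    """'4.9.04053' -> (4, 9, 4053); tuples compare in release order."""
    return tuple(int(part) for part in release.split("."))


def policy_settings(xml_text):
    """Map each top-level element to its lower-cased text, namespace stripped."""
    root = ET.fromstring(xml_text)
    return {re.sub(r"^\{[^}]*\}", "", el.tag): (el.text or "").strip().lower()
            for el in root}


def audit(release, xml_text):
    """Return (vulnerable, findings) for one client's release and local policy."""
    s = policy_settings(xml_text)

    def get(name):
        return s.get(name, DEFAULTS.get(name))

    ver = parse_release(release)
    if ver >= FIXED:
        # Not vulnerable; report any drift from the recommended hardening.
        findings = [f"{k} should be {v}" for k, v in RECOMMENDED_410.items()
                    if s.get(k) != v]
        if not s.get("ServerName"):
            findings.append("ServerName has no authorized servers")
        return False, findings
    if ver >= WORKAROUND_MIN:
        # 4.9.04053 / 4.9.05042 / 4.9.06037: protected only by the workaround.
        vulnerable = get("RestrictScriptWebDeploy") != "true"
        findings = ["RestrictScriptWebDeploy must be true"] if vulnerable else []
        if get("BypassDownloader") != "false":
            findings.append("BypassDownloader should be false")
        return vulnerable, findings
    # Earlier than 4.9.04053: only the BypassDownloader mitigation exists.
    vulnerable = get("BypassDownloader") != "true"
    return vulnerable, (["upgrade to 4.10.00093 or later"] if vulnerable else [])


# Constructed sample policy (the xmlns is a placeholder, not Cisco's schema).
POLICY_49_DEFAULT = """<AnyConnectLocalPolicy xmlns="urn:example:placeholder">
  <BypassDownloader>false</BypassDownloader>
  <RestrictScriptWebDeploy>false</RestrictScriptWebDeploy>
</AnyConnectLocalPolicy>"""
```

Run against a real file with the installed release string, e.g. audit("4.9.05042", open(path).read()); a non-empty findings list on a fixed release is hardening drift, not the vulnerability itself.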
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.
Source
Cisco would like to thank Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt) for reporting this vulnerability.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Version 4.1 (Final, 2021-MAY-21): Updated the BypassDownloader tagging examples to include the closing "/" in three instances. Sections: Workarounds, Recommendations.
Version 4.0 (Final, 2021-MAY-12): Added fixed release information. Added Universal Windows Platform information. Sections: Summary, Vulnerable Products, Products Confirmed Not Vulnerable, Workarounds, Fixed Releases, Recommendations.
Version 3.0 (Final, 2020-DEC-04): Added information about the enhancement CSCvw48062. Sections: Summary, Vulnerable Products, Workarounds, Fixed Releases.
Version 2.2 (Final, 2020-NOV-10): Added additional details on the vulnerability. Clarified the mitigation. Sections: Details, Workarounds.
Version 2.1 (Final, 2020-NOV-09): Clarified mitigation information. Sections: Workarounds.
Version 2.0 (Final, 2020-NOV-05): Clarified the requirements for a successful attack. Corrected information about vulnerable configurations and mitigations. Sections: Summary, Vulnerable Products, Workarounds.
Version 1.0 (Final, 2020-NOV-04): Initial public release.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.