Cisco addressed a vulnerability that could be used to launch DLL hijacking attacks through the interprocess communication (IPC) channel of AnyConnect Secure Mobility Client for Windows. The patch addresses the vulnerability, which affected Windows releases of the client prior to release 4.9.00086. With a CVSS score of 7.8, CVE-2020-3433 was a high-severity bug with no workarounds. The advisory also had previous revisions, the first of which was recorded on 5 August 2020.
Details about CVE-2020-3433
The bug permits an attacker to initiate a DLL hijacking attack by sending a crafted IPC message to the AnyConnect process. Cybercriminals could have exploited CVE-2020-3433 to run malicious code in Windows applications. Several programs could be hit with a single infected file in a DLL hijacking attack, making it possible for attackers to run arbitrary code with system privileges and then access files, delete documents, download information, and launch a denial-of-service (DoS) attack.
A DoS attack could also shut down devices as they receive a flood of traffic on their network, causing a system crash. However, launching this attack required the cybercriminal to have valid Windows system credentials. The vulnerability was caused by limited validation of resources loaded at run time, making it easier to exploit.
The vulnerability did not affect other products such as AnyConnect Secure Mobility Client for macOS, AnyConnect Secure Mobility Client for Linux, and AnyConnect Secure Mobility Client for mobile device operating systems, including iOS, Android, and Universal Windows Platform.
The IT and networking giant Cisco urged its users to apply the free software updates it made available. For most customers, this will be a maintenance upgrade to software they have purchased. It also stated that a valid license was necessary to access other installations, software, and help from the company.
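An added example, not from Cisco or the original article: a fleet triage that flags Windows hosts running an AnyConnect release earlier than 4.9.00086. The CSV column layout and the sample hosts are assumptions constructed for illustration; versions are compared numerically because a plain string comparison would rank 4.10.x below 4.9.x.

```python
import csv
import io

# Fixed release named in the article; earlier Windows releases are affected.
FIXED_RELEASE = "4.9.00086"
PRODUCT = "cisco anyconnect secure mobility client"

def parse_version(text):
    """Turn '4.9.00086' into (4, 9, 86) so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AnyConnect version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return (affected, unparsed) host lists from a software inventory CSV.

    Assumed columns (hypothetical export format): host, os, product, version.
    """
    fixed = parse_version(FIXED_RELEASE)
    affected, unparsed = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != PRODUCT:
            continue
        # Per the article, only the Windows client is affected.
        if row["os"].strip().lower() != "windows":
            continue
        try:
            installed = parse_version(row["version"])
        except ValueError:
            unparsed.append(row["host"])  # review by hand, do not assume patched
            continue
        if installed < fixed:
            affected.append(row["host"])
    return affected, unparsed

# Constructed sample inventory (hosts and versions are made up for the example).
SAMPLE = """host,os,product,version
ws-001,Windows,Cisco AnyConnect Secure Mobility Client,4.8.03052
ws-002,Windows,Cisco AnyConnect Secure Mobility Client,4.9.00086
ws-003,Windows,Cisco AnyConnect Secure Mobility Client,4.10.01075
mac-01,macOS,Cisco AnyConnect Secure Mobility Client,4.8.03052
ws-004,Windows,Cisco AnyConnect Secure Mobility Client,4.9.0086-beta
ws-005,Windows,7-Zip,4.8.03052
"""

if __name__ == "__main__":
    hits, unknown = triage(SAMPLE)
    print("affected:", hits)
    print("needs manual review:", unknown)
```

Hosts whose version string does not parse are returned separately so they are checked by hand, not silently treated as patched.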
The Cisco product security incident response team (PSIRT) added that the company was aware of proof-of-concept exploit code.
As per the advisory, the company became aware in October 2022 of previous exploitation of the same vulnerability. Version 1.0 of the advisory was released on 5 August 2020, version 1.1 on 13 August 2020, and version 1.2, owing to the vulnerability's active exploitation, on 25 October 2022.