Tech Support
Documentation
Login
Contact Us
Cisco VPN Hijacking Flaw In Secure Client Software Patched
Wajahat Raja
March 20, 2024 - TuxCare expert team
In light of recent events, Cisco has released patches for two high-severity network vulnerabilities in its Secure Client. As per recent reports, vulnerabilities leading to the Cisco VPN hijacking flaw are being tracked as CVE-2024-20337 and CVE-2024-20338. These VPN security vulnerabilities have a severity score of 8.2 and 7.3, respectively.
In this article, we’ll dive into the intricacies of the Cisco VPN hijacking flaw, how it could be exploited by threat actors, and the patch details.
Cisco VPN Hijacking Flaw: Understanding Secure Client
Understanding the Cisco Secure Client before diving into the details of the flaw is essential, as it can help comprehend the severity of the flaw more accurately.
The Cisco Secure Client is a security tool that offers both Virtual Private Network (VPN) and Zero Trust Network Architecture (ZTNA) support to both Information Technology (IT) and security professionals. The software is known for helping such professionals manage and scale security endpoint agents in a unified view.
Organizations using the Secure Client can ensure seamless VPN connections. In addition, they can also deploy advanced endpoint protection protocols across multiple control points. Secure Client can also be paired with other Cisco solutions, helping organizations increase visibility pertaining to endpoint application usage and user behavior.
Given this, the Cisco VPN hijacking flaw, if exploited, would lead to threat actors gaining remote access, allowing them to expand the attack surface.
CVE-2024-20337 and CVE-2024-20338 Uncovered
As per recent reports, both vulnerabilities leading to the Cisco VPN hijacking flaw were discovered by Paulos Yibelo Mesfin, a security researcher at Amazon.
The security research expert has been cited, stating that the VPN security vulnerability pair, if exploited, would allow threat actors to have access to local internal networks when the target user visits a website under their control. Either of the flaws in this VPN security vulnerability pair leads to somewhat similar consequences for the end user if exploited.
However, initiation protocols do vary. Understanding how one or the other high-severity network vulnerability could be exploited is essential for VPN hijacking mitigation and for developing a robust cybersecurity strategy.
CVE-2024-20337
This VPN security vulnerability is within the Secure Client’s SAML authentication process. If exploited, this high-severity network vulnerability would allow threat actors to initiate a Carriage Return Line Feed (CRLF) injection attack.
An attacker could take advantage of this vulnerability by tricking the user into clicking on a maliciously created link while they are setting up a VPN session. According to recent reports, cybercriminals could also exploit the VPN security vulnerability by executing arbitrary script code in the browser or by accessing sensitive information, including a SAML token.
This token is subsequently used for establishing a remote access VPN session where the threat actors have the privileges of the targeted user. It’s worth mentioning here that those running product versions without the Cisco vulnerability patch are at risk of an attack.
CVE-2024-20338
Unlike the previous one, this high-severity network vulnerability resides in the Secure Client’s System Scan module for Linux. Threat actors may exploit this vulnerability and elevate privileges they have maliciously acquired on affected devices.
This would allow them to expand the attack surface and infiltrate organizational networks to a greater extent. Providing further details, an excerpt from the Cisco security patch statement reads:
“This vulnerability is due to the use of an uncontrolled search path element. An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process. A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.”
Cisco Software Vulnerability Fix
As of now, there have been no reports of these vulnerabilities being actively exploited in the wild. It’s worth mentioning here that the vulnerability affects Secure Client for Windows, macOS, and Linux.
As far as cybersecurity patch management for the Cisco VPN hijacking flaw is concerned, versions before 4.10.04065 are not at risk. The Secure Client version 4.10.04065 later received the Cisco security patch in version 4.10.08025. Those using Secure Client versions 5.0 to 5.1 should migrate to 5.1.2.42.
Conclusion
In light of the recent discovery, it can be stated that the Cisco VPN hijacking flaw may lead to severe consequences, such as unauthorized access to internal networks and privilege execution if exploited.
To avoid falling prey to the high-severity network vulnerability, organizations should use the Cisco security patch and implement advanced cybersecurity protocols. Doing so would not only ensure protection but would also help them be more resilient and proactive in the ever-evolving cyber threat landscape.
The sources for this piece include articles in The Hacker News and Security Affairs.
