Cisco finally patches months-old VPN security flaw

But it says there’s no evidence of the vulnerability being exploited in the wild

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

It’s taken Cisco almost six months to fix a critical zero-day arbitrary code execution vulnerability in the Cisco AnyConnect Secure Mobility ClientVPNsoftware.

The Cisco Product Security Incident Response Team (PSIRT)initially disclosed the vulnerabilityin November 2020 without releasing a security update.

Back in November PSIRT acknowledged the presence of a proof-of-concept code that exploited the vulnerability, tracked as CVE-2020-3556. However, even in its latest advisory announcing the fix, Cisco said it had found no evidence of attackers exploiting the vulnerability in the wild.

We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.

Click here to start the survey in a new window«

The vulnerability exists in Cisco’s AnyConnect Secure Mobility Client, which enablesremoteemployees to connect to the corporate network through a secure VPN connection established with the help of Secure Sockets Layer (SSL) and IPsec IKEv2 protocol.

A weakness in the inter-process communication (IPC) channel of the Secure Mobility Client could allow an authenticated, local attacker to allow a targeted AnyConnect user to execute a malicious script.

Update to mitigate

According to Cisco, the vulnerability existed due to a lack of authentication to the IPC listener. An attacker could exploit this shortcoming to send crafted IPC messages to the AnyConnect client IPC listener, which could then cause the targeted AnyConnect user to execute a script.

As the company disclosed in November, successful exploitation requires active AnyConnect sessions and valid credentials on the targeted device.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The vulnerability is now addressed in the latest version of the Secure Mobility Client Software release. Cisco also said that customers who cannot immediately install the security updates can still mitigate the vulnerability by toggling off the Auto Update feature.

To further strengthen the security around its networking products, Cisco hasrecently acquiredthe makers of a threat assessment and vulnerability management platform, Kenna Security.

ViaBleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Is it still worth using Proton VPN Free?

Mozambique VPN usage soars as internet restrictions continue

I’ve used Genmoji and now I’m convinced Apple Intelligence will be a huge success