Cisco Releases Security Updates for Secure Client Software

Updates address two high severity vulnerabilities, one that could lead to arbitrary code execution and the other that could be used to establish a remote access VPN session with the privileges of the affected user

Threat ID:: CC-4463
Threat Severity:: Medium
Published:: 8 March 2024 5:21 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Versions: 5.1, 5.0, 4.10.04065 and later

Cisco Secure Client for Windows

Versions: prior to 5.1.2.42

Cisco Secure Client for Linux

Cisco Secure Client for macOS

Threat details

Note to affected platforms for CVE-2024-20337

The vulnerability CVE-2024-20337 affects the following Cisco products if they are running a vulnerable release of Cisco Secure Client and the VPN headend is configured with the SAML External Browser feature:

Secure Client for Linux
Secure Client for macOS
Secure Client for Windows

Introduction

Cisco has released security updates to address two high severity vulnerabilities.

The vulnerability known as CVE-2024-20337 has a CVSSv3 score of 8.2 and is a client carriage return line feed (CRLF) injection vulnerability in the SAML authentication process of Cisco Secure Client. Exploitation of this vulnerability could allow a remote, unauthenticated attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token, by convincing a user to click a crafted link while establishing a VPN session. The attacker could then use the stolen SAML token to authenticate and establish a remote access VPN session with the privileges of the affected user.

A privilege escalation vulnerability known as CVE-2024-20338, which affects Cisco Secure Client for Linux, has a CVSSv3 score of 7.3. An authenticated, local attacker could exploit this vulnerability by copying a malicious library file to a specific directory and persuading an administrator to restart a specific process, which could allow the attacker to execute arbitrary code on an affected device with root privileges.

Remediation advice

Affected organisations are encouraged to review the following Cisco Security Advisories for more information.

Remediation steps

Type	Step
Patch	Cisco Secure Client Carriage Return Line Feed Injection Vulnerability \| cisco-sa-secure-client-crlf-W43V4G7 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7
Patch	Cisco Secure Client for Linux with ISE Posture Module Privilege Escalation Vulnerability \| cisco-sa-secure-privesc-sYxQO6ds https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-privesc-sYxQO6ds

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2024-20337

A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.

Status Published

CVE-2024-20338

A vulnerability in the ISE Posture (System Scan) module of Cisco Secure Client for Linux could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to the use of an uncontrolled search path element. An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process. A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.

Last edited: 8 March 2024 5:21 pm