Cisco has fixed a six-month-old zero-day vulnerability found in the Cisco AnyConnect Secure Mobility Client VPN software, with publicly available proof-of-concept exploit code.
The company’s AnyConnect Secure Mobility Client allows working on corporate devices connected to a secure Virtual Private Network (VPN) through Secure Sockets Layer (SSL) and IPsec IKEv2 using VPN clients available for all major desktop and mobile platforms.
Cisco disclosed the zero-day bug tracked as CVE-2020-3556 in November 2020 without releasing security updates but provided mitigation measures to decrease the attack surface.
While the Cisco Product Security Incident Response Team (PSIRT) said that CVE-2020-355 proof-of-concept exploit code is available, it also added that there is no evidence of attackers exploiting it in the wild.
The vulnerability is now addressed n Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.
These new versions also introduce new settings to help individually allow/disallow scripts, help, resources, or localization updates in the local policy, settings that are strongly recommended for increased protection.
This high severity vulnerability was found in Cisco AnyConnect Client’s interprocess communication (IPC) channel, and it may allow authenticated and local attackers to execute malicious scripts via a targeted user.
CVE-2020-3556 affects all Windows, Linux, and macOS client versions with vulnerable configurations; however, mobile iOS and Android clients are not impacted.
“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled,” Cisco explains in the security advisory. “Auto Update is enabled by default, and Enable Scripting is disabled by default.”
As further disclosed by the company, successful exploitation also requires active AnyConnect sessions and valid credentials on the targeted device.
Cisco added that the vulnerability:
For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders.
It is the latest so-called supply chain cyberattack, highlighting how sophisticated, often government-backed groups are targeting vulnerable software built by third parties as a stepping-stone to sensitive government and corporate computer networks.
The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it.
More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back.
The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency.
“This is a combination of traditional espionage with some element of economic theft,” said one cybersecurity consultant familiar with the matter. “We’ve already confirmed data exfiltration across numerous environments.”
The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a “very limited number of customer systems” had been penetrated, it added.
Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment.
The U.S. government’s investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear.
Security researchers at U.S. cybersecurity firm FireEye…