Cisco reveals major AnyConnect VPN security flaw

News
By published

New Cisco vulnerability currently has no workaround

VPN
VPN-tjänster har många olika funktioner - här är de allra viktigaste du ska kolla efter. (Image credit: Shutterstock.com)

Cisco has revealed a zero-day vulnerability affecting its AnyConnect Secure Mobility Client software that has a proof-of-concept exploit code publicly available online.

The vulnerability, tracked as CVE-2020-3556, could allow a threat actor to run malicious code through a victim’s device. The flaw affects all client versions of AnyConnect operating across Windows, Linux and Mac operating systems.

According to Cisco’s internal security team, however, the security bug has not yet been exploited in the wild, and the good news is that devices running versions of AnyConnect with default configurations are not at risk. This particular security flaw requires both the Auto Update setting and the Enable Scripting settings to be enabled. By default, Enable Scripting is disabled.

Mitigation strategies

Cisco has pledged to release a free software update to address this vulnerability, although no timescale has been provided. There are currently no workarounds that address the bug, but mitigation options are available to users.

“A mitigation for this vulnerability is to disable the Auto Update feature. Additional details can be found in the Disabling AnyConnect Auto Update section of the Cisco AnyConnect Secure Mobility Client Administrator Guide,” the Cisco Security Advisory explained. “If the Auto Update feature cannot be disabled, disabling the Enable Scripting configuration setting would reduce the attack surface.”

Other positives include the fact that the Android and iOS versions of AnyConnect are not affected and that any exploit requires an active AnyConnect session to be taking place, limiting attack opportunities.

The AnyConnect vulnerability is not the only security issue affecting Cisco products at the moment. A host of other bugs, affecting identity services, emails and Webex, are also being investigated.

Via BleepingComputer

TOPICS
Barclay Ballard
Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in VPN Privacy & Security
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address
What does your IP address reveal about you?
A stethoscope next to a laptop on a pink background
How to check if your VPN is working
Teenager playing on a gaming PC with two monitors
Is using a VPN while gaming cheating? 5 myths you shouldn't believe about gaming with a VPN
Neon blue email symbols on a black background
Why am I suddenly getting so many spam emails?
A computer file surrounded by red laser beams
Cover your tracks: the risk of sending unencrypted files
Latest in News
Netflix Ads
Netflix adds HDR10+ support – great news for Samsung TV owners, but don't expect LG and Sony to do the same any time soon
FiiO FX17 IEMs
Our favorite budget audiophile brand unveils wired earbuds with 26(!) drivers, electrostatic units, USB-C ultra-Hi-Res Audio, and a not-so-budget price
Nvidia RTX 5080 against a yellow TechRadar background
RTX 5080 24GB version teased by MSI - is it time to admit that 16GB isn't enough for 4K?
A close up of the PlayStation symbol at the top of a PS5 Slim console with a white brick background
Sony has dropped a new PS5 update, improving activities and adding more emoji support
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
More about vpn privacy security
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background

A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address

What does your IP address reveal about you?
Under Armour Infinite Elite 2

The Under Armour Infinite Elite 2 is my new favorite running shoe, but not because of its looks
See more latest
Most Popular
A close up of the PlayStation symbol at the top of a PS5 Slim console with a white brick background
Sony has dropped a new PS5 update, improving activities and adding more emoji support
Netflix Ads
Netflix adds HDR10+ support – great news for Samsung TV owners, but don't expect LG and Sony to do the same any time soon
Nvidia RTX 5080 against a yellow TechRadar background
RTX 5080 24GB version teased by MSI - is it time to admit that 16GB isn't enough for 4K?
Google Pixel 9a being held, from the back
The Google Pixel 9a’s mysterious delay may have just been explained
Nintendo Sound Clock: Alarmo
Nintendo Sound Clock: Alarmo gets new update with more customizable features ahead of the Switch 2 Direct
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
FiiO FX17 IEMs
Our favorite budget audiophile brand unveils wired earbuds with 26(!) drivers, electrostatic units, USB-C ultra-Hi-Res Audio, and a not-so-budget price
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
ChatGPT Advanced Voice mode on a smartphone.
Talking to ChatGPT just got better, and you don’t need to pay to access the new functionality